goals for today
play

Goals for Today Learning Objective: Understand the importance of - PowerPoint PPT Presentation

Mar 02, 2024 •363 likes •661 views

Goals for Today Learning Objective: Understand the importance of auditing to computer security Explore Linux Audit Framework components Learn the gist of causal analysis of audit logs Announcements, etc: MP4 out! Due May 6th

  1. Goals for Today • Learning Objective: • Understand the importance of auditing to computer security • Explore Linux Audit Framework components • Learn the gist of causal analysis of audit logs • Announcements, etc: MP4 out! Due May 6th (UTC-11)… 17 days! • Final Exam — MAY 9TH @ 7PM, SIEBEL 1404 • Reminder : Please put away devices at the start of class CS 423: Operating Systems Design 1

  2. CS 423 
 Operating System Design: Auditing Frameworks Professor Adam Bates CS 423: Operating Systems Design

  3. Computer Security Technology Planning Study, 1972 “The emphasis on an audit capability is a reflection of the desire to conduct security surveillance operations in a resource sharing system in order to detect breaches of security or penetration attempts… To date the emphasis on instrumentation has been for system performance measurement. While it can be seen that a security audit capability requires many of the same points of measurement, the security audit differs in what is recorded, and more importantly how it relates the measurement to the real world of users, terminals, communications lines, etc. Further, from a security audit viewpoint, while all possible measurements are not of interest all of the time, all possible measurement; will be of interest (not all at once) at some time.” - James Anderson CS 423: Operating Systems Design 3

  4. Auditing Motivation • Even in the Multics project, violations of security policy were expected and anticipated. • When violations occur, we need a way to detect, investigate, and respond to such incidents. • “Perfect Security” would not require auditing, but even at the height of secure system design it was acknowledged that this was unattainable. CS 423: Operating Systems Design 4

  5. Recent Cyber Attacks • Equifax (2017) • 145 million Americans’ data was stolen • WannaCry (2017) • Ransomware attack spanning 150 countries • Hackers demanded money to unlock files • A Yahoo Bombshell • 3 billion accounts were stolen • Hacked in 2013… didn’t find out until 2016!! CS 423: Operating Systems Design 5

  6. Recent Cyber Attacks Every organization wants to keep their name off of this chart! Societal Impact: Financial Political National Security Political Source: World’s Biggest Data Breaches, Information is Beautiful Security & Privacy Research at Illinois (SPRAI) 6

  7. Advanced Persistent Threats 5 Stages of an APT attack: 1. Reconnaissance Understand about the target using social media or company’s website • 2. Incursion • Enters into victim’s system using different attack vectors ( e.g. social engineering) 3. Discovery The attackers stay low and operate patiently in order to avoid detection • 4. Capture Hackers access unprotected systems and capture data over an extended • period of time 5. Exfiltration Finally, captured information is sent back to the attack team’s home base for • analysis CS 423: Operating Systems Design 7

  8. Advanced Persistent Threats Insight: Many data breaches take 3me to execute… …. crea3ng an opportunity for defenders to repel the a=ack. Equifax Data Breach Timeline 2017 Hackers in Detected, Equifax Servers Patched Breached Announced apr may jun jul aug sep oct CS 423: Operating Systems Design 8

  9. System Auditing • Provides record of events to enable attack investigation and reconstruction • Audit logs describe data’s life cycle: • Modification • Deletions • Creations • Also describes relationships between processes • We can analyze audit logs to identify relationships and dependencies between different system events! CS 423: Operating Systems Design 9

  10. Linux Audit Framework • Linux Audit creates audit records inside the kernel • Available on vanilla Linux kernels > version 2.6 • It collects information regarding: • Kernel event (System calls) • User events (Audit-enable programs) • Does not provide additional security in and of itself — e.g., it does not protect your system from unauthorized data accesses. CS 423: Operating Systems Design 10

  11. Linux Audit Use Cases • Watching File Accesses : Audit can track whether a directory or file has been accessed, modified, exec’d. • Monitor System Calls : Generate a log entry every time a particular system cal is used. • Monitor Network Access : iptables and ebtables can be configured to trigger audit events. • Record commands run by user terminals CS 423: Operating Systems Design 11

  12. How Linux Audit Works • Auditing hooks around the kernel intercept system calls and records the relevant context • Where are audit hooks placed relative to security hooks? • The auditd daemon ingests kernel events via a netlink socket and writes the audit reports to disk/network. • Various command line utilities take care of displaying, querying, and archiving the audit trail. CS 423: Operating Systems Design 12

  13. Linux Audit Framework ?+1 Application auditd Logs syscall syscall User-space ? return 1 netlink Kernel audit filter 4 ? Syscall 2 3 kauditd processing CS 423: Operating Systems Design 13

  14. Linux Audit Filtering All hooks are defined, but may not be triggered based on active audit configuration…. CS 423: Operating Systems Design 14

  15. Linux Audit Utilities • auditctl — utility for managing the auditd daemon; returns information on the audit subsystem’s current status and can be used to add and delete rules • ausearch — utility for searching for events in log files • aureport — utility for generating reports on the audit system • autrace — utility for tracing a specific process with custom rules (think strace ) • audisp — ‘multiplexor’ that sends events to other programs that want to analyze events in realtime CS 423: Operating Systems Design 15

  16. Linux Audit Utilities CS 423: Operating Systems Design 16

  17. Creating Rules • auditctl is command line utility to : • Control behaviour of audit daemon (auditd) • Add and remove audit rules • There are two main types of rules: • File system audit rules • System call audit rules CS 423: Operating Systems Design 17

  18. File System Rules • File System rules are sometimes called watches. • Used to audit access to particular files or directories that you may be interested in. • The syntax of these rules generally follow this format: -w path-to-file -p permissions -k keyname • permission are any of the following: r - read of the file w - write to the file x - execute the file a - change in the file's attribute • CS 423: Operating Systems Design 18

  19. System Call Rules • Loaded into a matching engine that intercepts each syscall that programs make. • Very important to only use syscall rules when you have to since these affect performance. • The syntax of these rules generally follow this format: -a action,list -S syscall -F field=value -k keyname • To see files opened by a specific user: -a exit,always -S open -F auid=l337 • To see unsuccessful open calls: -a exit,always -S open -F success=0 CS 423: Operating Systems Design 19

  20. Linux Audit Example • To track a file by inode number: # auditctl -a exit,always -S open -F inode=`ls -i /etc/auditd.conf | gawk '{print $1}'` # auditctl -l AUDIT_LIST: exit,always inode=1637178 (0x18R3a) syscall=open • When someone opens the file, this message is logged type=PATH msg=audit(1251123553.303:206): item=0 name="/etc/audit/audit.rules" inode=77546 dev=fd:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 CS 423: Operating Systems Design 20

  21. aureport example CS 423: Operating Systems Design 21

  22. Resources • Audit manual pages • There are several man pages installed along with the audit tools that provide valuable information about each utility • Linux Audit Project: • http://people.redhat.com/sgrubb/audit/index.html • The SPADE Project (for graph-based analysis) • https://github.com/ashish-gehani/SPADE CS 423: Operating Systems Design 22

  23. Example Audit Log… chromium.exe reads from ip 10.0.0.2 chromium.exe reads from ip 165.10.0.1 chromium.exe reads from ip 91.0.0.2 chromium.exe downloads a.ppt chromium.exe downloads b.doc chromium.exe downloads malware.exe malware.exe reads /etc/passwd malware.exe sends /etc/passwd to ip X.X.X.X CS 423: Operating Systems Design 23

  24. Causal Analysis root cause • Idea: Model related log events as malware.com a causal relationship graph. netrecv Vertices: Files, Processes, etc. • Chrome Edges: System Accesses (e.g., read , • write write write , fork ) /Downloads/ /Downloads/ • Backtrace queries identify root Mal.exe Mal2.exe exec cause of a detection point Mal.exe • Forwardtrace queries identify detection point (alert) netsend full attack footprint starting from a root cause. malserver.com • We call these graphs data provenance [King and Chen, SOSP’03] Security & Privacy Research at Illinois (SPRAI) 24

  25. … as a Causal (Provenance) Graph chromium.exe reads from ip 10.0.0.2 chromium.exe reads from ip 165.10.0.1 chromium.exe reads from ip 91.0.0.2 chromium.exe downloads a.ppt chromium.exe downloads b.doc chromium.exe downloads malware.exe malware.exe reads /etc/passwd malware.exe sends /etc/passwd to ip X.X.X.X 165.10.0.1 165.10.0.1 10.0.0.2 X.X.X.X Chrome.exe Malware.exe a.ppt Malware.exe b.doc /etc/passwd CS 423: Operating Systems Design 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

One-on-One Interviews Training for SPF SIG coalitions Goals for today After today, you will

One-on-One Interviews Training for SPF SIG coalitions Goals for today After today, you will

Wilder Research One-on-One Interviews Training for SPF SIG coalitions Goals for today After today, you will understand The purpose of the One-on-Ones The One-on-One process The tools The ways to protect the privacy of

363 views • 19 slides
Mission, Goals, Metrics: Where Is CSCU Today? CSCU Mission & Goals History BOR adopted the

Mission, Goals, Metrics: Where Is CSCU Today? CSCU Mission & Goals History BOR adopted the

Mission, Goals, Metrics: Where Is CSCU Today? CSCU Mission & Goals History BOR adopted the mission and goals - June 2013 Mission & goals development included a wide array of stakeholders In addition to the CSCU Mission , each

314 views • 15 slides
Goals for Today Learning Objective: Discuss the ins and outs of MP4

Goals for Today Learning Objective: Discuss the ins and outs of MP4

Goals for Today Learning Objective: Discuss the ins and outs of MP4 Announcements, etc: MP4 is out! Due May 6th (UTC-11) Final Exam MAY 9TH @ 7PM, SIEBEL 1404 Its fine to use electronics today CS 423: Operating

922 views • 34 slides
Goals for Today Learning Objective: Define a taxonomy for virtualization architectures

Goals for Today Learning Objective: Define a taxonomy for virtualization architectures

Goals for Today Learning Objective: Define a taxonomy for virtualization architectures Announcements, etc: Informal Early Feedback at end of class today Midterm debrief forthcoming on Friday MP2 extension: now due on

726 views • 21 slides
Goals for Today Learning Objective: Learn how to achieve reliability + availability in

Goals for Today Learning Objective: Learn how to achieve reliability + availability in

Goals for Today Learning Objective: Learn how to achieve reliability + availability in storage!! Announcements, etc: MP3 is out! Due April 18th . MP3 Walkthrough on Monday, slides up later today Reminder : Please put away devices

909 views • 47 slides
Welcome Dan McAllister, Treasurer Tax-Collector 2 Agenda Goals for today Escheatment

Welcome Dan McAllister, Treasurer Tax-Collector 2 Agenda Goals for today Escheatment

2015 Annual Countywide Escheatment Kick-off Meeting Welcome Dan McAllister, Treasurer Tax-Collector 2 Agenda Goals for today Escheatment Overview 2014 Recap Policy and Procedure Summary 2015 Timeline Q&A 3 Goals

661 views • 17 slides
Goals for Today Learning Objective: Present final exam details + review content

Goals for Today Learning Objective: Present final exam details + review content

Goals for Today Learning Objective: Present final exam details + review content Announcements, etc: MP3 Soft Extension: Submit by TODAY for -10pts MP4 due May 7th Deadline provides more time than necessary; wanted to give you

648 views • 49 slides
Budget Recalibration Phase 2 Implementation Group Kickoff August 8, 2017 1 Agenda and Goals

Budget Recalibration Phase 2 Implementation Group Kickoff August 8, 2017 1 Agenda and Goals

Budget Recalibration Phase 2 Implementation Group Kickoff August 8, 2017 1 Agenda and Goals for Today 2 Agenda and Goals for today > Big Picture: Launch of 3-year Phase-in of Modified RCM Budget Model > Goals: Review Process to

502 views • 31 slides
Goals for Today Learning Objective: Learn about directory structures Run through some

Goals for Today Learning Objective: Learn about directory structures Run through some

Goals for Today Learning Objective: Learn about directory structures Run through some disk performance exercises Announcements, etc: C4: I removed 2 papers from your reading list No longer need to read Multics Security Eval

421 views • 27 slides
E Komo Mai We Will Be Talking About Your Marketing Goals and Tactics Today. As you get Settled,

E Komo Mai We Will Be Talking About Your Marketing Goals and Tactics Today. As you get Settled,

E Komo Mai We Will Be Talking About Your Marketing Goals and Tactics Today. As you get Settled, Please Take a Minute to Think about Examples You Can Share with the Group. Feel Free to Talk Amongst Yourselves... How to Write a Great Very

269 views • 13 slides
2/10/15 Today s goals Design Patterns What are Design Patterns? Announcements:

2/10/15 Today s goals Design Patterns What are Design Patterns? Announcements:

2/10/15 Today s goals Design Patterns What are Design Patterns? Announcements: Thank you for your Early Informal Feedback Composite, Visitor, HW3 Phase 2, peer reviews due this Thu at Template Method, Faade, 5pm

104 views • 8 slides
Goals for today Everything you wanted to know about C-strings (but were afraid to ask)

Goals for today Everything you wanted to know about C-strings (but were afraid to ask)

Goals for today Everything you wanted to know about C-strings (but were afraid to ask) Char/ascii String constants, string as abstraction (albeit a leaky one) C library functions <string.h> Under the hood: C-string as

331 views • 6 slides
OCLC Update So, what are our goals for today? Hear what OCLC is doing governance,

OCLC Update So, what are our goals for today? Hear what OCLC is doing governance,

OCLC Member Forums 2015 OCLC Update So, what are our goals for today? Hear what OCLC is doing governance, participation, products and services Talk to each other about what you are doing share best practices, tips and tricks

1.57k views • 102 slides
Marina Industry Our goal today Who we are What are our strategic goals Give you three

Marina Industry Our goal today Who we are What are our strategic goals Give you three

The Voice of the Marina Industry Our goal today Who we are What are our strategic goals Give you three reasons for joining AMIs affiliate program Answer your questions Who are we? Association of Marina Industries The

360 views • 17 slides
Outline for Today Course Overview Goals Administrative details CSE 143 Workload

Outline for Today Course Overview Goals Administrative details CSE 143 Workload

Outline for Today Course Overview Goals Administrative details CSE 143 Workload and grading Computer Programming II Resources Welcome! This information is largely included in todays handouts, Course Overview and

288 views • 7 slides
AMP Implementation Workshop 9-13-2013 Goal for today: Draft 3-5 goals that your department

AMP Implementation Workshop 9-13-2013 Goal for today: Draft 3-5 goals that your department

AMP Implementation Workshop 9-13-2013 Goal for today: Draft 3-5 goals that your department is going to focus on that link to the Academic Master Plan AMP connects to multiple items such as performance indicators, enrollment via

333 views • 6 slides
Modern Discrete Probability IV - Branching processes Review S ebastien Roch UWMadison

Modern Discrete Probability IV - Branching processes Review S ebastien Roch UWMadison

Basic definitions Extinction Random-walk representation Application: Bond percolation on Galton-Watson trees Modern Discrete Probability IV - Branching processes Review S ebastien Roch UWMadison Mathematics November 15, 2014 S

563 views • 40 slides
Gene-set analysis and data integra/on Leif Leif Vremo mo

Gene-set analysis and data integra/on Leif Leif Vremo mo

Gene-set analysis and data integra/on Leif Leif Vremo mo leif.varemo@scilifelab.se Bioinforma6cs Long-term Support (WABI) Systems Biology Facility @ Chalmers Outline Gene-set

419 views • 31 slides
Discrete Sampling using Semigradient-based Product Mixtures Alkis Gotovos Hamed Hassani Andreas

Discrete Sampling using Semigradient-based Product Mixtures Alkis Gotovos Hamed Hassani Andreas

Discrete Sampling using Semigradient-based Product Mixtures Alkis Gotovos Hamed Hassani Andreas Krause Stefanie Jegelka ETH Zurich UPenn ETH Zurich MIT UAI 2018 Modeling gene alterations [ cancergenome.nih.gov ] Discrete Sampling using

1.14k views • 68 slides
SWORD-1 and SWORD-2 Dolutegravir plus Rilpivirine as Maintenance Dual Therapy SWORD-1 and SWORD-2:

SWORD-1 and SWORD-2 Dolutegravir plus Rilpivirine as Maintenance Dual Therapy SWORD-1 and SWORD-2:

Dolutegravir plus Rilpivirine as Maintenance Dual Therapy SWORD-1 and SWORD-2 Dolutegravir plus Rilpivirine as Maintenance Dual Therapy SWORD-1 and SWORD-2: Design Early Switch Phase Late switch phase Study Design: SWORD-1 and Sword-2

333 views • 9 slides
An algorithmic approach to branching processes with countably infinitely many types Peter

An algorithmic approach to branching processes with countably infinitely many types Peter

An algorithmic approach to branching processes with countably infinitely many types Peter Braunsteins Supervisors: Sophie Hautphenne and Peter Taylor 29 June, 2016 1 Material of the talk The material of this talk is taken from S. Hautphenne,

947 views • 33 slides
Closing Thoughts (Gen 35) How would you characterize Isaacs life? Equal parts faith and

Closing Thoughts (Gen 35) How would you characterize Isaacs life? Equal parts faith and

Closing Thoughts (Gen 35) How would you characterize Isaacs life? Equal parts faith and failure Honored Gods will a willing sacrifice (Gen 22:6-9) Dishonored Gods will she is my sister (Gen 26:7); tried to anoint Ishmael (Gen

193 views • 18 slides
Tyshko, N.V.Z., V.M., Paschorina, V.A., Seljashkin, K.A., Saprykin, V.P., Utembaeva, N.T., &

Tyshko, N.V.Z., V.M., Paschorina, V.A., Seljashkin, K.A., Saprykin, V.P., Utembaeva, N.T., &

Tyshko, N.V.Z., V.M., Paschorina, V.A., Seljashkin, K.A., Saprykin, V.P., Utembaeva, N.T., & Tutelyan, V.A. (2011) Assessment of the impact of GMO of plant origin on rat progeny development in 3 generations. Problems of Nutrition, 80, 1, pp

299 views • 9 slides
T he L a nd Pro mise & Co ve na nt in De ute ro no my Charles Clough COVENANT =

T he L a nd Pro mise & Co ve na nt in De ute ro no my Charles Clough COVENANT =

T he L a nd Pro mise & Co ve na nt in De ute ro no my Charles Clough COVENANT = CONTRACT contract 2 IMPLICATIONS OF A CONTRACT FORMAT 1. God condescends to the creature level and enters into a personal relationship at that

430 views • 14 slides

More recommend