Next: 4 Performances and penetration Up: Piranha Audit: A Kernel Previous: 2 General overview

3 Piranha Audit details

Why would you want to meet the TCSEC requirements? An audit/logging file that follows the TCSEC layout provides the detailed information described above. Moreover, Piranha Audit protects sensitive data against deletion or modification even by root, and against physical disk management operations (fdisk, format, kernel image replacement, booting the system from floppy). Allowing these operations, and dumping Piranha_Audit.log, requires the Piranha Manager operator.

He/she is a trusted person who knows the Piranha password, which is needed to complete Piranha Audit management sessions.

Only he/she can change the Piranha password. We emphasize that neither root alone nor the Piranha Manager alone can fulfil these roles: executing any Piranha management session requires both root privileges and the Piranha password.

Table 1 shows the files used and kernel-protected by Piranha Audit.




Table 1: Piranha Audit files.

File                          Description
Piranha_Audit.log             Contains all sensitive data from the Audit/Logging System
syslog.conf                   Configuration file for the syslogd daemon
Piranha_FSCF_DB.md5           Collects MD5 fingerprints of critical file system objects
Piranha_SETUID-GID.db         Maps all SETUID/SETGID root files
Piranha_MD5_Digest_Creator    Utility that uses the MD5 algorithm to create fingerprints
Piranha_System_Shutdown       Utility to shut the machine down on critical events
Piranha_Password              Contains the password for the Piranha Manager operator


This high level of protection has been obtained by applying patches to the 2.2.14 Linux kernel, shown in Table 2, where PM stands for Piranha Manager and SU for Super User.




Table 2: Protection modes.

Protected File                Patched Files     User Level   SU Level   SU+PM Level
Piranha_Audit.log             namei.c, open.c   --           r-         rd-
syslog.conf                   namei.c, open.c   --           r-         rw-
Piranha_FSCF_DB.md5           namei.c, open.c   --           r-         rw-
Piranha_SETUID-GID.db         namei.c, open.c   --           r-         rw-
Piranha_MD5_Digest_Creator    namei.c, open.c   --           r-         rx-
Piranha_System_Shutdown       namei.c, open.c   --           r-         rx-
Piranha_Password              namei.c, open.c   --           r-         rx-

r = read, w = write, x = execute, d = dump


In ``namei.c'' and ``open.c'' we have also introduced a C routine that allows the syslogd daemon to open Piranha_Audit.log in append-only mode. The TCSEC layout is kept by inserting ``printk'' calls at the correct locations in ``namei.c'', ``open.c'' and ``pipe.c''.
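The following is an added example, not code from the Piranha Audit patch: a user-space model of the Table 2 policy together with the syslogd append-only rule, written the way an open-path hook in namei.c/open.c would have to decide. The enum, struct and function names, and the matching of protected files by basename, are assumptions made for illustration.

```c
/* Added example (not the Piranha Audit patch): a user-space model of the
 * Table 2 access policy plus the syslogd append-only rule, as an open-path
 * hook in namei.c/open.c might apply it. All names here are assumptions. */
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum level { LEVEL_USER, LEVEL_SU, LEVEL_SU_PM };
enum op    { OP_READ, OP_WRITE, OP_APPEND, OP_EXEC, OP_DUMP };

struct protected_file {
    const char *name;
    const char *su_pm_rights;   /* letters of the SU+PM column in Table 2 */
};

/* Table 2: no access at User level, read only at SU level, and at SU+PM
 * level exactly the rights listed here. */
static const struct protected_file table[] = {
    { "Piranha_Audit.log",          "rd" },
    { "syslog.conf",                "rw" },
    { "Piranha_FSCF_DB.md5",        "rw" },
    { "Piranha_SETUID-GID.db",      "rw" },
    { "Piranha_MD5_Digest_Creator", "rx" },
    { "Piranha_System_Shutdown",    "rx" },
    { "Piranha_Password",           "rx" },
};

/* Assumption: protected files are recognised by basename. */
static const struct protected_file *lookup(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(base, table[i].name) == 0)
            return &table[i];
    return NULL;
}

/* Map open(2) flags to a policy operation. O_TRUNC counts as a write even
 * when O_APPEND is set, because truncation would destroy audit records. */
enum op op_from_open_flags(int flags)
{
    if ((flags & O_ACCMODE) == O_RDONLY)
        return OP_READ;
    if ((flags & O_APPEND) && !(flags & O_TRUNC))
        return OP_APPEND;
    return OP_WRITE;
}

/* Returns true if the operation is permitted. Paths not in Table 2 fall
 * through to ordinary discretionary access control. */
bool piranha_permits(const char *path, enum op op, enum level lvl, bool caller_is_syslogd)
{
    const struct protected_file *pf = lookup(path);
    if (pf == NULL)
        return true;

    /* The only write path into the audit log: syslogd, append-only. */
    if (op == OP_APPEND && caller_is_syslogd && strcmp(pf->name, "Piranha_Audit.log") == 0)
        return true;

    switch (lvl) {
    case LEVEL_USER:
        return false;                 /* "--": no access at all */
    case LEVEL_SU:
        return op == OP_READ;         /* "r-": root may read but not modify */
    case LEVEL_SU_PM: {
        char want = op == OP_READ ? 'r' : op == OP_EXEC ? 'x' : op == OP_DUMP ? 'd' : 'w';
        return strchr(pf->su_pm_rights, want) != NULL;
    }
    }
    return false;
}

int main(void)
{
    /* Constructed calls: a root process trying to truncate the log, then
     * syslogd appending to it. */
    printf("root O_WRONLY|O_TRUNC on audit log: %s\n",
           piranha_permits("/var/log/Piranha_Audit.log",
                           op_from_open_flags(O_WRONLY | O_TRUNC), LEVEL_SU, false) ? "allow" : "deny");
    printf("syslogd O_WRONLY|O_APPEND on audit log: %s\n",
           piranha_permits("/var/log/Piranha_Audit.log",
                           op_from_open_flags(O_WRONLY | O_APPEND), LEVEL_USER, true) ? "allow" : "deny");
    return 0;
}
```

Two details matter for an append-only rule of this kind: O_APPEND alone does not stop truncation (O_TRUNC, or a later truncate(2)), so the model refuses that combination; and matching by basename is only a stand-in for what a namei.c hook sees, which is the dentry/inode, so the real check must also cover unlink, rename and hard links to the protected inode.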

The ``exec.c'' has been patched to detect possible buffer overflow exploits. Suppose that a malicious user has exploited a setuid program: he/she produces an ``a.out'' program that uses this bug to obtain root access. The program does its work and executes a root shell. Piranha Audit detects a particular situation at that exec: UID = 500, GID = 100, EUID = 0, EGID = 100. This is an anomaly, an inconsistency between UID and EUID, and a kernel trap is executed. The user session will be terminated and the account will be locked.
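The credential check described above, as an added example rather than the paper's exec.c patch: a user-space model that reproduces how a set-user-ID exec changes the effective UID and then applies the UID/EUID consistency test to the exploit scenario and to a legitimate setuid start. The struct and function names are assumptions.

```c
/* Added example (not the Piranha exec.c patch): a user-space model of the
 * exec-time credential check described in the text. Names are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

struct cred { uid_t uid, euid; gid_t gid, egid; };

/* Credentials the new image runs with: a set-user-ID (set-group-ID) binary
 * replaces the effective UID (GID) with the file owner; otherwise the
 * caller's credentials carry over unchanged. */
struct cred creds_after_exec(struct cred cur, mode_t mode, uid_t file_uid, gid_t file_gid)
{
    struct cred next = cur;
    if (mode & S_ISUID) next.euid = file_uid;
    if (mode & S_ISGID) next.egid = file_gid;
    return next;
}

/* The anomaly from the text (UID 500, EUID 0, /bin/sh not set-user-ID): the
 * caller already holds a root effective UID under an unprivileged real UID,
 * and the binary being executed is not what granted it. */
bool piranha_exec_anomaly(struct cred cur, mode_t mode, uid_t file_uid)
{
    if (cur.uid == cur.euid)
        return false;               /* consistent credentials, nothing to flag */
    if (cur.euid != 0)
        return false;               /* the text's check concerns root EUID only */
    if ((mode & S_ISUID) && file_uid == 0)
        return false;               /* this exec itself grants root: ordinary setuid start */
    return true;
}

int main(void)
{
    /* Constructed scenario: a.out has exploited a setuid-root program and the
     * exploited process now execs /bin/sh (mode 0755, owned by root). */
    struct cred exploited = { 500, 0, 100, 100 };
    printf("exec /bin/sh from exploited process: %s\n",
           piranha_exec_anomaly(exploited, 0755, 0) ? "ANOMALY" : "ok");

    /* Legitimate start of a setuid-root program from a normal user shell. */
    struct cred user = { 500, 500, 100, 100 };
    struct cred in_passwd = creds_after_exec(user, 04755, 0, 0);
    printf("exec passwd from user shell: %s (euid after exec = %u)\n",
           piranha_exec_anomaly(user, 04755, 0) ? "ANOMALY" : "ok",
           (unsigned)in_passwd.euid);
    return 0;
}
```

Two properties of this heuristic are worth keeping in mind when tuning the reaction: a set-user-ID root program that legitimately execs a helper without first dropping its privileges presents exactly the same UID 500 / EUID 0 state and will be flagged, and a payload that calls setuid(0) before the exec (which succeeds because the effective UID is already 0) makes UID and EUID consistent and is not flagged.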

The patched ``signal.c'' does not allow the Piranha Guardian to be killed. The Guardian is described below in Table 3, together with a quick description of the Intruder Detection Suite, where IDS stands for Intruder Detection System.




Table 3: IDS utilities.

Utility                       Quick description
Piranha_Account_Locker        Locks an account after a compromise event
Piranha_Intruder_Killer       Terminates the work session of a user compromised by a buffer exploit
Piranha_MD5_Digest_Creator    Creates MD5 fingerprints
Piranha_PWD_Creator           Sets the Piranha Manager password
Piranha_SETUID-GID_Checker    Checks the root SETUID/SETGID map every 60 minutes
Piranha_SETUID-GID_Init       Initializes the root SETUID/SETGID database file
Simple Watcher [9]            Instructs Piranha about Alert Level reactions
Piranha_System_Shutdown       Halts the machine in critical situations
Piranha_Dumper                Allows file system management under root+PM privileges
Piranha_FSC                   Protects critical files against modification and trojan horse attacks
Piranha_FSC_Init              Initializes the database of MD5 fingerprints of critical files
Piranha_Guardian              Checks that all IDS utilities are working correctly; it cannot be killed
Piranha_Init                  Script that coordinates the execution of the IDS
Piranha_Overflow_Checker      Checks Piranha_Audit.log for size overflow
Piranha_PG_PID_Search         Searches for a suitable PID for Piranha_Guardian
Piranha_PID-UID_Finder        Looks up the owner (UID) of a PID


The Simple Watcher utility performs automatic log analysis, detecting patterns that imply an anomalous state.

When one is detected, Simple Watcher sends an Alert Message to the Piranha Audit subsystem, which takes the least disruptive action to terminate the event.

Responses to particular auditable events, and the PM protection of key files, can be configured by setting the Simple Watcher config file.


2000-08-07