4 Performances and penetration testing

Examples 1, 2, 3, 4 and 5 show the behavior of Piranha Audit in some cases of intrusions attempts.

Example 1: Gaining a root shell.

• Jul  9 10:07:32 SecureHost kernel: Piranha Audit: Warning: the object /bin/su, executed by UID: 500, GID: 100 is set-uid!
• Jul  9 10:07:33 SecureHost su[3196]: + tty3 emilio-root

Example 2: Attempt to remove Audit/Logging archive.

• Jul  9 10:07:46 SecureHost kernel: Piranha Audit: Object delete command issued from UID 0, GID 0, object name: Piranha_Audit.log.
• Jul  9 10:07:46 SecureHost kernel: Piranha Audit: Owner of object is: UID 0, GID 0.
• Jul  9 10:07:46 SecureHost kernel: Piranha Audit: Object i-node mode is: 33188.
• Jul  9 10:07:46 SecureHost kernel: Piranha Audit: Unauthorized access (delete command) to security event file from UID: 0 GID: 0 detected.

Example 3: Attempts to delete/link/overwrite Piranha_Audit.log.

• Jul  9 10:08:59 SecureHost kernel: Piranha Audit: Read access of security event file detected from UID: 0 GID: 0.
• Jul  9 11:16:42 SecureHost kernel: Piranha Audit: Hard link not allowed for security event file from UID: 0 GID: 0.
• Jul  9 11:17:04 SecureHost kernel: Piranha Audit: Unauthorized or incorrect use of security event file detected from UID: 0 GID 0.
• Jul  9 11:18:14 SecureHost kernel: Piranha Audit: Unauthorized or incorrect use of security event file detected from UID: 0 GID: 0.
• Jul  9 11:18:36 SecureHost kernel: Piranha Audit: Unauthorized or incorrect use of security event file detected from UID: 0 GID 0.
• Jul  9 11:18:55 SecureHost kernel: Piranha Audit: Attempt to create confusion with special object (mknod system call) and protected Piranha Audit files detected from UID 0, GID 0.

Example 4: Fdisk attempt.

• Jul  9 11:23:45 SecureHost kernel: Piranha Audit: (ALERT LEVEL 3) Attempt of disk management without correct security procedure detected from UID: 0 GID: 0.

Example 5: Satisfying TCSEC layout.

• Jul 12 15:41:30 SecureHost kernel: Piranha Audit: Object introduction detected from UID 500, GID 100, object name is: trial.
• Jul 12 15:41:30 SecureHost kernel: Piranha Audit: Owner of object is: UID 500, GID 100.
• Jul 12 15:41:35 SecureHost kernel: Piranha Audit: Object delete command issued from UID 500, GID 100, object name: trial.
• Jul 12 15:41:35 SecureHost kernel: Piranha Audit: Owner of object is: UID 500, GID 100.
• Jul 12 15:41:35 SecureHost kernel: Piranha Audit: Object i-node mode is: 33188.
• Jul 12 15:42:42 SecureHost kernel: Piranha Audit: Special object introduction (mknod system call) detected from UID 500, GID 100, object name is: pipe.
• Jul 12 15:42:42 SecureHost kernel: Piranha Audit: Device number of object is: 0.
• Jul 12 15:42:42 SecureHost kernel: Piranha Audit: Object i-node mode is: 33261.

Below we show the Piranha Audit System behavior to underline the performances under different conditions.

Table 4: Main memory details (in bytes).

Total	Used	Free	Shared	Buffers	Cached
64716800	63213568	1503232	24977408	1347584	41750528

Table 5: CPU Info.

processor	0
vendor_id	GenuineIntel
cpu family	586
model	2
model name	Pentium MMX
stepping	3
cpu MHz	200.457340
fdiv_bug	no
hlt_bug	no
sep_bug	no
f00f_bug	yes
coma_bug	no
fpu	yes
fpu_exception	yes
cpuid level	1
wp	yes
flags	fpu vme de pse tsc msr mce cx8
bogomips	80.08

Table 6: Stress Testing.

CPU Stress Test	PASSED
Disk Stress Test	PASSED
CPU+Disk Stress Test	PASSED

CPU STATES: 62 processes: 48 sleeping, 14 running, 0 zombie, 0 stopped 98.2% user, 1.7% system, 0.0% nice, 0.0% idle

DISK USE: dd if=/dev/zero of=trial count=400000

PASSED means that Piranha Audit System behavior is correct how in no stress situation.