Auditing File Changes

Stephen John Smoogen smooge at gmail.com
Tue Jul 11 12:56:28 UTC 2006


On 7/10/06, eklinger at uci.edu <eklinger at uci.edu> wrote:
> > Maybe it's the way you've described it, but this sounds like a very
> > contrived and fickle security mechanism.  I really don't understand the
> > purpose of your encryption, can you elaborate any?  Maybe I'm just
> > confused with the example you gave.  Furthermore, if you want to
> > restrict operations on a given file, why reinvent the wheel, it's
> > already doable.  Also, the audit subsystem does log events describing
> > "copy" events, renames, linking, unlinking, opens, closes, file
> > attribute modifications, etc, without the need for modifying specific
> > programs.  Decompose the "abstract" event of cut and paste into its
> > system-calls and there you go.
> >
> The original idea was to prevent the user from opening the file in any
> text or hex editor and changing the file or the file's allowed operations,
> which would be stored in the file itself. However, if we can capture the
> open call we may not need the encryption after all. All of this is just
> a proof of concept. It will need to be refined much more before we do the
> actual implementation, which is why I'm here to get these comments and
> ideas from the community. :) We do not want to reinvent the wheel but the
> permissions need to go beyond the basic read-write-exec since engineers
> will need to modify the source code files but we may not want them to copy
> them to a usb drive or email them, and we want the permissions to be in
> place across platforms.
>

Well a lot of things I think you need are not in place yet (MLS/MCS X
server, and some other parts (webcam audit :)))

If you need a solution now then you need to go to the standard
physical beats technical listings:

1) Don't put the boxes on the internet. If they need internet access it
is done via a two system enclave and/or a one way transfer of data via
diode.

2) KVM with a trusted KVM system and put the CPU/hard-disks in a
controlled vault type environment. If a system has to be in the
physical control of the engineer then epoxy any port that isn't in use
(USB, Firewire) and physically tie down the keyboard/mouse etc to the
box.

3) Design processes for handling data between enclaves, handling data,
how to handle removable media, etc.


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator



