Difference between revisions of "Projects/Audit"
Line 3: | Line 3: | ||
== Purpose == |
== Purpose == |
||
− | + | Create an Audit infrastructure within MIT Kerberos to monitor security related events on the KDC. Identify the initial set of the audible events. |
|
+ | |||
+ | Potentially expand Kerberos Audit facility to the application servers, kadmin if it remains desirable. |
||
+ | |||
== Requirements == |
== Requirements == |
||
Line 12: | Line 12: | ||
* run-time pluggable; |
* run-time pluggable; |
||
* simple, so it could be easily replaced with the OS specific implementations; |
* simple, so it could be easily replaced with the OS specific implementations; |
||
− | * if possible, prepare i18n- and l10n-ready log messages. |
||
Line 21: | Line 20: | ||
;Audit module loaded/unloaded: Startup and shutdown of the audit system must be recorded by audit system; |
;Audit module loaded/unloaded: Startup and shutdown of the audit system must be recorded by audit system; |
||
; KDC started/stopped |
; KDC started/stopped |
||
− | :KDC start-up |
+ | :KDC start-up basic information: List of KDC realms and corresponding ports on which the Kerberos server should listen for UDP and TCP requests; allowable amount of clockskew in seconds; location and names of the plugins; indicator whether weak encryption types are allowed; |
:KDC stopped - no additional information; |
:KDC stopped - no additional information; |
||
;AS exchange: |
;AS exchange: |
||
− | :Basic information: client principal name; requested service name |
+ | :Basic information: client principal name; requested service name; remote port; selected keytype for the ticket session key; KDC status message; |
− | On success: tgt_id; returned ticket start, end and renew until times |
+ | :On success: tgt_id; returned ticket start, end and renew until times; ticket flags; |
;TGS exchange: |
;TGS exchange: |
||
:TGS |
:TGS |
||
− | ::Basic information: tgt_id |
+ | ::Basic information: tgt_id; client principal name; requested service name; remote port; authtime timestamp; selected keytype for the ticket session key; KDC status message; if the request is for referral ticket indicate to which server; |
− | ::On success: returned ticket start, end and renew until times |
+ | ::On success: returned ticket start, end and renew until times; ticket flags; if the request was to renew ticket – indicate that ticket was renewed; |
− | : |
+ | :Alternate |
− | ::Basic information: tgt_id |
+ | ::Basic information: tgt_id; client principal name; requested service name; authtime timestamp; KDC status message; |
::On success: alternate TGT |
::On success: alternate TGT |
||
− | :Cross-realm |
+ | :Cross-realm |
− | ::Basic information: tgt_id |
+ | ::Basic information: tgt_id; client principal name; requested service name, remote port; authtime timestamp; KDC status message; |
− | ::On success: cross-realm |
+ | ::On success: cross-realm TGT |
− | :U2U |
+ | :U2U |
− | :: |
+ | ::Basic information: tgt_id; client principal name; requested service name; authtime timestamp; KDC status message; |
+ | ::On success: second ticket client and server name |
||
:S4U extensions |
:S4U extensions |
||
− | ::Basic information: tgt_id |
+ | ::Basic information: tgt_id; client principal name; requested service name; authtime timestamp; s4u extention type; KDC status message; |
::On success: s4u client name |
::On success: s4u client name |
||
;Session keys: |
;Session keys: |
||
− | : AS and TGS exchange: tgt_id |
+ | : AS and TGS exchange: tgt_id; client principal name; requested service name, remote port; authtime timestamp; keytype list in request and selected keytype for the ticket session key; |
− | : AS and TGS exchange: tgt_id |
+ | : AS and TGS exchange: tgt_id; session key cleaning; |
;Policy: Policies violation when processing requests - TBD; |
;Policy: Policies violation when processing requests - TBD; |
||
− | :AS request |
+ | ::AS request |
− | :TGS request |
+ | ::TGS request |
− | :S4U2PROXY request |
+ | ::S4U2PROXY request |
== Design details == |
== Design details == |
||
⚫ | |||
+ | |||
⚫ | |||
⚫ | |||
⚫ | |||
=== KDC facing API === |
=== KDC facing API === |
||
Line 66: | Line 70: | ||
kau_kdc_stop(krb5_context context, krb5_error_code status); |
kau_kdc_stop(krb5_context context, krb5_error_code status); |
||
− | /* AS exchange: Successful or unsuccessful attempt */ |
+ | /* AS exchange: Successful (status=1) or unsuccessful (status=0) attempt */ |
krb5_error_code |
krb5_error_code |
||
kau_as_req(krb5_context context, struct as_req_state *state, int status); |
kau_as_req(krb5_context context, struct as_req_state *state, int status); |
||
− | /* TGS exchange: Successful or unsuccessful attempt; |
+ | /* TGS exchange: Successful (status=1) or unsuccessful (status=0) attempt; alternate, u2u, s4u and cross-realm TGS */ |
krb5_error_code |
krb5_error_code |
||
kau_tgs(krb5_context context, |
kau_tgs(krb5_context context, |
||
Line 82: | Line 86: | ||
krb5_error_code |
krb5_error_code |
||
kau_tgs_s4u(krb5_context context, struct tgs_req_audit_state *state, |
kau_tgs_s4u(krb5_context context, struct tgs_req_audit_state *state, |
||
− | krb5_error_code status); |
+ | krb5_error_code status); |
krb5_error_code |
krb5_error_code |
||
kau_tgs_xrealm(krb5_context context, struct tgs_req_audit_state *state, |
kau_tgs_xrealm(krb5_context context, struct tgs_req_audit_state *state, |
||
char* xrealm, int status); |
char* xrealm, int status); |
||
− | /* Session key generation and cleaning |
+ | /* Session key generation and cleaning up */ |
krb5_error_code |
krb5_error_code |
||
kau_sesskey_as_generated(krb5_context context, |
kau_sesskey_as_generated(krb5_context context, |
||
Line 104: | Line 108: | ||
krb5_error_code |
krb5_error_code |
||
kau_policy_as_req(krb5_context context, struct as_req_state *state, |
kau_policy_as_req(krb5_context context, struct as_req_state *state, |
||
− | krb5_error_code status); |
+ | krb5_error_code status); |
krb5_error_code |
krb5_error_code |
||
kau_policy_s4u2proxy_req(krb5_context context, struct tgs_req_audit_state *state, |
kau_policy_s4u2proxy_req(krb5_context context, struct tgs_req_audit_state *state, |
||
− | krb5_db_entry *st_client, krb5_error_code status); |
+ | krb5_db_entry *st_client, krb5_error_code status); |
krb5_error_code |
krb5_error_code |
||
kau_policy_tgs_req(krb5_context context, struct tgs_req_audit_state *state, |
kau_policy_tgs_req(krb5_context context, struct tgs_req_audit_state *state, |
||
− | krb5_ticket *header_ticket, krb5_error_code status); |
+ | krb5_ticket *header_ticket, krb5_error_code status); |
/* Name of audit module */ |
/* Name of audit module */ |
||
Line 163: | Line 167: | ||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_kdc_start_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_kdc_start_fn)(krb5_context context, kau_ctx au_ctx, |
||
− | krb5_deltat clockskew, const char *realm_port, |
+ | krb5_deltat clockskew, const char *realm_port, |
− | krb5_boolean allow_weak_crypto, |
+ | krb5_boolean allow_weak_crypto, |
− | const char *plugins, const char *plugin_dir, int status); |
+ | const char *plugins, const char *plugin_dir, int status); |
typedef krb5_error_code |
typedef krb5_error_code |
||
Line 172: | Line 176: | ||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_as_req_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_as_req_fn)(krb5_context context, kau_ctx au_ctx, |
||
− | + | const char *cname, const char *sname, |
|
− | + | const int from_port, krb5_enctype sesskey_etype, |
|
− | + | krb5_flags tkt_flags, const char *tkt_cname, |
|
− | + | krb5_deltat tkt_start_time, krb5_deltat tkt_end_time, krb5_deltat tkt_renew_till, |
|
− | + | const char *kdc_status, int status); |
|
typedef krb5_error_code |
typedef krb5_error_code |
||
Line 197: | Line 201: | ||
(*kau_tgs_u2u_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_tgs_u2u_fn)(krb5_context context, kau_ctx au_ctx, |
||
krb5_timestamp authtime, |
krb5_timestamp authtime, |
||
− | const char *cname, const char *sname |
+ | const char *cname, const char *sname, |
+ | const char *cl2, const char *srv2, |
||
const int from_port, const char *kdc_status, int status); |
const int from_port, const char *kdc_status, int status); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_tgs_s4u_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_tgs_s4u_fn)(krb5_context context, kau_ctx au_ctx, |
||
Line 217: | Line 221: | ||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_sesskey_as_generated_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_sesskey_as_generated_fn)(krb5_context context, kau_ctx au_ctx, |
||
− | const char *cname, const char *sname, |
+ | const char *cname, const char *sname, |
− | const int from_port, |
+ | const int from_port, |
− | const char * ktypes, krb5_enctype used_ktype, |
+ | const char * ktypes, krb5_enctype used_ktype, |
− | const char *kdc_status, int status); |
+ | const char *kdc_status, int status); |
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_sesskey_as_cleared_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_sesskey_as_cleared_fn)(krb5_context context, kau_ctx au_ctx, |
||
− | const char *cname, const char *sname, |
+ | const char *cname, const char *sname, |
− | const int from_port, krb5_enctype used_ktype, |
+ | const int from_port, krb5_enctype used_ktype, |
− | const char *kdc_status, int status); |
+ | const char *kdc_status, int status); |
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_sesskey_tgs_generated_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_sesskey_tgs_generated_fn)(krb5_context context, kau_ctx au_ctx, |
||
− | const char *cname, const char *sname, |
+ | const char *cname, const char *sname, |
− | const int from_port, |
+ | const int from_port, |
− | const char *ktypes, krb5_enctype used_ktype, |
+ | const char *ktypes, krb5_enctype used_ktype, |
− | const char *kdc_status, int status); |
+ | const char *kdc_status, int status); |
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_sesskey_tgs_cleared_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_sesskey_tgs_cleared_fn)(krb5_context context, kau_ctx au_ctx, |
||
− | const char *cname, const char *sname, |
+ | const char *cname, const char *sname, |
− | const int from_port, krb5_enctype used_ktype, |
+ | const int from_port, krb5_enctype used_ktype, |
− | const char *kdc_status, int status); |
+ | const char *kdc_status, int status); |
− | + | == Configuration == |
|
The following ./configure option to be added: |
The following ./configure option to be added: |
||
Line 248: | Line 252: | ||
;--with-audit-plugin=simple: (For demo and testing purposes) Build the audit plugin "simple" and enable audit plugin. |
;--with-audit-plugin=simple: (For demo and testing purposes) Build the audit plugin "simple" and enable audit plugin. |
||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
== Test implementation == |
== Test implementation == |
||
Revision as of 15:17, 2 November 2012
Contents
Purpose
Create an Audit infrastructure within MIT Kerberos to monitor security related events on the KDC. Identify the initial set of the audible events.
Potentially expand Kerberos Audit facility to the application servers, kadmin if it remains desirable.
Requirements
The new audit system should be:
- build-time enabled;
- run-time pluggable;
- simple, so it could be easily replaced with the OS specific implementations;
Events
This section details the categories of the auditable events and the associated information.
- Audit module loaded/unloaded
- Startup and shutdown of the audit system must be recorded by audit system;
- KDC started/stopped
- KDC start-up basic information: List of KDC realms and corresponding ports on which the Kerberos server should listen for UDP and TCP requests; allowable amount of clockskew in seconds; location and names of the plugins; indicator whether weak encryption types are allowed;
- KDC stopped - no additional information;
- AS exchange
- Basic information: client principal name; requested service name; remote port; selected keytype for the ticket session key; KDC status message;
- On success: tgt_id; returned ticket start, end and renew until times; ticket flags;
- TGS exchange
- TGS
- Basic information: tgt_id; client principal name; requested service name; remote port; authtime timestamp; selected keytype for the ticket session key; KDC status message; if the request is for referral ticket indicate to which server;
- On success: returned ticket start, end and renew until times; ticket flags; if the request was to renew ticket – indicate that ticket was renewed;
- Alternate
- Basic information: tgt_id; client principal name; requested service name; authtime timestamp; KDC status message;
- On success: alternate TGT
- Cross-realm
- Basic information: tgt_id; client principal name; requested service name, remote port; authtime timestamp; KDC status message;
- On success: cross-realm TGT
- U2U
- Basic information: tgt_id; client principal name; requested service name; authtime timestamp; KDC status message;
- On success: second ticket client and server name
- S4U extensions
- Basic information: tgt_id; client principal name; requested service name; authtime timestamp; s4u extention type; KDC status message;
- On success: s4u client name
- Session keys
- AS and TGS exchange: tgt_id; client principal name; requested service name, remote port; authtime timestamp; keytype list in request and selected keytype for the ticket session key;
- AS and TGS exchange: tgt_id; session key cleaning;
- Policy
- Policies violation when processing requests - TBD;
- AS request
- TGS request
- S4U2PROXY request
Design details
Ticket ID
We need to introduce the concept of ticket ID tgt_id (perhaps, session key hash) that would allow to link tickets with the initial TGT. TODO.
KDC facing API
/* Audit plugin loaded/unloaded */ krb5_error_code load_audit_plugin(krb5_context context); krb5_error_code unload_audit_plugin(krb5_context context);
/* KDC started /stopped */ krb5_error_code kau_kdc_start(krb5_context context, int status); krb5_error_code kau_kdc_stop(krb5_context context, krb5_error_code status);
/* AS exchange: Successful (status=1) or unsuccessful (status=0) attempt */ krb5_error_code kau_as_req(krb5_context context, struct as_req_state *state, int status);
/* TGS exchange: Successful (status=1) or unsuccessful (status=0) attempt; alternate, u2u, s4u and cross-realm TGS */ krb5_error_code kau_tgs(krb5_context context, struct tgs_req_audit_state *state, int status); krb5_error_code kau_tgs_alt(krb5_context context, struct tgs_req_audit_state *state, int status); krb5_error_code kau_tgs_u2u(krb5_context context, struct tgs_req_audit_state *state, krb5_principal cl2, int status); krb5_error_code kau_tgs_s4u(krb5_context context, struct tgs_req_audit_state *state, krb5_error_code status); krb5_error_code kau_tgs_xrealm(krb5_context context, struct tgs_req_audit_state *state, char* xrealm, int status);
/* Session key generation and cleaning up */ krb5_error_code kau_sesskey_as_generated(krb5_context context, struct as_req_state *state, int status); krb5_error_code kau_sesskey_as_cleared(krb5_context context, struct as_req_state *state, int status); krb5_error_code kau_sesskey_tgs_generated(krb5_context context, struct tgs_req_audit_state *state,int status); krb5_error_code kau_sesskey_tgs_cleared(krb5_context context, struct tgs_req_audit_state *state, int status);
/* Policy driven events - TBD */ krb5_error_code kau_policy_as_req(krb5_context context, struct as_req_state *state, krb5_error_code status); krb5_error_code kau_policy_s4u2proxy_req(krb5_context context, struct tgs_req_audit_state *state, krb5_db_entry *st_client, krb5_error_code status); krb5_error_code kau_policy_tgs_req(krb5_context context, struct tgs_req_audit_state *state, krb5_ticket *header_ticket, krb5_error_code status);
/* Name of audit module */ krb5_error_code kau_plugin_name(krb5_context context, char **name);
struct tgs_req_audit_state { krb5_kdc_req *request; krb5_timestamp authtime; char *sname, *cname,*s4u_name, *u2ucname; krb5_principal altprinc; char *xrealm; const krb5_fulladdr *from; unsigned int c_flags; const char *status; /* KDC status message */ krb5_enctype useenctype; krb5_boolean tkt_renewed; krb5_boolean is_referral; };
Pluggable interface
/* Audit plugin vtable */ typedef struct krb5_audit_vtable_st { /* Mandatory: name of module. */ char *name; kau_open_fn open; kau_close_fn close; kau_kdc_start_fn kdc_start; kau_kdc_stop_fn kdc_stop; kau_as_req_fn as_req; kau_tgs_fn tgs; kau_tgs_alt_fn tgs_alt; kau_tgs_u2u_fn tgs_u2u; kau_tgs_s4u_fn tgs_s4u; kau_tgs_xrealm_fn tgs_xrealm; kau_sesskey_as_generated_fn sesskey_as_generated; kau_sesskey_as_cleared_fn sesskey_as_cleared; kau_sesskey_tgs_generated_fn sesskey_tgs_generated; kau_sesskey_tgs_cleared_fn sesskey_tgs_cleared; kau_policy_as_req_fn policy_as_req; kau_policy_tgs_req_fn policy_tgs_req; kau_policy_s4u2proxy_req_fn policy_s4u2proxy_req; } *krb5_audit_vtable; typedef krb5_error_code (*kau_open_fn)(krb5_context context , kau_ctx *au_ctx); typedef krb5_error_code (*kau_close_fn)(krb5_context context, kau_ctx au_ctx); typedef krb5_error_code (*kau_kdc_start_fn)(krb5_context context, kau_ctx au_ctx, krb5_deltat clockskew, const char *realm_port, krb5_boolean allow_weak_crypto, const char *plugins, const char *plugin_dir, int status); typedef krb5_error_code (*kau_kdc_stop_fn)(krb5_context context, kau_ctx au_ctx, krb5_error_code status); typedef krb5_error_code (*kau_as_req_fn)(krb5_context context, kau_ctx au_ctx, const char *cname, const char *sname, const int from_port, krb5_enctype sesskey_etype, krb5_flags tkt_flags, const char *tkt_cname, krb5_deltat tkt_start_time, krb5_deltat tkt_end_time, krb5_deltat tkt_renew_till, const char *kdc_status, int status); typedef krb5_error_code (*kau_tgs_fn)(krb5_context context, kau_ctx au_ctx, krb5_timestamp authtime, const char *cname, const char *sname, const int from_port, krb5_enctype session_key_etype, const int is_referral, const int tkt_renewed, krb5_flags tkt_flags, krb5_deltat tkt_start_time, krb5_deltat tkt_end_time, krb5_deltat tkt_renew_till, const char *kdc_status, int status); typedef krb5_error_code (*kau_tgs_alt_fn)(krb5_context context, kau_ctx au_ctx, krb5_timestamp authtime, const char *cname, const char *sname, const char *altsrv, const int from_port, const char *kdc_status, int status); typedef krb5_error_code (*kau_tgs_u2u_fn)(krb5_context context, kau_ctx au_ctx, krb5_timestamp authtime, const char *cname, const char *sname, const char *cl2, const char *srv2, const int from_port, const char *kdc_status, int status); typedef krb5_error_code (*kau_tgs_s4u_fn)(krb5_context context, kau_ctx au_ctx, krb5_timestamp authtime, const char *cname, const char *sname, const char * s4u_type, const char * s4u_name, const int from_port, const char *kdc_status, int status); typedef krb5_error_code (*kau_tgs_xrealm_fn)(krb5_context context, kau_ctx au_ctx, krb5_timestamp authtime, const char *cname, const char *sname, const char *xrealm, krb5_flags c_flags, krb5_flags s_flags, const int from_port, const char *kdc_status, int status); typedef krb5_error_code (*kau_sesskey_as_generated_fn)(krb5_context context, kau_ctx au_ctx, const char *cname, const char *sname, const int from_port, const char * ktypes, krb5_enctype used_ktype, const char *kdc_status, int status); typedef krb5_error_code (*kau_sesskey_as_cleared_fn)(krb5_context context, kau_ctx au_ctx, const char *cname, const char *sname, const int from_port, krb5_enctype used_ktype, const char *kdc_status, int status); typedef krb5_error_code (*kau_sesskey_tgs_generated_fn)(krb5_context context, kau_ctx au_ctx, const char *cname, const char *sname, const int from_port, const char *ktypes, krb5_enctype used_ktype, const char *kdc_status, int status); typedef krb5_error_code (*kau_sesskey_tgs_cleared_fn)(krb5_context context, kau_ctx au_ctx, const char *cname, const char *sname, const int from_port, krb5_enctype used_ktype, const char *kdc_status, int status);
Configuration
The following ./configure option to be added:
- --with-audit-plugin=simple
- (For demo and testing purposes) Build the audit plugin "simple" and enable audit plugin.
Test implementation
We will use libaudit module available on Fedora, Debian, Suse for the first round.
Some "simple" audit plugin will be implemented and Python test system will become aware of its existence. New ./configure --with-audit-plugin option will be introduced to build "simple" audit plugin for testing purpose. If audit is enabled and audit plugin is available, "make check" will store audit messages into audit log file.
References
- Common Criteria for Information Technology Security Evaluation http://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf
- Oracle Solaris Auditing http://docs.oracle.com/cd/E19963-01/html/821-1456/auditov-1.html
- Understanding Linux Audit http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html
- Advanced Security Audit Policy Settings http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx
- Events Classification in Log Audit http://airccse.org/journal/nsa/0410ijnsa5.pdf