topic Re: trusted system auditlogs in Operating System - HP-UX

trusted system auditlogs

Ng Kim Meng — Tue, 15 Mar 2005 03:35:32 GMT

Hi,

after converting to trusted system and turning on auditing, the audit logs have been capturing whatever has been defined to be audited accordingly.

By default, the audit log has permission as shown below, with read/write permssion soley to root owner.

-rw------- 1 root sys 1101171 Mar 15 16:23 audfile1

However, now my external auditor is insisting that root owner must not have write access to the audit logs

But I don't see how that is possible !

I like to find out if that is a reasonable demand by my external auditor ?

And if it's reasonable, how can I achieve that ? Through a 3rd party s/w ???

Really appreciate any feedback and advise.

Re: trusted system auditlogs

Joseph Loo — Tue, 15 Mar 2005 03:45:34 GMT

hi,

i see, those auditors again.

i presume they would think u r going to make changes to that file. but audfile1 is not a ascii type but a data file. u may like to show or prove to them by doing the file command, i.e.:

# file audfile1

unless after running audisp command to display and output the content of that file, u amend the generated output.

regards.

Re: trusted system auditlogs

Ng Kim Meng — Tue, 15 Mar 2005 04:02:42 GMT

Hi Joseph,

thank for your feedback.

I already explained to the auditor on this and even did a cat on the auditlog to show them its garbage and cannot simply vi to change it.

But he insisted that as long as the auditlog is writable, a technically competant person with root access can perhaps used other tools to modify the content and write it back. Or even if cannot, can simply delete the entire auditlog for cover up.

Re: trusted system auditlogs

Keith Buck — Wed, 16 Mar 2005 11:28:51 GMT

The only ways I can think of to deal with this are to

A. copy the audit logs off-host (which I would recommend) or

B. get a B-level certified operating system (which can be a pain to administer).

Trusted HP-UX is approximately C2 level (was certified back in the 10.x days I think) which means that root is still all-powerful.

chmod -w audfile1

will not change the fact that root has write access to the file, because root can easily

chmod +w audfile1

for example. If you made the file owned by someone other than root so root can't chmod it, root can still chown the file back to himself. You can see this is starting to get a bit silly...

Option A actually accomplishes something as long as root on the local host doesn't also have access to the remote host. Note that root on the remote host can still muck with the logs. Some ways to deal with that are to cryptographically sign the logs or print them on paper or other write-only media.

Hope that helps.

-Keith