Why would you want to meet the TCSEC requirements? An audit/logging file that respects the TCSEC layout provides the detailed information described above. Moreover, Piranha Audit protects sensitive data against deletion or modification at root level and against physical disk management (fdisk, format, kernel image replacement, booting the system from floppy). To allow these operations, and to dump Piranha_Audit.log, the Piranha Manager operator is needed.
He/she is a trusted person who knows the Piranha password, which is required to complete Piranha Audit management sessions.
Only he/she can change the Piranha password. We emphasize that neither root alone nor the Piranha Manager alone can fulfil these roles: executing any Piranha management session requires root privileges and the Piranha password.
Table 1 shows the files used and kernel-protected by Piranha Audit.
Files | Description |
---|---|
Piranha_Audit.log | Contains all sensitive data from the Audit/Logging System |
syslog.conf | Configuration file for syslogd daemon |
Piranha_FSCF_DB.md5 | Collects MD5-fingerprint for critical file system objects |
Piranha_SETUID-GID.db | Maps all SETUID-GID root files |
Piranha_MD5_Digest_Creator | Utility that uses the MD5 algorithm to create a digest (fingerprint) |
Piranha_System_Shutdown | Utility to shutdown the machine in critical events |
Piranha_Password | Contains the password for Piranha Manager operator |
This high level of protection has been obtained by applying patches to the Linux 2.2.14 kernel, as shown in table 2, where PM stands for Piranha Manager and SU for Super User.
Protected Files | Patched Files | User Level | SU Level | SU+PM Level |
---|---|---|---|---|
Piranha_Audit.log | namei.c, open.c | -- | r- | rd- |
syslog.conf | namei.c, open.c | -- | r- | rw- |
Piranha_FSCF_DB.md5 | namei.c, open.c | -- | r- | rw- |
Piranha_SETUID-GID.db | namei.c, open.c | -- | r- | rw- |
Piranha_MD5_Digest_Creator | namei.c, open.c | -- | r- | rx- |
Piranha_System_Shutdown | namei.c, open.c | -- | r- | rx- |
Piranha_Password | namei.c, open.c | -- | r- | rx- |
r=read
w=write
d=dumping
x=execute
In ``namei.c'' and ``open.c'' we have also introduced a C routine that allows the syslogd daemon to open Piranha_Audit.log in append-only mode. The TCSEC layout is kept by inserting ``printk'' calls at the correct locations in ``namei.c'', ``open.c'' and ``pipe.c''.
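The open-time policy that table 2 and the paragraph above describe for Piranha_Audit.log, written out as an added user-space model; this is example code, not the Piranha Audit patch. Assumptions not stated on the page: the log path, that the writer is identified by its process name (``comm'', as kept in the 2.2 task_struct), and that an authenticated Piranha Manager session is a single flag on the caller.

```c
/* Added example, not code from the Piranha Audit patch: a user-space model of
 * the open() decision for Piranha_Audit.log. PA_AUDIT_LOG, struct pa_caller
 * and pa_audit_log_open are hypothetical names chosen for this example. */
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PA_AUDIT_LOG "/var/log/Piranha_Audit.log"   /* path is an assumption */

enum pa_level { PA_USER, PA_SU, PA_SU_PM };          /* the three columns of table 2 */

struct pa_caller {
    uid_t euid;
    bool pm_session;     /* Piranha password supplied for this session (assumed flag) */
    const char *comm;    /* process name, as in task_struct.comm */
};

static enum pa_level pa_level_of(const struct pa_caller *c)
{
    if (c->euid != 0)
        return PA_USER;
    return c->pm_session ? PA_SU_PM : PA_SU;
}

/* Decide whether open(path, flags) may proceed. Returns the flags the open
 * should actually use (O_APPEND forced for the log writer) or -1 to deny. */
static int pa_audit_log_open(const struct pa_caller *c, const char *path, int flags)
{
    if (strcmp(path, PA_AUDIT_LOG) != 0)
        return flags;                    /* not a protected file: unchanged */

    enum pa_level lvl = pa_level_of(c);
    int acc = flags & O_ACCMODE;

    if (lvl == PA_USER)
        return -1;                       /* "--" in table 2: no access at all */
    if (flags & O_TRUNC)
        return -1;                       /* the log is never truncated, not even by SU+PM */
    if (acc == O_RDONLY)
        return flags;                    /* "r" for SU and SU+PM; dumping is a read */

    /* Write access: table 2 grants no "w" on the log to anyone, so the only
     * writer is syslogd, and only in append-only mode. O_RDWR is refused. */
    if (strcmp(c->comm, "syslogd") == 0 && acc == O_WRONLY)
        return flags | O_APPEND;
    return -1;
}

int main(void)
{
    struct pa_caller syslogd = { 0, false, "syslogd" };
    struct pa_caller pm      = { 0, true,  "bash" };
    struct pa_caller user    = { 500, false, "bash" };

    printf("syslogd O_WRONLY        -> %d\n", pa_audit_log_open(&syslogd, PA_AUDIT_LOG, O_WRONLY));
    printf("syslogd O_WRONLY|O_TRUNC-> %d\n", pa_audit_log_open(&syslogd, PA_AUDIT_LOG, O_WRONLY | O_TRUNC));
    printf("root+PM O_RDONLY        -> %d\n", pa_audit_log_open(&pm, PA_AUDIT_LOG, O_RDONLY));
    printf("root+PM O_WRONLY|O_APPEND-> %d\n", pa_audit_log_open(&pm, PA_AUDIT_LOG, O_WRONLY | O_APPEND));
    printf("uid 500 O_RDONLY        -> %d\n", pa_audit_log_open(&user, PA_AUDIT_LOG, O_RDONLY));
    return 0;
}
```

The two checks a practitioner should not drop are the O_TRUNC refusal and the forced O_APPEND: a writer that is merely permitted O_WRONLY can still seek backwards and overwrite earlier records, so append-only has to be imposed by the kernel on the open flags, not trusted to syslogd's configuration.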
``exec.c'' has been patched to detect possible buffer overflow exploits. Suppose that a malicious user has exploited a setuid program: he/she produces an ``a.out'' program that uses this bug to obtain root access. The program does its work and executes a root shell. Piranha Audit detects a particular situation: UID -> 500, GID -> 100, EUID -> 0, EGID -> 100. There is an anomaly, an inconsistency between UID and EUID, so a kernel trap is executed. The user session is terminated and the account is locked.
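The credential check described above, as an added user-space model that is not code from the Piranha Audit patch. The names pa_cred, pa_exec_check and pa_apply_setid are hypothetical. The modelled ordering is that of Linux 2.2 execve: the calling task's uid/euid are inspected first, and the new image's set-uid/set-gid bits are applied to the effective IDs only afterwards, which is why the anomaly shows up on the exec performed from inside the exploited program rather than on the exec of the setuid binary itself.

```c
/* Added example, not from the Piranha Audit patch: a model of the exec-time
 * UID/EUID consistency check the text attributes to the patched exec.c. */
#include <stdio.h>
#include <sys/types.h>

#define PA_S_ISUID 04000
#define PA_S_ISGID 02000

struct pa_cred { uid_t uid, euid; gid_t gid, egid; };   /* hypothetical names */
enum pa_verdict { PA_OK = 0, PA_TRAP = 1 };

/* The check from the text: the real UID is not root but the effective UID is,
 * so the caller obtained root through a set-uid image and is now exec'ing
 * something else with it. A real root session has uid == euid == 0. */
static enum pa_verdict pa_exec_check(const struct pa_cred *c)
{
    return (c->euid == 0 && c->uid != 0) ? PA_TRAP : PA_OK;
}

/* Credentials after a new image owned by (owner, group) is loaded: set-uid and
 * set-gid bits change only the effective IDs; the real IDs still identify the
 * original user, which is what makes the pattern detectable. */
static struct pa_cred pa_apply_setid(struct pa_cred c, mode_t mode,
                                     uid_t owner, gid_t group)
{
    if (mode & PA_S_ISUID) c.euid = owner;
    if (mode & PA_S_ISGID) c.egid = group;
    return c;
}

/* The text's scenario: uid 500 / gid 100 runs a set-uid root program,
 * overflows it, and the payload calls execve("/bin/sh"). Returns the verdict
 * on that second exec. */
static enum pa_verdict scenario_exploited_setuid(void)
{
    struct pa_cred user = { 500, 500, 100, 100 };
    /* first exec (user's shell starts the set-uid binary): uid == euid, passes */
    struct pa_cred inside = pa_apply_setid(user, 0755 | PA_S_ISUID, 0, 0);
    /* inside is now { uid 500, euid 0, gid 100, egid 100 }, the pattern in the text */
    return pa_exec_check(&inside);
}

/* su-style: the set-uid program calls setuid(0) before exec, so uid == euid == 0. */
static enum pa_verdict scenario_setuid_then_exec_as_root(void)
{
    struct pa_cred c = pa_apply_setid((struct pa_cred){ 500, 500, 100, 100 },
                                      0755 | PA_S_ISUID, 0, 0);
    c.uid = 0;                 /* setuid(0) succeeds because euid is 0 */
    return pa_exec_check(&c);
}

/* Privilege dropped back to the real user before exec: also consistent. */
static enum pa_verdict scenario_drop_then_exec(void)
{
    struct pa_cred c = pa_apply_setid((struct pa_cred){ 500, 500, 100, 100 },
                                      0755 | PA_S_ISUID, 0, 0);
    c.euid = c.uid;            /* seteuid(getuid()) */
    return pa_exec_check(&c);
}

int main(void)
{
    printf("exploited set-uid program execs a shell : %s\n",
           scenario_exploited_setuid() == PA_TRAP ? "TRAP" : "ok");
    printf("setuid(0) then exec (su-style)          : %s\n",
           scenario_setuid_then_exec_as_root() == PA_TRAP ? "TRAP" : "ok");
    printf("drop to real uid then exec              : %s\n",
           scenario_drop_then_exec() == PA_TRAP ? "TRAP" : "ok");
    return 0;
}
```

One caveat the model makes visible: the pattern uid != 0, euid == 0 is produced by any set-uid root program that execs a helper without first calling setuid(0) or dropping back to the real UID, not only by an exploited one, so on a real system the list of such legitimate wrappers has to be known before the trap's reaction (session termination and account lock) is enabled.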
The patched ``signal.c'' does not allow the Piranha Guardian to be killed. Table 3 details the Intruder Detection Suite with a quick description of each utility, where IDS stands for Intruder Detection System.
Utility | Quick description |
---|---|
Piranha_Account_Locker | Locks an account after a compromise event |
Piranha_Intruder_Killer | Terminates the work session of a user compromised by a buffer overflow exploit |
Piranha_MD5_Digest_Creator | Creates MD5 fingerprints |
Piranha_PWD_Creator | Sets the Piranha Manager password |
Piranha_SETUID-GID_Checker | Checks the root SETUID-GID map every 60 minutes |
Piranha_SETUID-GID_Init | Initializes the root SETUID-GID database file |
Simple Watcher [9] | Instructs Piranha about Alert Level reactions |
Piranha_System_Shutdown | Halts the machine in critical situations |
Piranha_Dumper | Allows file system management under root+PM privileges |
Piranha_FSC | Protects critical files against modification and trojan horse attacks |
Piranha_FSC_Init | Initializes the database with the MD5 signatures of critical files |
Piranha_Guardian | Checks that all IDS components work correctly; it cannot be killed |
Piranha_Init | Script that coordinates the execution of the IDS |
Piranha_Overflow_Checker | Checks whether Piranha_Audit.log has grown beyond its size limit |
Piranha_PG_PID_Search | Searches for a suitable PID for Piranha_Guardian |
Piranha_PID-UID_Finder | Gets the owner (UID) of a process from its PID |
When an auditable event is detected, Simple Watcher sends an Alert Message to the Piranha Audit subsystem, which takes the least disruptive action to terminate the event.
Responses to certain auditable events, and the PM protection of key files, can be configured by editing the Simple Watcher configuration file.