audittool
Rationale
Root compromises are typically hard to trace because transitions between
security domains (setuid calls, retention of an elevated uid, creation of
setuid programs, and so on) are not audited.
Method
audittool comes in three components:
- Kernel Patches
These patches add a new file system flag, PROTPROC. Like the system
immutable flag (SCHG), it prevents modification of the file once the
securelevel is above 0. In addition, it has the following properties:
- It may not be set while the securelevel is raised.
- Processes created by exec from a file with this flag set may not have
debugging (ptrace, ktrace, etc.) attached to them, and signal delivery to
them is restricted. This state is carried by a PROTPROC flag added to the
process structure.
This allows a user-level process to be protected from other user-level
processes, including those running as root.
- Loadable Kernel Module
This module attaches to the auditing hooks in the kernel and adds a new
syscall interface for retrieving audit event records. As a security
precaution (and an implementation simplification), the module allows only
one process at a time to attach to the event logging hooks, and that
process must have the PROTPROC flag set in its process state.
- User-level Monitor Process
The user-level process attaches to the LKM's auditing hooks and delivers
the event log (filtered as desired) to a log file in the file system. To
protect the process from interference in the event of a root compromise,
its binary should carry the PROTPROC flag so that the process receives it
at exec time. To protect the log files and the binary themselves, they
should be placed in an immutable directory (preferably /audit, so that a
whole tree need not be made immutable), with the log files marked
append-only. These properties are enforced by existing securelevel
behavior once the system is running at securelevel > 0. Because PROTPROC
cannot be set once the securelevel is raised, the flags must be applied
before the system enters a secure level, e.g. during boot.
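The following is an added illustration, not code from audittool itself: a userland C model of the access decisions that the three components above are described as making (the PROTPROC file and process flags, the securelevel-gated chflags and write checks that protect the binary and append-only log, the ptrace/signal restrictions, and the LKM's single-consumer attach rule). The flag bit values, the errno values, the rule that a process takes P_PROTPROC only from a PROTPROC image at exec, and the rule that a protected process accepts signals only from itself are assumptions made for the model; the page does not specify them.

```c
/* Added userland model of the audittool policy; not the project's kernel code.
 * Assumed: flag bit values, errno values, exec inheritance rule, signal rule. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define F_SCHG     0x01u   /* system immutable (assumed bit value) */
#define F_SAPPND   0x02u   /* system append-only (assumed bit value) */
#define F_PROTPROC 0x04u   /* new flag added by the patches (assumed bit value) */
#define P_PROTPROC 0x01u   /* assumed process-structure flag */

struct file { unsigned flags; };
struct proc { int pid; unsigned flags; };

static int securelevel = 0;

/* kern.securelevel may only be raised, as on BSD. */
int model_set_securelevel(int level)
{
    if (level < securelevel)
        return EPERM;
    securelevel = level;
    return 0;
}

/* chflags(2): at securelevel > 0 a file carrying SCHG or PROTPROC is frozen,
 * and PROTPROC cannot be newly set on any file (first property on the page). */
int model_chflags(struct file *f, unsigned newflags)
{
    if (securelevel > 0 && ((f->flags & (F_SCHG | F_PROTPROC)) || (newflags & F_PROTPROC)))
        return EPERM;
    f->flags = newflags;
    return 0;
}

/* write(2): immutable and PROTPROC files are read-only at securelevel > 0;
 * SAPPND files accept only appends (this is what protects the log). */
int model_write(const struct file *f, bool append)
{
    if (securelevel > 0) {
        if (f->flags & (F_SCHG | F_PROTPROC))
            return EPERM;
        if ((f->flags & F_SAPPND) && !append)
            return EPERM;
    }
    return 0;
}

/* execve(2): the process takes P_PROTPROC from the image it executes (assumption). */
void model_exec(struct proc *p, const struct file *image)
{
    if (image->flags & F_PROTPROC)
        p->flags |= P_PROTPROC;
    else
        p->flags &= ~P_PROTPROC;
}

/* ptrace(2)/ktrace(2): refused for a protected target, whatever the tracer's uid. */
int model_ptrace(const struct proc *target)
{
    return (target->flags & P_PROTPROC) ? EPERM : 0;
}

/* kill(2): assumed rule, a protected process accepts signals only from itself. */
int model_kill(const struct proc *sender, const struct proc *target)
{
    return ((target->flags & P_PROTPROC) && sender->pid != target->pid) ? EPERM : 0;
}

/* LKM attach: a single consumer at a time, and it must carry P_PROTPROC. */
static const struct proc *audit_consumer = NULL;

int model_audit_attach(const struct proc *p)
{
    if (!(p->flags & P_PROTPROC))
        return EPERM;
    if (audit_consumer != NULL && audit_consumer != p)
        return EBUSY;
    audit_consumer = p;
    return 0;
}

/* Walk through the intended deployment and a subsequent root compromise,
 * counting the decisions that come out as the design requires (12 in all). */
int model_scenario(void)
{
    struct file monitor_bin = { 0 }, logfile = { 0 }, later_bin = { 0 };
    struct proc monitor = { 100, 0 }, intruder = { 200, 0 };
    int ok = 0;

    ok += model_chflags(&monitor_bin, F_PROTPROC) == 0; /* flags set while securelevel is 0 */
    ok += model_chflags(&logfile, F_SAPPND) == 0;
    ok += model_set_securelevel(1) == 0;
    model_exec(&monitor, &monitor_bin);
    ok += model_audit_attach(&monitor) == 0;            /* monitor takes the hooks */
    ok += model_write(&logfile, true) == 0;             /* appending records works */

    ok += model_chflags(&monitor_bin, 0) == EPERM;      /* root cannot strip PROTPROC */
    ok += model_chflags(&later_bin, F_PROTPROC) == EPERM; /* nor mint a new protected binary */
    ok += model_write(&logfile, false) == EPERM;        /* nor truncate/overwrite the log */
    ok += model_ptrace(&monitor) == EPERM;              /* nor debug the monitor */
    ok += model_kill(&intruder, &monitor) == EPERM;     /* nor signal it */
    ok += model_audit_attach(&intruder) == EPERM;       /* unprotected process gets no hooks */
    model_exec(&intruder, &monitor_bin);                /* even via the protected image ... */
    ok += model_audit_attach(&intruder) == EBUSY;       /* ... the hooks stay with the monitor */
    return ok;
}

int main(void)
{
    printf("%d of 12 policy decisions behaved as designed\n", model_scenario());
    return 0;
}
```

The ordering in `model_scenario` is the point to take from the model: every flag is applied before the securelevel is raised, since after that `model_chflags` refuses to set PROTPROC on anything, and the LKM's one-consumer rule means a compromise that starts a second copy of the protected binary still cannot take the hooks away from the running monitor.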