Research and Implementation of a Security Audit Subsystem
Abstract
Research into and development of secure operating systems has a history of more than thirty years and has produced a large body of results on security models, access control, identity authentication and related topics, greatly improving the security assurance an operating system can offer. As one part of the security mechanism, security auditing is a very important component of a secure operating system: it records the events that occur in the system and provides detailed, reliable evidence or support for determining and locating the causes of incidents, for predictive alerting before an incident occurs, and for real-time handling after one has occurred.

Existing audit technology, however, still has many shortcomings. The audit systems implemented on mainstream UNIX operating systems consist of logging and accounting facilities; these user-space audit systems do not meet current security-audit requirements, being coarse-grained, unable to audit system calls and unable to record in real time. In recent years researchers have therefore proposed kernel auditing and developed kernel audit framework tools based on UNIX-like kernels. But traditional UNIX-like operating systems have a fatal defect: they do not separate the audit administrator's authority from that of the other administrators, so audit configuration data and audit logs are easily destroyed, and the working mechanism of such audit frameworks sharply degrades system performance. To overcome these defects and meet the security-audit requirements of the Kylin secure operating system, the security framework must be designed as a whole and the audit subsystem fully integrated into it.

Building on existing research, this thesis proposes a host-based Kylin kernel audit framework. Its basic idea is to design and implement the audit subsystem on top of mandatory access control and three-way separation of power (the original superuser privilege is subdivided and assigned to a system administrator, a system security administrator and a system auditor), to move the audit system into the kernel, and to combine it with a TE (Type Enforcement) based access control policy that protects the audit configuration and the audit logs.

The design principle and concrete implementation of the system combine a kernel audit thread with a kernel audit module: the kernel audit module collects information about system calls, and the audit thread writes the audit records to disk. This mechanism can audit all security-relevant events, including user login, file open, program execution, file attribute changes, object deletion, and the operations of the security administrator and the system administrator, so the system gives users precise event information; it does not change the kernel data structures of the Kylin operating system itself and can be upgraded and maintained independently. The system can also analyse audit data through a clear, friendly graphical interface and, on top of XML files, implements a unified configuration interface inside and outside the kernel, functionally similar to the Windows Registry API, so that the events to be audited can be configured flexibly. Finally, performance evaluation shows an overhead of only about 5% to 10% under high load with full auditing enabled, demonstrating that the kernel audit runs with low overhead and has little impact on system performance.
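The abstract describes three pieces that fit together: a kernel audit module that captures records at the system-call hook, a separate audit thread that drains them to disk, and a policy that lets only the auditor touch the audit configuration and log. The following user-space C model is an added example, not code from the thesis or from Kylin; every name in it (`audit_collect`, `audit_thread_flush`, `audit_authorize`, the role and event enums) is hypothetical, the ring buffer stands in for the kernel-side queue, and the authorization function is a deliberately simple stand-in for the TE policy. It shows the event mask acting as the audit configuration, the collect/write split, an explicit count of records dropped when the queue overflows, and the role check that denies the system administrator any write to audit state.

```c
/* Added example, not code from the thesis: a user-space model of the
 * kernel-audit design the abstract describes. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Security-relevant event classes named in the abstract, kept as a bit mask
 * so the auditor can switch individual classes on and off. */
enum audit_event {
    AUD_LOGIN       = 1u << 0,
    AUD_FILE_OPEN   = 1u << 1,
    AUD_EXEC        = 1u << 2,
    AUD_ATTR_CHANGE = 1u << 3,
    AUD_UNLINK      = 1u << 4,
    AUD_ADMIN_OP    = 1u << 5
};

/* The former superuser, split into three roles (three-way separation of power). */
enum role { ROLE_USER, ROLE_SYSADMIN, ROLE_SECADMIN, ROLE_AUDITOR };

/* Operations on the audit configuration and the audit log. */
enum audit_op { OP_READ_CONFIG, OP_WRITE_CONFIG, OP_READ_LOG, OP_DELETE_LOG };

struct audit_record {
    uint64_t seq;
    enum audit_event event;
    int uid;
    int result;        /* 0 = syscall succeeded, otherwise an errno value */
    char detail[64];
};

#define QUEUE_CAP 8              /* small on purpose so overflow is easy to show */
static struct audit_record queue[QUEUE_CAP];
static unsigned q_head, q_count; /* ring buffer: head index and fill level */
static unsigned dropped;         /* records lost because the queue was full */
static uint64_t next_seq;
static unsigned audit_mask = AUD_LOGIN | AUD_EXEC | AUD_ADMIN_OP; /* default config */

/* Stand-in for the on-disk log: append-only lines written by the audit thread. */
#define LOG_CAP 64
static char logbuf[LOG_CAP][128];
static unsigned log_lines;

/* Stand-in for the TE policy protecting audit config and log (modelling
 * assumption): only the auditor touches them, and nobody may delete the log. */
int audit_authorize(enum role r, enum audit_op op)
{
    if (op == OP_DELETE_LOG) return 0;   /* log is append-only for every role */
    return r == ROLE_AUDITOR;            /* sysadmin, secadmin, user: denied */
}

/* Configuration interface: change which event classes are recorded. */
int audit_set_mask(enum role r, unsigned mask)
{
    if (!audit_authorize(r, OP_WRITE_CONFIG)) return -1;
    audit_mask = mask;
    return 0;
}

/* Kernel audit module side, called from a syscall hook. Returns 1 if the
 * record was queued, 0 if the event class is not audited, -1 if dropped. */
int audit_collect(enum audit_event ev, int uid, int result, const char *detail)
{
    if (!(audit_mask & ev)) return 0;
    if (q_count == QUEUE_CAP) { dropped++; return -1; }
    struct audit_record *rec = &queue[(q_head + q_count) % QUEUE_CAP];
    rec->seq = next_seq++;
    rec->event = ev;
    rec->uid = uid;
    rec->result = result;
    snprintf(rec->detail, sizeof rec->detail, "%s", detail);
    q_count++;
    return 1;
}

/* Audit thread side: drain the queue to the log. Returns records written. */
unsigned audit_thread_flush(void)
{
    unsigned written = 0;
    while (q_count > 0 && log_lines < LOG_CAP) {
        const struct audit_record *rec = &queue[q_head];
        snprintf(logbuf[log_lines++], sizeof logbuf[0],
                 "seq=%llu event=0x%02x uid=%d result=%d detail=%s",
                 (unsigned long long)rec->seq, (unsigned)rec->event,
                 rec->uid, rec->result, rec->detail);
        q_head = (q_head + 1) % QUEUE_CAP;
        q_count--;
        written++;
    }
    return written;
}

unsigned audit_dropped(void) { return dropped; }
unsigned audit_log_count(void) { return log_lines; }
const char *audit_log_line(unsigned i) { return i < log_lines ? logbuf[i] : ""; }

/* Reset all state so runs are repeatable. */
void audit_reset(void)
{
    q_head = q_count = dropped = log_lines = 0;
    next_seq = 0;
    audit_mask = AUD_LOGIN | AUD_EXEC | AUD_ADMIN_OP;
}

int main(void)
{
    audit_reset();
    printf("sysadmin may edit audit config: %d\n",
           audit_authorize(ROLE_SYSADMIN, OP_WRITE_CONFIG));
    audit_set_mask(ROLE_AUDITOR, AUD_LOGIN | AUD_FILE_OPEN);
    audit_collect(AUD_LOGIN, 1000, 0, "tty1");                /* constructed events */
    audit_collect(AUD_FILE_OPEN, 1000, 13, "/etc/shadow");    /* 13 = EACCES */
    audit_collect(AUD_EXEC, 1000, 0, "/bin/ls");              /* class not configured */
    audit_thread_flush();
    for (unsigned i = 0; i < audit_log_count(); i++) puts(audit_log_line(i));
    return 0;
}
```

Two design points carry over from the thesis's description. The syscall-side collector does nothing but copy fields into a queue slot, which is why the real design can afford to hook every security-relevant call; all formatting and I/O happen in the separate thread. And a full queue is counted rather than silently ignored, so the auditor can see when records were lost; in a production kernel that counter is itself something to log and alert on.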

© 2004-2018 China Geological Library. All rights reserved.