Slide 1
Cost of Security: Auditing Focus
Matthew Chambers (Michigan Technological University)
Kevin Lopez (California State University, San Bernardino)
Casey Mortensen (New Mexico Institute of Mining and Technology)
Mentor: David Kennel (DCS-1)
Instructor: Andree Jacobson (NMC)
2011 Computer System, Cluster and Networking Summer Institute
Slide 2
Introduction
What is the audit daemon?
What purpose does auditd serve?
What is the cost of security?
Slide 3
Auditd
User-space daemon that receives and records events generated by the kernel audit subsystem
Host-based intrusion detection: it produces an audit trail of what happened
Does not prevent malicious activity
Source: Novell, SUSE Linux Enterprise Desktop 10 audit guide, http://www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
Slide 4
The Benefits of Auditd
Increased security: monitor file activity (watch rules) and syscall activity (syscall rules)
Creates detailed logs: login uid (auid), uid, syscall used, executable, timestamp, etc.
Robust search and filter tools (ausearch, aureport)
Easy, manageable log rotation built into auditd (max_log_file and max_log_file_action in auditd.conf)
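The "detailed logs" and "search and filter" points above come down to the record format auditd writes to audit.log: every record carries `type=`, a `msg=audit(seconds.millis:serial):` stamp, and space-separated `key=value` fields, with all records of one syscall event sharing a serial. The Python below, added here as an example rather than code from the slides, parses that format, groups records into events, and filters by rule key the way `ausearch -k` does. The log lines are constructed for illustration (the kind a watch rule such as `-w /etc/passwd -p wa -k passwd-watch` would produce), the syscall-number table covers only the two calls in the sample, and the function names are this example's own.

```python
"""Parse raw auditd records (audit.log format) into structured events and
filter them by rule key, the way `ausearch -k <key>` would.

Added example, not code from the slides. SAMPLE_LOG is constructed for
illustration and was not captured from a real system.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: event 4567 (SYSCALL + CWD + PATH) is root editing
# /etc/passwd under a rule keyed "passwd-watch"; event 4570 is a chmod
# under a rule keyed "perm-change". arch=c000003e means x86_64.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1312480000.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2a1c a1=241 a2=1b6 a3=0 items=1 ppid=1000 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="passwd-watch"
type=CWD msg=audit(1312480000.123:4567): cwd="/root"
type=PATH msg=audit(1312480000.123:4567): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1312480005.456:4570): arch=c000003e syscall=90 success=yes exit=0 a0=7fff2b10 a1=1ed a2=0 a3=0 items=1 ppid=1000 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="chmod" exe="/bin/chmod" key="perm-change"
type=PATH msg=audit(1312480005.456:4570): item=0 name="/home/user/script.sh" inode=9001 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
"""

# x86_64 syscall numbers for the two calls that appear in the sample.
X86_64_SYSCALLS = {2: "open", 90: "chmod"}

MSG_RE = re.compile(r"^audit\((\d+)\.(\d+):(\d+)\):$")


def parse_record(line):
    """Turn one `type=... msg=audit(...): k=v k="v" ...` line into a dict."""
    fields = {}
    for token in shlex.split(line):          # shlex strips the "..." quoting
        key, sep, value = token.partition("=")
        if not sep:
            continue
        if key == "msg":
            m = MSG_RE.match(value)
            if not m:
                raise ValueError("malformed msg field: " + value)
            secs, millis, serial = m.groups()
            stamp = datetime.fromtimestamp(int(secs), tz=timezone.utc)
            fields["time"] = stamp.replace(microsecond=int(millis) * 1000)
            fields["serial"] = int(serial)
        else:
            fields[key] = value
    return fields


def parse_events(log_text):
    """Group records by serial: auditd emits one serial per syscall event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)


def summarize(event):
    """Condense an event's records into the fields an analyst reads first.

    auid is the login uid, which survives su/sudo; uid is the effective
    identity at the time of the call. The gap between them is the story.
    """
    syscall = next(r for r in event if r["type"] == "SYSCALL")
    return {
        "serial": syscall["serial"],
        "time": syscall["time"].isoformat(),
        "auid": int(syscall["auid"]),
        "uid": int(syscall["uid"]),
        "syscall": X86_64_SYSCALLS.get(int(syscall["syscall"]), syscall["syscall"]),
        "success": syscall["success"] == "yes",
        "exe": syscall["exe"],
        "key": syscall.get("key"),
        "paths": [r["name"] for r in event if r["type"] == "PATH"],
    }


def search_by_key(log_text, key):
    """Equivalent of `ausearch -k key`: summaries of events with that rule key."""
    return [summarize(ev) for ev in parse_events(log_text).values()
            if any(r.get("key") == key for r in ev)]


if __name__ == "__main__":
    for hit in search_by_key(SAMPLE_LOG, "passwd-watch"):
        print(hit)
```

The grouping by serial matters for the "detailed logs" claim: the who (auid, uid, exe) lives in the SYSCALL record and the what (file name, inode, owner) in the PATH records, so a filter that only greps single lines loses one half or the other. Keying rules with `-k` is what makes `search_by_key` (and `ausearch -k`) cheap compared to scanning every field.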
Slide 5
The Drawbacks of Auditd
Performance degradation: CPU overhead on every audited syscall, extra context switches between the kernel and auditd, and the cost of writing the log itself
Only a detection system: it records what happened, it does not block it
Slide 6
Results (Small File I/O) (chart only; not reproduced in the transcript)
Slide 7
Results (Small File I/O), continued (chart only; not reproduced in the transcript)
Slide 8
Results (Intel MPI) (chart only; not reproduced in the transcript)
Slide 9
Results (Syscalls) (chart only; not reproduced in the transcript)
Slide 10
Hybrid Benchmark
Phases, in order:
Init
Calculate primes in a range
Write to file
Write to file
Write to file
chmod
Read all files
Calculate primes in a range
Calculate primes in a range
Write to one file
Fork
Implemented in CPython and bash
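The phase list above is enough to rebuild the workload. The Python below is an added example, not the institute's own CPython or bash benchmark: the prime range, file size, temporary directory and phase names are assumptions. It runs the phases in the slide's order and times each one separately, so that running it once with auditd stopped and once with the audit rules loaded shows which phases pay for auditing (the syscall-heavy writes, chmod, reads and fork) and which do not (the pure-CPU prime passes).

```python
"""Hybrid benchmark: CPU-bound prime search interleaved with file writes,
chmod, reads and a fork, following the phase order on the slide (init,
primes, three writes, chmod, read all, primes, primes, one write, fork).

Added example, not the institute's own benchmark code. Prime range, file
size, directory and phase names are assumptions chosen to keep a run short.
"""
import os
import shutil
import subprocess
import sys
import tempfile
import time

PHASES = ("init", "primes_1", "write_3", "chmod", "read_all",
          "primes_2", "primes_3", "write_1", "fork")


def primes_in_range(lo, hi):
    """Trial-division primes in [lo, hi): pure CPU work, no syscalls."""
    return [n for n in range(max(lo, 2), hi)
            if all(n % p for p in range(2, int(n ** 0.5) + 1))]


def spawn_child():
    """fork()+wait() where available; a minimal subprocess elsewhere."""
    if hasattr(os, "fork"):
        pid = os.fork()
        if pid == 0:
            os._exit(0)          # child: leave immediately, no cleanup handlers
        _, status = os.waitpid(pid, 0)
        return os.WEXITSTATUS(status)
    return subprocess.run([sys.executable, "-c", "pass"]).returncode


def run_benchmark(workdir, prime_hi=20000, file_bytes=256 * 1024):
    """Run the phases in slide order; return {phase: elapsed seconds}."""
    timings = {}
    state = {}

    def timed(name, fn):
        t0 = time.perf_counter()
        fn()
        timings[name] = time.perf_counter() - t0

    def init():
        state["paths"] = [os.path.join(workdir, f"file{i}.dat") for i in range(3)]
        state["payload"] = os.urandom(file_bytes)   # assumption: 256 KiB per file

    def write(paths):
        for p in paths:
            with open(p, "wb") as f:
                f.write(state["payload"])
                f.flush()
                os.fsync(f.fileno())   # push the data to disk so the I/O is real

    def read_all():
        for p in state["paths"]:
            with open(p, "rb") as f:
                if len(f.read()) != file_bytes:
                    raise RuntimeError("short read on " + p)

    timed("init", init)
    timed("primes_1", lambda: primes_in_range(2, prime_hi))
    timed("write_3", lambda: write(state["paths"]))
    timed("chmod", lambda: [os.chmod(p, 0o600) for p in state["paths"]])
    timed("read_all", read_all)
    timed("primes_2", lambda: primes_in_range(2, prime_hi))
    timed("primes_3", lambda: primes_in_range(2, prime_hi))
    timed("write_1", lambda: write(state["paths"][:1]))
    timed("fork", spawn_child)
    return timings


def run_in_tempdir(**kwargs):
    """Run the benchmark in a throwaway directory and clean up afterwards."""
    workdir = tempfile.mkdtemp(prefix="auditbench-")
    try:
        return run_benchmark(workdir, **kwargs)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    results = run_in_tempdir()
    for phase in PHASES:
        print(f"{phase:10s} {results[phase] * 1000:8.2f} ms")
    print(f"{'total':10s} {sum(results.values()) * 1000:8.2f} ms")
```

Keep the workdir on the same filesystem the audit rules actually watch, and compare runs with a rule set that covers that path (a watch such as `-w <workdir> -p rwxa -k bench`) against the same rules unloaded (`auditctl -D`); a rule set that never matches the benchmark's files measures only the per-syscall hook cost, not the logging cost.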
Slide 11
Results (Hybrid) (chart only; not reproduced in the transcript)
Slide 12
What to consider…
Scaling to many nodes
Protection measures (SELinux) alongside detection
Log destination: an NFS-mounted audit log vs forwarding through the audit dispatcher (audispd)
SSD and RAM performance where the log is written
Slide 13
Conclusion
Performance cost: measured with non-CAPP rules and with CAPP rules (the Controlled Access Protection Profile rule set shipped with the audit package)
Recommendation: minimal day-to-day impact; implement auditing
Slide 14
Questions?