Educause Security Discussion mailing list archives
Re: CIS vs NIST
From: "Bridges, Robert A." <bridgesra () ORNL GOV>
Date: Mon, 30 Apr 2018 16:57:42 +0000
Thank you, Valdis!
--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National
Laboratory
On 4/30/18, 12:52 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Valdis Kletnieks" <SECURITY ()
LISTSERV EDUCAUSE EDU on behalf of valdis.kletnieks () VT EDU> wrote:
On Mon, 30 Apr 2018 16:12:58 -0000, "Bridges, Robert A." said:
> So (one of) the questions (that still remains) for anyone willing to chime in
> does anyone use audit logs?
You'll probably need to qualify the question somewhat. There's the general
concept of an audit log where a note of any sketchy/wonky events get logged,
which can be anything from network logs tracking a probe (and could be
Splunk, firewall, or iptables or Windows event log) to failed logins to event
logs regarding attempted access to restricted file data.
And then there's a specific Linux thing called 'audit', which is a kernel
facility for logging security-relevant events detected by the kernel. The
output from that can vary based on the configuration - on my laptop it runs
about 1 megabyte a day of various stray SELinux messages with the canned Fedora
default config. At the other end of the spectrum, you can configure it to log
every single system call - which can be voluminous indeed. For example,
modelling with 'strace', just building the NVidia kernel driver involves 148
compiles, 5,500 processes, and 2.5 million system calls - and logging that at
260 bytes or so per call leaves you looking at 4 gigabytes of logging. My
laptop doesn't have enough disk to do syscall-level logging for an entire
kernel build (5,000 or so compiles). And it's *really* easy to tell it to log
the wrong things, or misinterpret the results - for example, the module build I
just mentioned had this:
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 95.12  448.089860       59294      7557      2626 wait4
  1.65    7.756550          14    537697    247580 openat
  0.65    3.078594           9    310831           read
  0.55    2.600349           8    301260       870 close
  0.48    2.283084           7    289726           fstat
  0.34    1.594304          12    123804           mmap
  0.14    0.680137          17     38842           mprotect
  0.14    0.658445          46     14024           munmap
  0.13    0.618032          12     49516     22266 stat
Wow, is there a problem because half the open() and stat() calls failed? Nope -
it's standard Linux behavior, trying to open a file at multiple locations in
a search path, which can cause 4 or 5 attempts to find the file in various site
and user override locations before settling on the system-provided file.
To the best of my knowledge, nobody's using the Linux kernel audit logs for
near real time detection of events - it's of more use for forensic analysis of
incidents and system/package testing.
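As an added example (not code from the thread or from either poster), here is a small Python script that parses the strace -c summary quoted above, flags the syscalls a naive "alert when many calls fail" rule would light up, and reproduces the benign search-path pattern Valdis describes so the failure ratio can be seen first-hand. The summary text is reconstructed from the table above; the override directory names and config.h file are constructed.

```python
import os
import tempfile
# Constructed input: the `strace -c` summary quoted in the thread.
STRACE_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 95.12  448.089860       59294      7557      2626 wait4
  1.65    7.756550          14    537697    247580 openat
  0.65    3.078594           9    310831           read
  0.55    2.600349           8    301260       870 close
  0.48    2.283084           7    289726           fstat
  0.34    1.594304          12    123804           mmap
  0.14    0.680137          17     38842           mprotect
  0.14    0.658445          46     14024           munmap
  0.13    0.618032          12     49516     22266 stat
"""

def parse_strace_summary(text):
    """Return {syscall: (calls, errors)}; strace leaves the errors column blank when zero."""
    stats = {}
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].replace(".", "").isdigit():
            continue  # header and separator lines
        if len(f) == 6:
            stats[f[5]] = (int(f[3]), int(f[4]))
        else:
            stats[f[4]] = (int(f[3]), 0)
    return stats

def high_failure_syscalls(stats, threshold=0.25):
    """Syscalls a naive 'alert when many calls fail' rule would flag."""
    return [n for n, (calls, errs) in stats.items() if calls and errs / calls > threshold]

def search_path_failure_ratio(depth=5):
    """Open a file in `depth` candidate dirs in order, as a loader walks a search
    path, with the file only in the last (system) one; return share of opens that fail."""
    failures = 0
    with tempfile.TemporaryDirectory() as root:
        dirs = [os.path.join(root, f"override{i}") for i in range(depth)]
        for d in dirs:
            os.mkdir(d)
        open(os.path.join(dirs[-1], "config.h"), "w").close()  # only real copy
        for d in dirs:
            try:
                os.close(os.open(os.path.join(d, "config.h"), os.O_RDONLY))
                break  # found it; a loader would stop here
            except FileNotFoundError:
                failures += 1  # shows up as a failed openat in audit data
    return failures / depth
```

Run against the quoted table, the rule flags wait4, openat and stat, and a five-deep search path with one real file yields an 80% openat failure rate, which is why failure counts alone are a poor alerting signal.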