Security rating of Apple Mac OS X System (2)

Source: Internet
Author: User
Tags: system log

The previous article, Apple Mac OS X system security rating (1), mainly introduced the overview of security ratings and the current state of the Mac system. Let's now take a look at the internals of its security system.


Preface

As mentioned above, the security audit facility of OS X is based on OpenBSM. Its main goal is to provide selective, effective and fine-grained recording of security-related system and application information, for use in post-event analysis, intrusion detection and real-time monitoring. OpenBSM mainly comprises: the core audit event engine (this part must be matched to the operating system, for example the embedding in OS X's Mach kernel); the system call audit ABIs embedded in user space, including the login- and sshd-related programs; the audit printing tool (praudit); the audit management service; the audit pipe, used for real-time application monitoring; and the audit support library. It supports FreeBSD, OS X and Linux, and achieves portability through a byte-order-independent audit trail format. Each release contains libraries, command-line tools, configuration files, the audit service daemon, and a trail distribution program used to transmit trail files to central storage in real time. Its development is currently integrated mainly with the core development of FreeBSD 10.

In the OS X system, we will examine its details from the following aspects.

Configuration

Defining a system's behavior is inseparable from its configuration files. By reading the configuration files you can not only understand in detail what the audit system records and what it ignores, but also get a picture of its general structure.

Its configuration files are stored in the /etc/security directory, which holds several control/configuration files. These files define or set the behavior of OpenBSM. To learn how to control it, take a look at these files:

  • audit_class: defines the names of the audit event classes; it is effectively a set of macro definitions. Each audit event class corresponds to a hexadecimal number. These class names are also called audit flags.
  • audit_control: the configuration file that defines audit behavior.
  • audit_event: defines the relationship between the event identifier (an integer event number) and the event name.
    Event ranges: 1-2047 are operating system kernel events, 6000-9999 are operating system user events, and 32768-65535 are third-party application events; within that last block, 43000-44999 are OpenBSM kernel events and 45000-46999 are OpenBSM application events. The first column is the event identifier number, the second column is the text description, and the third column is the corresponding event class, which must be defined in audit_class. From this mapping you can tell which system, user and application events the audit system will record for a given event class.
  • audit_user: allows special audit settings for individual users. By default the root user has login_logout recording.
  • audit_warn: the script that runs when an audit warning is raised.


audit_class:

Looking at the audit_class file, each audit event class is actually the definition of one binary bit. Currently the mask is 32 bits wide, so there can be at most 32 classes. Do not change this file.

The file is as follows:

    #
    # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_class#6 $
    #
    0x00000000:no:invalid class
    0x00000001:fr:file read
    0x00000002:fw:file write
    0x00000004:fa:file attribute access
    0x00000008:fm:file attribute modify
    0x00000010:fc:file create
    0x00000020:fd:file delete
    0x00000040:cl:file close
    0x00000080:pc:process
    0x00000100:nt:network
    0x00000200:ip:ipc
    0x00000400:na:non attributable
    0x00000800:ad:administrative
    0x00001000:lo:login_logout
    0x00002000:aa:authentication and authorization
    0x00004000:ap:application
    0x20000000:io:ioctl
    0x40000000:ex:exec
    0x80000000:ot:miscellaneous
    0xffffffff:all:all flags set

audit_event:

The audit_event file assigns a fixed code to each audit event; one code corresponds to one event. If a developer needs to add a custom event, the system may need to be recompiled, so there is normally no need to change this file.

The basic format is code, abbreviated name, description and class. In this file you can see the definition of each event and which audit class it belongs to. For example, 46 is a shutdown event in the nt class; 6152-6154, 6158, 6165, 6171 and 6172 are logon events belonging to the lo class. If a user or group does not have ssh/telnet logon permission and a logon event for them nevertheless appears, you need to check the system for vulnerabilities; watch the 6159 event in particular, since a normal user should not be able to become system administrator.

Audit events are divided into ranges. 1 to 2047 are kernel BSM events, 6000-9999 are BSM user events, and 32768-65535 are a block open to third-party programs. Two ranges are reserved: 43000-44999 for OpenBSM kernel events and 45000-46999 for OpenBSM program events.


audit_warn:

The administrator can set the script that runs when an audit warning occurs.

The default file is:

    #!/bin/sh
    #
    # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_warn#3 $
    #
    logger -p security.warning "audit warning: $@"

audit_user:

The administrator can set different audit levels for different users. The default is:

    #
    # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#3 $
    #
    root:lo:no

audit_control:

This is the most important configuration file for controlling the behavior of the audit system. The default contents are:

    #
    # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
    #
    dir:/var/audit
    flags:lo,aa
    minfree:5
    naflags:lo,aa
    policy:cnt,argv
    filesz:2M
    expire-after:10M
    superuser-set-sflags-mask:has_authenticated,has_console_access
    superuser-clear-sflags-mask:has_authenticated,has_console_access
    member-set-sflags-mask:
    member-clear-sflags-mask:has_authenticated
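To make the relationship between the three files concrete, here is an added example (my own code, not from the article or from OpenBSM) that parses the text formats of audit_class, audit_event and audit_control, turns a flags string such as lo,aa into the 32-bit class mask, and answers whether a given event code would be recorded under that mask. The three file bodies embedded in it are constructed samples in the same format as the real /etc/security files; the event 6500 and its name AUE_example_auth are invented for the example.

```python
# Added example, not code from the article or from OpenBSM: parse the text
# formats of audit_class, audit_event and audit_control and decide whether a
# given event would be recorded under the configured "flags" mask.
# The three file bodies below are constructed samples in the same format as
# the real /etc/security files; they are not copied from a live system.
from typing import Dict, Set, Tuple

AUDIT_CLASS = """\
# constructed sample in audit_class format: mask:abbreviation:description
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000080:pc:process
0x00000100:nt:network
0x00000400:na:non attributable
0x00001000:lo:login_logout
0x00002000:aa:authentication and authorization
0xffffffff:all:all flags set
"""

AUDIT_EVENT = """\
# constructed sample in audit_event format: code:name:description:class
46:AUE_SHUTDOWN:shutdown(2):nt
6159:AUE_su:su(1):lo
6500:AUE_example_auth:constructed authentication event:aa
"""

AUDIT_CONTROL = """\
# constructed sample using the same keys as the article's audit_control
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
"""


def _entries(text: str):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_audit_class(text: str) -> Dict[str, int]:
    """Map each class abbreviation (fr, lo, aa, ...) to its 32-bit mask."""
    classes: Dict[str, int] = {}
    for line in _entries(text):
        mask, name, _description = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def parse_audit_event(text: str) -> Dict[int, Tuple[str, Set[str]]]:
    """Map each event code to (event name, set of class abbreviations)."""
    events: Dict[int, Tuple[str, Set[str]]] = {}
    for line in _entries(text):
        code, name, _description, cls = line.split(":", 3)
        events[int(code)] = (name, {c for c in cls.split(",") if c})
    return events


def parse_audit_control(text: str) -> Dict[str, str]:
    """Map each audit_control key (flags, filesz, ...) to its value string."""
    return dict(line.split(":", 1) for line in _entries(text))


def flags_to_mask(flags: str, classes: Dict[str, int]) -> int:
    """OR together the masks of a comma-separated flag list such as "lo,aa".
    Only plain class names are handled; the '+'/'-' success-only and
    failure-only prefixes that audit_control(5) allows are stripped and
    ignored by this example."""
    mask = 0
    for flag in flags.split(","):
        flag = flag.strip().lstrip("+-")
        if flag:
            mask |= classes[flag]
    return mask


def is_recorded(code: int, control: Dict[str, str], classes: Dict[str, int],
                events: Dict[int, Tuple[str, Set[str]]]) -> bool:
    """True if an event with this code falls inside the configured flags mask."""
    _name, event_classes = events[code]
    selected = flags_to_mask(control.get("flags", "no"), classes)
    event_mask = 0
    for cls in event_classes:
        event_mask |= classes[cls]
    return bool(selected & event_mask)


if __name__ == "__main__":
    classes = parse_audit_class(AUDIT_CLASS)
    events = parse_audit_event(AUDIT_EVENT)
    control = parse_audit_control(AUDIT_CONTROL)
    print("flags %s -> mask 0x%08x" % (control["flags"],
                                      flags_to_mask(control["flags"], classes)))
    for code, (name, _) in sorted(events.items()):
        state = "recorded" if is_recorded(code, control, classes, events) else "not recorded"
        print("%6d %-20s %s" % (code, name, state))
```

Run against the sample, the shutdown event (class nt) is not recorded under flags:lo,aa while the su and authentication events are; setting flags to no,no yields a zero mask, which is exactly why the disable procedure at the end of the article edits that line.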

Start/control command

General control operations:
The audit command in /usr/sbin is the main control command. It can initialize the audit system, force the audit system to close the current audit log file so that audit events are recorded to a new file, make the audit system re-read the configuration in audit_control, or stop auditing.

In OS X, starting the audit daemon is managed by launchd. The description file is /System/Library/LaunchDaemons/com.apple.auditd.plist, which launchd uses to start the /usr/sbin/auditd daemon. As with other system services, launchctl is used to enable or disable auditd; a brief example is given later.


Audit Log

The above gives a rough picture of the structure of the audit system. What we are more interested in is analysing the audit log content. The log (trail) file format of OpenBSM differs from that of ordinary log files and must be interpreted with dedicated commands or software.


Log (trails) file:

All audit logs of the OS X system are saved in their own format and do not appear in the system log file. The trail files are stored in the /var/audit/ directory, which can only be accessed by the system administrator, that is, root. Therefore the following commands should be run as root; otherwise a Permission denied error occurs.

The audit_control file above defines the maximum size of each trail file (filesz). Once a trail file reaches this limit, the system rotates to a new trail file; the system also rotates to a new file after a period of time, which is why you may see many files that are only a few KB or a few tens of KB in size.

A trail file is named after the time the file was started and the time of its last record, for example 20130112143036.20130114164647, which breaks down as 2013 01 12 14 30 36 . 2013 01 14 16 46 47: the file starts at 14:30:36 on 12 January 2013 and ends at 16:46:47 on 14 January 2013. There are also files ending in .crash_recovery, which are generated if the OpenBSM system crashed, and a trail file ending in .not_terminated, which is the one still in use.

The log file size depends on the event classes selected in audit_control. If it is set to all, a huge volume of trail data is generated: your disk will soon be full (if expire-after is set large enough), and other programs may be affected because auditing consumes too many system resources.
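Because the naming scheme encodes the start and end of every trail, it can be decoded mechanically. The following is an added example (my own code, not from the article or from OpenBSM) that parses trail file names including the .not_terminated and .crash_recovery forms described above, finds which trail covers a given moment, and reports gaps where no trail was being written. SAMPLE_TRAILS is a constructed directory listing; only its second name is taken from the article.

```python
# Added example, not from the article: decode /var/audit trail file names,
# find which trail covers a given moment, and report gaps in coverage.
# SAMPLE_TRAILS is a constructed listing; only the second name comes from
# the article.
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

_STAMP = "%Y%m%d%H%M%S"   # YYYYMMDDhhmmss, as in the file names

SAMPLE_TRAILS = [
    "20130110080000.20130112143035",
    "20130112143036.20130114164647",
    "20130115090000.not_terminated",
]


class Trail(NamedTuple):
    name: str
    start: datetime
    end: Optional[datetime]   # None when the name carries no end stamp
    state: str                # "closed", "not_terminated" or "crash_recovery"


def stamp(text: str) -> datetime:
    """Parse one 14-digit time stamp from a trail name."""
    return datetime.strptime(text, _STAMP)


def parse_trail_name(name: str) -> Trail:
    """Split "<start>.<end>" into datetimes. The two suffixes the article
    mentions (not_terminated, crash_recovery) have no end stamp."""
    start_text, _, rest = name.partition(".")
    start = stamp(start_text)
    if rest in ("not_terminated", "crash_recovery"):
        return Trail(name, start, None, rest)
    return Trail(name, start, stamp(rest), "closed")


def trails_covering(names: List[str], at: datetime) -> List[str]:
    """Names of the trails whose span includes 'at'. A trail without an end
    stamp is taken to cover everything from its start onward."""
    hits = []
    for t in map(parse_trail_name, names):
        if t.start <= at and (t.end is None or at <= t.end):
            hits.append(t.name)
    return hits


def coverage_gaps(names: List[str],
                  min_gap: timedelta = timedelta(minutes=1)) -> List[Tuple[datetime, datetime]]:
    """(previous end, next start) pairs between which no trail was being
    written for longer than min_gap. On a host that should always be
    auditing, such a gap is worth investigating."""
    trails = sorted((parse_trail_name(n) for n in names), key=lambda t: t.start)
    gaps = []
    for prev, nxt in zip(trails, trails[1:]):
        if prev.end is not None and nxt.start - prev.end > min_gap:
            gaps.append((prev.end, nxt.start))
    return gaps


if __name__ == "__main__":
    for n in SAMPLE_TRAILS:
        print(parse_trail_name(n))
    print("covers 2013-01-13 09:00:", trails_covering(SAMPLE_TRAILS, stamp("20130113090000")))
    for gap_start, gap_end in coverage_gaps(SAMPLE_TRAILS):
        print("no trail between", gap_start, "and", gap_end)
```

In the sample listing the one-second difference between the first file's end and the second file's start is normal rotation, while the stretch between the second file's end and the start of the open .not_terminated file is reported as a gap.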


praudit command:

The praudit command parses the content of a specified trail file and outputs it in text form. The basic command formats are:

    praudit -s /var/audit/*: short output format
    praudit -x /var/audit/*: XML output format

The following is an example of the short-format output:

    header,203,11,AUE_ssauthorize,0,Sat Jan 12 07:31:44 2013, + 927 msec
    subject,-1,root,wheel,root,wheel,39,100004,39,0.0.0.0
    text,system.login.console
    text,client /System/Library/CoreServices/loginwindow.app
    text,creator /System/Library/CoreServices/loginwindow.app
    return,success,0
    trailer,203
    header,72,11,AUE_lw_login,0,Sat Jan 12 07:31:45 2013, + 23 msec
    subject_ex,admin,root,wheel,admin,staff,39,100004,50331650,0.0.0.0
    return,success,0
    trailer,72
    header,200,11,AUE_ssauthorize,0,Sat Jan 12 07:31:45 2013, + 174 msec
    subject,-1,root,wheel,root,wheel,39,100004,39,0.0.0.0
    text,system.login.done
    text,client /System/Library/CoreServices/loginwindow.app
    text,creator /System/Library/CoreServices/loginwindow.app
    return,success,0
    trailer,200
    header,156,11,AUE_ssauthmech,0,Sat Jan 12 07:31:45 2013, + 872 msec
    subject,admin,admin,staff,admin,staff,158,100004,158,0.0.0.0
    text,system.services.systemconfiguration.network
    text,mechanism builtin:entitled,privileged
    return,success,0
    trailer,156

This is not especially easy to read or intuitive.
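The short format becomes more useful once the header ... trailer token groups are reassembled into records. The following added example (my own code, not from the article or from OpenBSM) does that for the output shown above, which is embedded verbatim, and then picks out the logon records the audit_event section says are worth reviewing. The token layouts it assumes (header: size, version, event, modifier, time, milliseconds; subject: audit user, euid, egid, ruid, rgid, pid, session id, terminal id, address; return: status, value) are read off the sample itself.

```python
# Added example, not from the article: group the one-token-per-line output
# of "praudit -s" into records and pull out the fields worth reviewing.
# SAMPLE_PRAUDIT is the article's own sample output, one token per line.
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_PRAUDIT = """\
header,203,11,AUE_ssauthorize,0,Sat Jan 12 07:31:44 2013, + 927 msec
subject,-1,root,wheel,root,wheel,39,100004,39,0.0.0.0
text,system.login.console
text,client /System/Library/CoreServices/loginwindow.app
text,creator /System/Library/CoreServices/loginwindow.app
return,success,0
trailer,203
header,72,11,AUE_lw_login,0,Sat Jan 12 07:31:45 2013, + 23 msec
subject_ex,admin,root,wheel,admin,staff,39,100004,50331650,0.0.0.0
return,success,0
trailer,72
header,200,11,AUE_ssauthorize,0,Sat Jan 12 07:31:45 2013, + 174 msec
subject,-1,root,wheel,root,wheel,39,100004,39,0.0.0.0
text,system.login.done
text,client /System/Library/CoreServices/loginwindow.app
text,creator /System/Library/CoreServices/loginwindow.app
return,success,0
trailer,200
header,156,11,AUE_ssauthmech,0,Sat Jan 12 07:31:45 2013, + 872 msec
subject,admin,admin,staff,admin,staff,158,100004,158,0.0.0.0
text,system.services.systemconfiguration.network
text,mechanism builtin:entitled,privileged
return,success,0
trailer,156
"""


def parse_praudit(text: str) -> List[Dict]:
    """Turn header ... trailer token groups into dicts. Token layouts are
    assumed from the sample: header = size,version,event,modifier,time,msec;
    subject/subject_ex = audit-uid,euid,egid,ruid,rgid,pid,sid,tid,address;
    return = status,value."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        fields = line.strip().split(",")
        kind = fields[0]
        if kind == "header":
            current = {
                "size": int(fields[1]),
                "event": fields[3],
                "time": datetime.strptime(fields[5].strip(), "%a %b %d %H:%M:%S %Y"),
                "subject": None,
                "texts": [],
                "return": None,
            }
        elif current is None:
            continue  # token outside any record; ignore it
        elif kind in ("subject", "subject_ex"):
            current["subject"] = {
                "audit_user": fields[1], "euid": fields[2], "egid": fields[3],
                "ruid": fields[4], "rgid": fields[5], "pid": int(fields[6]),
            }
        elif kind == "text":
            # text payloads may themselves contain commas, so re-join them
            current["texts"].append(",".join(fields[1:]))
        elif kind == "return":
            current["return"] = fields[1]
        elif kind == "trailer":
            # the trailer repeats the header's record size; keep the result
            current["consistent"] = int(fields[1]) == current["size"]
            records.append(current)
            current = None
    return records


def login_events(records: List[Dict]) -> List[Dict]:
    """Records whose event name mentions a login, e.g. AUE_lw_login."""
    return [r for r in records if "login" in r["event"].lower()]


def failed(records: List[Dict]) -> List[Dict]:
    """Records whose return status is anything other than success."""
    return [r for r in records if r["return"] != "success"]


def summarize(r: Dict) -> str:
    who = r["subject"]["audit_user"] if r["subject"] else "?"
    return "%s %-16s user=%-6s %s" % (r["time"].isoformat(), r["event"], who, r["return"])


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE_PRAUDIT)
    for r in recs:
        print(summarize(r))
    print("logins:", [summarize(r) for r in login_events(recs)])
    print("failures:", len(failed(recs)))
```

The audit user field of the subject token (admin in the AUE_lw_login record) is the identity that stays attached to a session even after the effective uid changes to root, which is what makes it the right field to key reviews on.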

auditreduce:
With the auditreduce command you can select the records that match given criteria from a specified audit trail file and output them in the original binary format, producing a reduced trail file; praudit can then be used to convert that output into text.

auditpipe:
Audit events can also be read in real time from the /dev/auditpipe device, which is provided by the auditpipe driver and delivers a copy of each audit event, the same output as the trail. However, compared with auditd writing to a file it is not reliable and may drop some event records.

Audit Explorer:

For now, the more intuitive software for browsing trail files is Audit Explorer, which can be bought from the Mac App Store.

Postscript:

The audit system consumes a small, negligible amount of system resources. However, if you do not need to audit your system, you can completely disable it with the following steps:

  • Edit the flags entry in /etc/security/audit_control as follows:
    flags:no,no
  • Then run:

    sudo audit -t
    sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.auditd.plist
    sudo rm /var/audit/*

