information systems events
Vicente Aceituno Canal
FIST Conference September/Madrid 2007
Sponsored by:
Events Logging Markup Language
Index
Log Management
Standards
Information System Model
XML Markup
Vocabulary
What gets logged
A Record contains a series of events.
Startup, restart, abnormal termination.
Physical and logical thresholds being exceeded.
Access attempts to resources.
Network connections.
Privilege and access rights changes.
Configuration changes.
Log Management
Logs are generated everywhere.
Logs have very different formats.
There are hundreds of logs APIs.
There are many logs transports.
Logs are a trail and a measure.
Log collection, correlation, aggregation.
Standards
CEE (MITRE initiative in the making)
CEF (ArcSight)
Extended Log File Format (W3C)
ELML – Events Logging Markup Language (ISM3 Consortium)
WebTrends Enhanced Log file Format.
WSDM Event Format (OASIS)
XDAS – Distributed Audit Service (The Open Group)
RFC3164 – syslog (IETF)
Information System Model (UNIX)
Processes
Files
Information System Model (ELML)
Interfaces
Repositories
Services
Channels
Messages
Sessions
Information System Model (ELML)
Interface
Web-based interface
System call
Monitor, keyboard and mouse
Connector
Keyboard
Printer
Scanner
Data acquisition board
DB9
RJ-45
Information System Model (ELML)
Repository
Payroll Database
Database Replica
File system
Directory
File
Hard drive
Cluster
CD
DVD
RAM
Registers
Information System Model (ELML)
Service
Bank Account
SOAP API Interface
Ethernet Port
Application
System process
Threads
Running instruction
Information System Model (ELML)
Channel
Phone call
HTTPS
TCP connection
SFTP connection
Frame relay PVC
Optic fiber
Ethernet cable
IDE cable
Information System Model (ELML)
Message
Transfer from another account
SOAP Call
TCP packet
IP Packet
Ethernet Packet
802.11g Packet
Information System Model (ELML)
Session
Work session between user and application
Session between processes
TCP Transmission session
Frame transmission session
su (nested session)
Software agent session
WAP2 session
etc…
XML Markup
Diagram: Agent, Subject, Logger
XML Markup
Every event can have an eventID.
If the event is not logged by the agent of the event, the logger can be identified using a loggerID.
The agent of the event can be identified using a sourceID.
The agent of the event can be at different locations, identified using an addressID.
The credential used by the source to perform a request can be identified using a credentialID.
The resource (subject) of the event is identified using a resourceID.
XML Markup
The request (access attempt) performed has a RequestType and a Result. The reason for the Result is stated in the ResultText.
The payload contains the information necessary to perform the request.
dateTime is the date and time when the request is performed.
signature is the digital signature of the event using the credentialID.
hash is the digital summary of the event. It is recommended that the hash of the previous event in the Record is used to calculate it.
XML Vocabulary
Component   Initiate  Finalize    Freeze     Unfreeze  Query State  Change State
Credential  create    delete      block      unblock   read         write
Session     login     logout      suspend    resume    read         write
Message     send      listen      retain     forward   read         write
Repository  create    delete      block      unblock   read         write
Interface   connect   disconnect  interrupt  continue  read         write
Channel     open      close       hold       release   read         write
Service     start     stop        pause      resume    read         write
Result values: Success, Failure, Error, Source error
Example - ProFTPd
Connection closed: May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed.
Login successful: May 21 20:22:28 slacker proftpd[25556] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test: Login successful.
Login failed: May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test (Login failed): Incorrect password.
Invalid user login attempt: May 21 20:21:21 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): no such user 'dcid-inv'
May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21
Example - ProFTPd
Connection closed (native): May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed.
Connection closed (ELMLized):
<sourceID>proftpd.lab.ossec.net</sourceID>
<addressID>192.168.20.10</addressID>
<loggerID>slacker proftpd[25530]</loggerID>
<Result>success</Result>
<ResultText>FTP session closed. </ResultText>
<dateTime>21/5/2007 20:22:14</dateTime>
Example - ProFTPd
Invalid user login attempt (native): May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21
Invalid user login attempt (ELMLized):
<sourceID>proftpd.lab.ossec.net</sourceID>
<addressID>190.48.150.156</addressID>
<credentialID>abad</credentialID>
<loggerID>proftpd.lab.ossec.net:21:slacker proftpd[31806]</loggerID>
<RequestType>login</RequestType>
<Result>failure</Result>
<ResultText>no such user found</ResultText>
<dateTime>21/5/2007 20:21:21</dateTime>
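As an added example (not from the slides or the ELML download), a Python converter that maps the ProFTPd lines above to the ELML elements shown and chains each event's hash to the previous one as the XML Markup slide recommends, so a tampered or dropped event is detectable. It assumes 2007 for the year syslog omits and uses the vocabulary's Session/Finalize term "logout" for a closed session, which the slide's own example leaves out; the regexes and function names are mine.

```python
import hashlib
import re
from datetime import datetime
from xml.sax.saxutils import escape
SAMPLE_LINES = [  # constructed input, shaped like the ProFTPd lines on the slides
    "May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed.",
    "May 21 20:22:28 slacker proftpd[25556] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test: Login successful.",
    "May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test (Login failed): Incorrect password.",
    "May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21",
]
FIELDS = ("sourceID", "addressID", "credentialID", "loggerID", "RequestType",
          "Result", "ResultText", "dateTime", "hash")  # element order as on the slides
LINE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<logger>\S+ proftpd\[\d+\]) "
                  r"(?P<source>\S+) \((?P<addr>[\d.]+)\[[\d.]+\]\): (?P<msg>.*)$")
USER = re.compile(r"^USER (?P<cred>\S+?)(?: \(Login failed\))?: (?P<text>.*)$")

def elmlize(line, year=2007):
    """Map one ProFTPd syslog line to ELML fields; syslog carries no year, so it is supplied."""
    if not (m := LINE.match(line)):
        return None
    dt = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S")
    ev = {"sourceID": m["source"], "addressID": m["addr"], "loggerID": m["logger"],
          "dateTime": f"{dt.day}/{dt.month}/{dt.year} {dt:%H:%M:%S}"}
    if u := USER.match(m["msg"]):  # login attempt: the claimed user name is the credential
        ev.update(credentialID=u["cred"], RequestType="login",
                  Result="success" if u["text"].startswith("Login successful") else "failure",
                  ResultText=re.sub(r" from .*$", "", u["text"]))  # host detail already sits in the IDs
    elif m["msg"].startswith("FTP session closed"):  # Session/Finalize, i.e. "logout" (assumption)
        ev.update(RequestType="logout", Result="success", ResultText=m["msg"])
    return ev if "Result" in ev else None  # unrecognised message: do not guess a Result

def to_xml(ev):
    return "".join(f"<{f}>{escape(ev[f])}</{f}>" for f in FIELDS if f in ev)

def chain_hash(prev_hash, ev):  # SHA-256 over the previous event's hash plus this event's other elements
    return hashlib.sha256((prev_hash + to_xml({k: v for k, v in ev.items() if k != "hash"})).encode()).hexdigest()

def build_record(lines, year=2007):
    record, prev = [], ""
    for ev in filter(None, (elmlize(ln, year) for ln in lines)):
        ev["hash"] = prev = chain_hash(prev, ev)
        record.append(ev)
    return record

def verify_record(record):  # False once an edited, reordered or dropped event breaks the chain
    prev, ok = "", True
    for ev in record:
        ok = ok and ev["hash"] == chain_hash(prev, ev)
        prev = ev["hash"]
    return ok
```

Run build_record(SAMPLE_LINES) and print to_xml() of each event to see the ELMLized form; verify_record() on the result returns True, and False after any event is altered or removed.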
Example - ProFTPd
Exercise:
Dec 12 00:00:00 machinename su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???
Dec 12 00:23:28 machinename su: [ID 366847 auth.info] 'su oracle' failed for root on /dev/???
Dec 12 00:00:02 machinename sendmail[20512]: [ID 801593 mail.info] kBC502520512: from=root, size=301, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Dec 12 00:00:03 machinename sendmail[20514]: [ID 801593 mail.info] kBC502520512: to=root, ctladdr=root (0/1), delay=00:00:01, xdelay=00:00:01, mailer=local, pri=120301, relay=local, dsn=2.0.0, stat=Sent
Dec 12 00:10:55 machinename sshd[21698]: [ID 800047 auth.info] User blablabla not allowed because account is locked
Dec 12 00:10:55 machinename sshd[21698]: [ID 800047 auth.info] Failed none for invalid user blablabla from 192.168.0.1 port 40410 ssh2
Dec 12 00:10:55 machinename sshd[21698]: [ID 800047 auth.info] Failed password for invalid user blablabla from 192.168.0.1 port 40410 ssh2
Dec 12 09:33:48 machinename sshd[18195]: [ID 800047 auth.info] Failed keyboard-interactive for blablabla from 192.168.0.1 port 1530 ssh2
Dec 12 23:59:54 machinename sshd[24191]: [ID 800047 auth.info] User blablabla not allowed because account is locked
Dec 12 09:33:25 machinename sshd[18094]: [ID 800047 auth.info] User blablabla password has expired (root forced)
Dec 12 01:30:04 machinename sshd[11819]: [ID 800047 auth.info] Accepted publickey for blablabla from 192.168.0.1 port 4527 ssh2
Dec 12 01:30:04 machinename sshd[11821]: [ID 800047 auth.info] subsystem request for sftp
Dec 12 01:30:06 machinename sshd[15907]: [ID 800047 auth.info] Postponed publickey for blablabla from 192.168.0.1 port 4528 ssh2
Dec 12 08:00:03 machinename sshd[3399]: [ID 800047 auth.info] Authentication tried for root with correct key but not from a permitted host (host=hostname, ip=10.11.10.8).
Dec 12 02:23:45 machinename named-xfer[9924]: [ID 140103 daemon.info] send AXFR query 0 to 192.168.0.1
Dec 12 03:13:10 machinename named-xfer[368]: [ID 140103 daemon.info] send AXFR query 0 to 192.168.0.1
Dec 12 03:13:10 machinename named[311]: [ID 295310 local2.warning] default: warning: owner name "name.domain.com" IN (secondary) is invalid - proceeding anyway
Dec 12 07:27:49 machinename limdaemon: [ID 701944 user.notice] login by blablabla (pid=24835,cost=1)
Dec 12 07:27:52 machinename limdaemon: [ID 709948 user.notice] logout by blablabla (pid=24835)
Dec 12 08:43:50 machinename login: [ID 507249 auth.notice] Login failure on /dev/pts/7 from name.domain.com, blablabla
What is ELML good for?
Don’t design log syntax ever again.
Use a common format, requesttype and result vocabulary.
Make it easier for everyone to correlate and integrate logs.
Download ELML from www.ism3.com
Information Security that makes Business Sense
inovement.es/oism3 Web www.inovement.es
Video Blog youtube.com/user/vaceituno
Blog ism3.com
Twitter twitter.com/vaceituno
Presentations slideshare.net/vaceituno/presentations
Articles slideshare.net/vaceituno/documents
with the sponsorship of:
www.fistconference.org
THANKS