Audit Firewall Events

Project Description

This project is part of the TrustedBSD project and aims to provide auditing support for security-related events generated by the various firewall implementations on FreeBSD, such as IPFW, PF and IPFILTER. You might want to check the project's Perforce Repository.

About me

My name is DiegoGiagio and I'm being mentored by ChristianPeron. You can also check my blog at http://blogs.freebsdish.org/diego.

Milestones

Description                                                      | % completed
-----------------------------------------------------------------+----------------
Define administrative audit records structure                    | 100%
Define packet audit records structure                            | 100%
Make audit API generic and less syscall oriented                 | 100%
Add audit support for administrative firewall events - IPFW      | 100%
Add audit support for packet firewall events - IPFW              | 100%
Add 'audit' keyword to firewall rules - IPFW                     | 100%
Teach OpenBSM library and utilities about socket_ex token        | 100%
Add audit support for administrative firewall events - PF        | 100%
Add audit support for administrative firewall events - IPFILTER  | 100%
Add audit support for packet firewall events - PF                | 100%
Add audit support for packet firewall events - IPFILTER          | 100%
Add 'audit' keyword to firewall rules - PF                       | not started yet
Add 'audit' keyword to firewall rules - IPFILTER                 | not started yet

How to use

  1. Check out the diego_audit branch from perforce.FreeBSD.org
  2. Build the kernel from the branch with the AUDIT option enabled
  3. Build and install OpenBSM from the branch
  4. Enable 'fl' events in /etc/security/audit_control
  5. Enable the auditd daemon by adding auditd_enable="YES" to /etc/rc.conf
  6. Reboot, or restart /etc/rc.d/auditd manually.

After rebooting into the new kernel, every administrative firewall action (such as adding or removing rules) generates audit records in your audit trail, which is kept in /var/audit by default. In addition, every connection that passes through a rule carrying the 'audit' keyword generates flow audit records. Currently only ipfw is supported.
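Step 4 above depends on how OpenBSM preselects events: each event belongs to an audit class, and a record is written only when the class mask intersects the mask selected by the flags (and, for events without an attributable subject, naflags) lines of audit_control(5). The Python below is an added example, not the project's code: it models that selection for the project's 'fl' events using the event IDs, names and the 0x00002000 mask listed on this page. The audit_control flag syntax ('+' success only, '-' failure only, '^' remove from the selection) and the intersection rule are assumptions stated in the comments; which of flags or naflags governs the subject-less flow records is also an assumption, so the check reports both lines.

```python
# Added example (not project code): model how OpenBSM preselects the project's
# 'fl' firewall events from the flags/naflags lines of audit_control(5).
# Assumptions: audit_control flag syntax (prefix '+' = success only, '-' = failure
# only, '^' = remove the class from the selection) and the rule that an event is
# recorded when its class mask intersects the selected mask. Event IDs, names and
# the fl mask are the page's values; lo and ex masks are stock OpenBSM values.

AUDIT_CLASSES = {      # class name -> bit mask, as in /etc/security/audit_class
    "lo": 0x00001000,  # login_logout (stock OpenBSM value)
    "fl": 0x00002000,  # firewall events (mask from the project page)
    "ex": 0x40000000,  # exec (stock OpenBSM value)
}

FL_EVENTS = {          # event id -> name, from the project page
    43153: "AUE_PFIL_ENABLE",
    43154: "AUE_PFIL_DISABLE",
    43155: "AUE_PFIL_POLICY_ADDRULE",
    43156: "AUE_PFIL_POLICY_DELRULE",
    43157: "AUE_PFIL_POLICY_FLUSH",
    43158: "AUE_PFIL_POLICY_ADDTABLE",
    43159: "AUE_PFIL_POLICY_DELTABLE",
    43160: "AUE_PFIL_POLICY_FLUSHTABLE",
    43161: "AUE_PFIL_FLOW_BEGIN",
    43162: "AUE_PFIL_FLOW_END",
}
# Every project event is in class fl, so each one carries the fl mask.
EVENT_CLASS = {eid: AUDIT_CLASSES["fl"] for eid in FL_EVENTS}


def parse_flags(spec):
    """Turn one flags/naflags value (e.g. 'lo,+fl,^-ex') into (success_mask, failure_mask)."""
    success = failure = 0
    for item in (p.strip() for p in spec.split(",")):
        if not item:
            continue
        negate = item.startswith("^")
        if negate:
            item = item[1:]
        want_success = want_failure = True
        if item[:1] == "+":          # successes only
            want_failure, item = False, item[1:]
        elif item[:1] == "-":        # failures only
            want_success, item = False, item[1:]
        mask = AUDIT_CLASSES[item]   # unknown class names are rejected (KeyError)
        if negate:
            if want_success:
                success &= ~mask
            if want_failure:
                failure &= ~mask
        else:
            if want_success:
                success |= mask
            if want_failure:
                failure |= mask
    return success, failure


def preselected(event_id, succeeded, success_mask, failure_mask):
    """True when a record for event_id with the given outcome would be written."""
    chosen = success_mask if succeeded else failure_mask
    return bool(EVENT_CLASS.get(event_id, 0) & chosen)


def parse_audit_control(text):
    """Parse audit_control(5) 'key:value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def lines_missing_fl(text):
    """Selection lines (flags, naflags) that never select class fl for either outcome.

    The page shows the flow records with no subject token ('n/a'), so they look
    non-attributable; whether the kernel preselects them through naflags rather
    than flags is an assumption here, which is why both lines are checked.
    """
    conf = parse_audit_control(text)
    missing = []
    for key in ("flags", "naflags"):
        success, failure = parse_flags(conf.get(key, ""))
        if not (success | failure) & AUDIT_CLASSES["fl"]:
            missing.append(key)
    return missing


# Constructed audit_control with fl enabled only on the attributable line.
SAMPLE_AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,fl
minfree:5
naflags:lo
policy:cnt,argv
filesz:2M
"""

if __name__ == "__main__":
    s, f = parse_flags(parse_audit_control(SAMPLE_AUDIT_CONTROL)["flags"])
    for eid, name in FL_EVENTS.items():
        print(f"{eid} {name:28} success={preselected(eid, True, s, f)} failure={preselected(eid, False, s, f)}")
    print("selection lines without fl:", lines_missing_fl(SAMPLE_AUDIT_CONTROL))
```

Run against the constructed file, the check reports that naflags does not select fl; if the flow records turn out to be preselected as non-attributable events, that is the line that would silently drop them while the administrative records still appear.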


Audit Records

Audit records are generated after the occurrence of a security-related firewall event. There are two types of events:

Administrative Event Records

These are records generated after executing firewall administrative actions. When auditing is enabled, this type of record is always generated. This is not true for Network Event records, which are only generated by firewall rules that user-land utilities have marked with "audit".

Enable Firewall Subsystem

Event Name       | Event ID | Event class | Mask
-----------------+----------+-------------+-----------
AUE_PFIL_ENABLE  | 43153    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw" | "pf" | "ipfilter")
  subject-token
  return-token

Disable Firewall Subsystem

Event Name        | Event ID | Event class | Mask
------------------+----------+-------------+-----------
AUE_PFIL_DISABLE  | 43154    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw" | "pf" | "ipfilter")
  subject-token
  return-token

Add Firewall Rule

Event Name               | Event ID | Event class | Mask
-------------------------+----------+-------------+-----------
AUE_PFIL_POLICY_ADDRULE  | 43155    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw: set=10, rule=00100")
  subject-token
  return-token

Del Firewall Rule

Event Name               | Event ID | Event class | Mask
-------------------------+----------+-------------+-----------
AUE_PFIL_POLICY_DELRULE  | 43156    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw: set=10, rule=00100")
  subject-token
  return-token

Flush Firewall Rules

Event Name             | Event ID | Event class | Mask
-----------------------+----------+-------------+-----------
AUE_PFIL_POLICY_FLUSH  | 43157    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw: all")
  subject-token
  return-token

Add Firewall Table Entry

Event Name                | Event ID | Event class | Mask
--------------------------+----------+-------------+-----------
AUE_PFIL_POLICY_ADDTABLE  | 43158    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw: table=1")
  subject-token
  return-token

Del Firewall Table Entry

Event Name                | Event ID | Event class | Mask
--------------------------+----------+-------------+-----------
AUE_PFIL_POLICY_DELTABLE  | 43159    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw: table=1")
  subject-token
  return-token

Flush Firewall Table

Event Name                  | Event ID | Event class | Mask
----------------------------+----------+-------------+-----------
AUE_PFIL_POLICY_FLUSHTABLE  | 43160    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw: table=1")
  subject-token
  return-token

Network Event Records

These are records generated by the firewall implementation after the occurrence of a security-related network event. Only firewall rules marked with "audit" generate these records.

Stateful Connection Begin

Event Name           | Event ID | Event class | Mask
---------------------+----------+-------------+-----------
AUE_PFIL_FLOW_BEGIN  | 43161    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw" | "pf" | "ipfilter")
  socket-token    [TCP:63000:127.0.0.1:22:192.168.0.1]
  subject-token   n/a
  return-token

Stateful Connection End

Event Name         | Event ID | Event class | Mask
-------------------+----------+-------------+-----------
AUE_PFIL_FLOW_END  | 43162    | fl          | 0x00002000

Format:
  header-token
  text-token      ("ipfw: packets=388, octets=128955")
  socket-token    [TCP:63000:127.0.0.1:22:192.168.0.1]
  subject-token   n/a
  return-token
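The record formats above are what a consumer of the trail has to parse: the text token carries the firewall name plus "key=value" counters or a rule reference, the socket token carries the flow's endpoints, and the flow records have no subject token. The Python below is an added example, not the project's OpenBSM tooling: it parses those payloads and runs two small defensive checks over them (policy-weakening administrative actions per subject, with failed attempts included since the return token records the outcome, and ended flows above a byte threshold). The input is a constructed, simplified "type,payload" rendering of a trail; real praudit(1) output prints more fields per token, so that rendering is an assumption. The page does not state which endpoint in the socket token is local, so the parser keeps them in order as ep1 and ep2.

```python
import re
from collections import Counter

# Added example (not project code): parse the token formats the page documents
# and run two simple detections over them. The input rendering below is a
# constructed, simplified "type,payload" form of a praudit(1) trail; real
# praudit output carries more fields per token (an assumption of this example).
SAMPLE_TRAIL = """\
header,AUE_PFIL_ENABLE
text,ipfw
subject,root
return,success
header,AUE_PFIL_POLICY_ADDRULE
text,ipfw: set=10, rule=00100
subject,root
return,success
header,AUE_PFIL_FLOW_BEGIN
text,ipfw
socket,[TCP:63000:127.0.0.1:22:192.168.0.1]
return,success
header,AUE_PFIL_FLOW_END
text,ipfw: packets=388, octets=128955
socket,[TCP:63000:127.0.0.1:22:192.168.0.1]
return,success
header,AUE_PFIL_POLICY_FLUSH
text,ipfw: all
subject,operator
return,failure
"""

# text-token payloads: a firewall name, optionally followed by ": k=v, k=v" or ": all"
TEXT_RE = re.compile(r"^(ipfw|pf|ipfilter)(?::\s*(.*))?$")
# socket token as shown on the page: [proto:port:addr:port:addr]
SOCKET_RE = re.compile(r"^\[(\w+):(\d+):([^:\]]+):(\d+):([^:\]]+)\]$")


def parse_text_token(payload):
    m = TEXT_RE.match(payload)
    if not m:
        raise ValueError(f"unrecognised text token: {payload!r}")
    fields = {"firewall": m.group(1)}
    for part in filter(None, (p.strip() for p in (m.group(2) or "").split(","))):
        key, sep, value = part.partition("=")
        # numeric values (set, rule, packets, octets) become ints; a bare word like "all" is a flag
        fields[key] = (int(value) if value.isdigit() else value) if sep else True
    return fields


def parse_socket_token(payload):
    m = SOCKET_RE.match(payload)
    if not m:
        raise ValueError(f"unrecognised socket token: {payload!r}")
    proto, port1, addr1, port2, addr2 = m.groups()
    # The page does not say which endpoint is local, so both are kept in order.
    return {"proto": proto, "ep1": (addr1, int(port1)), "ep2": (addr2, int(port2))}


def parse_trail(text):
    """Group token lines into records; each record starts at a header token."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        ttype, _, payload = line.partition(",")
        if ttype == "header":
            current = {"event": payload, "subject": None}  # stays None for flow records (subject n/a)
            records.append(current)
        elif current is None:
            raise ValueError("token before first header")
        elif ttype == "text":
            current.update(parse_text_token(payload))
        elif ttype == "socket":
            current["socket"] = parse_socket_token(payload)
        elif ttype == "subject":
            current["subject"] = payload
        elif ttype == "return":
            current["success"] = payload == "success"
    return records


# Administrative events that remove rules or switch filtering off.
POLICY_WEAKENING = {"AUE_PFIL_DISABLE", "AUE_PFIL_POLICY_DELRULE",
                    "AUE_PFIL_POLICY_FLUSH", "AUE_PFIL_POLICY_FLUSHTABLE"}


def policy_weakening_by_subject(records):
    """Count policy-weakening actions per subject, failed attempts included."""
    return Counter(r["subject"] for r in records if r["event"] in POLICY_WEAKENING)


def ended_flows_over(records, octets):
    """FLOW_END records whose octet counter (from the text token) exceeds the threshold."""
    return [r for r in records if r["event"] == "AUE_PFIL_FLOW_END" and r.get("octets", 0) > octets]


if __name__ == "__main__":
    recs = parse_trail(SAMPLE_TRAIL)
    print("policy-weakening actions:", dict(policy_weakening_by_subject(recs)))
    for r in ended_flows_over(recs, 100_000):
        print("large flow:", r["socket"], r["octets"], "octets")
```

Because the flow records carry no subject, any attribution of network events has to come from the rule that matched (the 'audit' keyword) and the socket token, not from a user; the administrative records are the ones that tie a change to a subject and an outcome.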

DiegoGiagio/Audit_Firewall_Events_from_Kernel (last edited 2013-08-18T15:25:32+0000 by DiegoGiagio)