Distributed Audit / Log Shipping Daemon
The shipping daemon delivers the audit trails generated on each host over the network to a master system, which administers the trails so that auditing is centralized, easier to administer and practical. The administrator has all the trails on one system and can do the security auditing there (perhaps a dedicated system kept only for auditing). Mechanisms such as SHA256 checksums and cryptographic features will be implemented to guarantee the integrity of the delivery system.
Work by Sergio Ligregni with the mentoring of Stacey Son
Small timeline
- May 24th - Jun 6th
Code the shipd daemon and modify auditd to call it when a trail is finalized.
- Jun 7th - Jun 27th
Code the features of the shipd daemon that communicate with the master system, and code the master daemon that receives the files. In this phase, the SHA256 checksum will be implemented (as well as file listing comparison).
- Jun 28th - Jul 4th
Do the master work, that is, receive the files and perform the appropriate pathing and naming (to prevent duplicates when errors occur).
- Jul 5th - Jul 16th
Perform the mid-term prep testing.
- Jul 17th - Jul 31st
Implement SSL in the network communication
- Aug 1st - Aug 8th
Perform the final testing.
- Aug 9th - Aug 16th
Document the tool.
Status
The project is now finished; it includes:
The shipd daemon is working and has been tested in a small network. This daemon:
- performs a sync based on any of the three "panic levels"
- when the panic level is 2, synchronizes only the latest trails
- when the panic level is 3, checks all trails
- connects to the damasterd daemon, asks whether each trail is present on the master, and sends those that are missing
The damasterd daemon is working and has been tested in a small network. This daemon:
- checks whether the trails are present on the master
- according to its parameters, either searches for/creates trails under the slave's root directory or creates one directory per host
- if the SHA256 checksum of a trail does not match, assumes there is no such trail, so the shipd daemon will send it again
- names the trails as follows, for example:
  - 20100712024237.20100712024244.ligPhenom.20100712025309
  - <trail_init>.<trail_end>.<host>.<date/time received>
* SSL encryption
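The sync decision described above (master reports a trail as present only when a stored copy with matching SHA256 exists, otherwise shipd resends), plus the master-side naming convention, as an added example that is not the project's own code. The trail contents, hostnames and timestamps are constructed for the example, and "latest trails" for panic level 2 is assumed to mean the newest trail by trail_init.

```python
import hashlib

# Constructed sample data (not real audit trails).
HOST = "ligPhenom"
# Local trail name (<trail_init>.<trail_end>) -> trail contents on the slave.
LOCAL_TRAILS = {
    "20100712024237.20100712024244": b"header,...,record A\n",
    "20100712030001.20100712030120": b"header,...,record B\n",
    "20100712031500.20100712031655": b"header,...,record C\n",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# What damasterd already holds under the slave's directory: stored name -> SHA256.
# The second entry is a damaged copy: same name, different contents.
MASTER_STORE = {
    "20100712024237.20100712024244.ligPhenom.20100712025309":
        sha256_hex(LOCAL_TRAILS["20100712024237.20100712024244"]),
    "20100712030001.20100712030120.ligPhenom.20100712030230":
        sha256_hex(b"header,...,record B (truncated in transit)"),
}

def master_store_name(local_name, host, received):
    """Master-side name: <trail_init>.<trail_end>.<host>.<date/time received>."""
    return f"{local_name}.{host}.{received}"

def parse_master_name(name):
    """Split a master-side name into (trail_init, trail_end, host, received)."""
    init, end, host, received = name.split(".")
    return init, end, host, received

def master_has_trail(store, host, local_name, checksum):
    """damasterd's answer to 'do you have this trail?': yes only if a copy for
    this host with the same init/end exists AND its SHA256 equals the slave's.
    A checksum mismatch counts as 'no such trail', which makes shipd resend."""
    init, end = local_name.split(".")
    for stored_name, stored_sum in store.items():
        s_init, s_end, s_host, _received = parse_master_name(stored_name)
        if (s_init, s_end, s_host) == (init, end, host) and stored_sum == checksum:
            return True
    return False

def trails_to_send(store, host, local_trails, latest_only=False):
    """shipd's sync pass: panic level 3 checks every local trail, panic level 2
    (latest_only) checks only the newest one. Returns the trails to ship."""
    names = sorted(local_trails)
    if latest_only:
        names = names[-1:]
    return [n for n in names
            if not master_has_trail(store, host, n, sha256_hex(local_trails[n]))]
```

With the sample data, a full sync (panic level 3) ships the damaged trail and the never-sent one, while a level-2 sync ships only the newest trail.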
TO_DO:
- integrate with the current audit framework (using audit_warn or modifying auditd)
- implement SSL in the network communication
- define the location of the parameters (maybe audit_control or maybe another config file) and tidy up the naming and comments
- write the documentation (the file ideas.txt already has a lot of documentation about the parameters)