RFC- Enforcing Computer Policy
Justin Lister (ruf@osiris.cs.uow.edu.au)
Sat, 13 Aug 1994 04:36:42 +1000 (EST)
Ok now that the number of subscriptions has started to slow down, it
is a good time to start some discussions. After all this is what the
list was created for.
The following will be more or less general ramblings, I am interested
in hearing any further comments.
1. Currently the direction of intrusion detection systems (both
network and computer system detectors) are involved with essentially 2
main thrusts.
i) Encoding supposedly "known" intrusion patterns into knowledge bases
then essentially monitoring the system audit trail for sequences that
resemble the intrusive patterns.
ii) Developing profiles of system subjects or "entities" that describe
"normal" behavior patterns, then attempting to identify deviations
from the established patterns.
We have seen the use of bayesian based statistical profiling, I was
wondering if anyone had considered any of the other mainstream
uncertainty theories, such as Dempster-Shafer Theory (DST),
Fuzzy-Logic (I think there has been some research into this area), and
EMycin/Mycin theory. From my understanding Bayesian based inference is
the most mathematically well founded of the above theories but at the
same time it is also supposedly more difficult in terms of
computational resources and algorithmic complexity.
2. Enforcing Computer System Policy.
Due to the size of systems currently being administered (in some cases
10,000+ users), it beings to become a difficult task to ensure correct
access controls for all users. From my perspective on system
administration , not that I am system administrator in any sense, but
I do have limited unix installation (from which I get to play with -
Linux) and do use Solaris1.1 and 2.3 (as a user). (This is where I
would particularly like to hear from the system administrators). Now
the current release of Solaris comes with a admintool, essentially a
set of tools that is supposed to make the task of administrating large
networks alot easier, through the use of Database Manager (NIS+),
Printer Manager, Host Manager and User Account Manager.
These tools, are essentially to ease the task of maintaining or
setting up services on the system, not actual tools to assist in
security of the system per se, through increased authentication in
NIS+ and incorporation of Kerberos (Secure RPC). Now while these tools
and increased security features may provide for a more secure
environment, there still seems to be alot lacking in the control over
services and monitoring of system usage. Most auditing facilities are
still very verbose text based.
[ I envisage that a integrated graphical environment, where different
user, service, resource, and intrusion detection components are
incorporated, the administrator can essentially monitor the complete
runnings of the system, query any alerts that appear, control
monitoring processes etc. ]
Now, in our university environment (it probably applies to alot of
situations), it is common to find users are required to sign a
computer usage policy agreement. Essentially the department and/or
administrators decide on what services particular users are and aren't
allow to use (ie. undergrads have different services, quota's etc to
graduates). From my experience here, most services have been provided
for, but due to general abuse of some services such as ftp and irc,
some services are restricted. So now the job of the sysadm has been to
ensure services are only available to those who have legitimate
reasons for use of restricted services. And this is my general point -
while it is generally easy to specify a computer policy on paper, it
has been difficult to enforce (I assume there are some tools out there
to monitor general services, but I think usually each administrator
tends to re-implement solutions, kludges, hacks to monitor services).
Actually, even when on paper, it is quite possible that users may
argue a case that isn't correctly covered in the policy, or users find
ways around the restrictions (via use of services that aren't commonly
known). Not speaking from experience of course. ;)
Now while this isn't necessary intrusion detection, such a component
is probably suited to usage in combination with a intrusion detection
system, or ideally be a component of an integrated system
administrator environment (more on my ideas for universal intrusion
detection system environments later).
So what would be the steps for incorporating a paper based computer
policy into a system enforcing tool ?
Are there any tools that already perform such tasks ? In other
operating systems ?
First lets look briefly at some of the stages of implementing such a system
The Problems:
- Many administrators have in excess of 1000+ users, becomes difficult
to ensure correct access controls - granularity. (not to mention
problems with default settings)
- Difficult to control/monitor system services.
- Enforcing restrictions difficult, users usually find ways around
restrictions.
- Every system administrator tends to re-develop own methods, usually
some kind of service/program wrapper.
Now many users have well defined domain in which they are expected to
work, so it should be possible to specify a policy for
users/groups/services/resource usage.
What is a policy ?
Policy is usually in the form of a paper document that specifies in
some detail what is accepted usage of the computer facilities. Often,
it is difficult to specify detailed requirements for users. In turn, a
user can't be expected to memorize every possible restriction (and may
be difficult to specify every individual restriction), so one would
hope that users could rely on the system to indicate when they are
attempting actions that are in violation to policy and warn them
(essentially stopping there actions).
How would we formalize a policy ?
How to the computer managers, department staff and system
administrators specify what is allowed and what isn't when they maybe
unsure of exactly what services, applications, and resources are
available on the system. So there needs to be some process of
identifying these services on the system. Once the possible services
are known the policy a policy has to be resolved for the individual
users/groups.
NOTE: it may also be useful in specifying restrictions on a
service/resource basis than establishing for each individual user. ie.
easier to tell a file transfer service to restrict all and allow
certain users/groups than to specify for each user/group whether they
have access to the service)
Some of this may sound like just setting access controls, the idea
here, is to maintain complete controls over all resources associated
to such a service. In in alot of cases maintaining the uid/gid would
be too cumbersome.
Now there only remains some implementation issues (which I will not go
into here) but they are:
How do we represent the computer policy in the computer system ?
How do we detect policy violations ?
I came up with the following steps:
1. Identification Process - use of a system scanner that attempts to
identify services,applications etc on the system. Using signature
files and file identification functions, the system scanner attempts
to scan the system and identify each particular file and associate it,
also configuration files may be specified to determine the state of
the system (in much the same idea of using COPS to identify security
problems, essentially we trying to determine the configuration of the
system). Any unidentified objects may rely on the administrator for
identification.
2. Formalization Process - takes all the system objects and groups
related objects (ie. Applications - compilers, editors etc ; Services,
Users/Groups). and builds an output form.
3. Policy Specification - using the form that identifies sets of
services etc the desired settings can be agreed upon, ie. settings as
to how services should be configured, which user/groups have access to
which services, resources etc.
4. Specification Tool - system administrator then enters into system
the policy requirements, using a graphical tool to insert required
system settings for each system resource. Such settings maybe stored
in a rule-based system, or database etc.
5. Verfication - Now the system can use such a specification database
to verify, services to users. It would be possible to integrate
authentication via usage of kerberos or similar schemes. Also each
individual action by the user has to be classified, to the type of
service, application etc. Essentially a type of program registration.
Each service would be required to be registered (which would be
performed by the identification process). When a user then access a
service - through some signature action (maybe using a particular
system call, or just some program execution etc). The service will be
identified and the user verified for access restrictions.
An example scenario:
Ftp is a restricted service (typically there would be a wrapper, or the
application may verify whether the user has access to such a program or
general access controls on the program), so in a typical situation an
administrator may modify the ftp binary, sys logging all access to ftp
as well as checking the uid. So how does this deter a user that has
their own copy of ftp. In our system the ftp binary may be registered
to a signature action, which would then discriminate from the users own
copy. Once the signature for ftp is identified the user requesting the
service can be verified.
So what do you think about such a system, I think it would be valuable
addition to intrusion detection techniques. Such a component is more an
intermediary step towards intrusion detection, and might be more useful
to some than a full-blown intrusion detection system.
I would appreciated any comments, additions to such a proposal ?
Would the system administrators here like to give some examples of what
they would like see in terms of additional system administration tools ?
--
+---------------------+--------------------------------------------------+
| ____ ___ | Justin Lister ruf@cs.uow.edu.au |
| | \\ /\ __\ | Center for Computer Security Research |
| | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-214-330 |
| | _ \\ /| _/ | University of Wollongong fax: 61-42-214-329 |
| |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream... |
| | LiNuX - the only justification for using iNTeL |
+---------------------+--------------------------------------------------+