Event Description LAF audit events | IBM 10 SP1 EAL4 specification

Event Description	LAF audit events
Startup and shutdown of audit functions	DAEMON_START, DAEMON_END are generated by
	auditd
Modification of audit configuration files	DAEMON_CONFIG, DAEMON_RECONFIG are
	generated by auditd. Syscalls open, link,
	unlink, rename, truncate, write on
	configuration files
Successful and unsuccessful file read/write	Syscall open
Audit storage space exceeds a threshold	space_left_action,
	admin_space_left_action configuration
	parameters for auditd.
Audit storage space failure	disk_full_action, disk_error_action
	configuration parameters for auditd.
Operation on file system objects	Syscalls chmod, chown, setxattr,
	removexattr, link, symlink, mknod, open,
	rename, truncate, unlink, rmdir, mount,
	umount, semtimedop
Operations on message queue	Syscalls msgctl, msgget
Operations on semaphores	Syscalls semget, semctl, semop,
	semtimedop.
Operations on shared memory segments	Syscalls shmget, shmctl
Rejection or acceptance by the TSF of any testedAudit record type: USER_AUTH from PAM
secret.	framework and audit record type:
	USER_CHAUTHTOK from shadow utilities.
Use of identification and authentication	Audit record type: USER_AUTH,
mechanism	USER_CHAUTHTOK from PAM framework.
Success and failure of binding user security	Audit record type: LOGIN from pam_login.so
attributes to a subject (e.g. success and failure to module. Syscalls: fork and clone.
create a subject)
All modification of subject security values	Syscalls chmod, chown, setxattr, msgctl,
	semctl, shmctl, removexattr, truncate
Modifications of the default setting of	Syscalls umask, open
permissive of restrictive rules
Modification of TSF data	Syscalls open, rename, link, unlink,
	truncate, chmod, chown, setxattr,
	removexattr (of audit log files and audit

configuration files), messages from shadow suites, audit record type: USER_CHAUTHTOK.

Modifications to the group of users that are part of a role

Audit messages from trusted programs in the shadow suite, audit record type:

USER_CHAUTHTOK.

145

Image 157

IBM 10 SP1 EAL4 manual Event Description LAF audit events

Contents

Page EJR Table of Contents 2.1 DAC AppArmor Programs with software privilege Permission bits Access Control Lists 100 142 175 207 250 252 269 Document overview Purpose of this documentConventions used in this document Terminology System Overview Suse Linux Enterprise Server Product historyEServer systems High-level product overview Overall structure of the TOE EServer host computer structurePage EServer system structure TOE services Security policy Local and network services provided by Sles TSF interfaces Operation and administration Approach to TSF identification Page Page System x hardware overview System x hardware architecture System System p hardware overview System pSystem p hardware architecture System z hardware overview System z hardware architecture System z EServer 326 hardware overview EServerEServer 326 hardware architecture AMD x86-64 architecture in compatibility mode Page Hardware privilege Hardware and software privilegePrivilege level Levels of Privilege Software privilege AppArmor 2.1 DAC Programs with software privilege TOE Security Functions software structure Kernel TSF software Logical kernel subsystems and their interactions Logical components Base kernel Execution componentsKernel threads Kernel modules and device drivers Non-kernel TSF softwarePage Definition of subsystems for the CC evaluation TSF databases Firmware HardwareKernel subsystems Trusted process subsystems User-level audit subsystem Page File and I/O management Functional descriptions Ext3 and CD-ROM file systems before mounting Virtual File System Ext3 and CD-ROM file systems after mounting Pathname translation VFS pathname translation and access control checks Open Mount WriteShared subtrees 2.1 Ext3 file system Disk-based file systemsExtended Attributes Data structures Page Page Data structures and algorithms ISO 9660 file system for CD-ROM Procfs Pseudo file systemsTmpfs Devpts SysfsRootfs Configfs Discretionary Access Control DACInotify Binfmtmisc Indicates read Permission bits Types of ACL tags Access Control ListsACL qualifier ACL permissions Default ACLs and ACL inheritanceRelationship to file permission bits Aclmask ACL enforcement 7 I/O scheduler Asynchronous I/O Anticipatory I/O scheduler Deadline I/O schedulerCompletely Fair Queuing scheduler Noop I/O scheduler 8 I/O interruptsTop halves Bottom halves Machine check Processor interruptsTasklets Work queue Data structures Process control and managementPage Control of child processes Process creation and destructionDAC controls Kernel threads Process switchSetresuidand setresgid Execve Hyperthreading scheduler Scheduling 14 Hyperthreaded scheduling Kernel preemption Inter-process communication Data structures and algorithms Pipes Fifo creation First-In First-Out Named pipes Fifo open System V IPCCommon data structures Message queues Common functions Semaphores Shared memory regions Sockets SignalsData structures Algorithms 16 Object reuse handling in socket allocation Network subsystem Overview of the network protocol stack 18 How data travels through the Network protocol stack Network layer protocols Transport layer protocols 3.2.2 IPv6 Header Addressing Security Flow LabelsTransition between IPv4 and IPv6 IP Security IPsec AH Header Functional Description of IPsec An IP Packet with tunnel mode AH An IP Packet with tunnel mode ESP Link layer protocols Internet Control Message Protocol Icmp Address Resolution Protocol ARP Network services interface Bind Socket Accept ListenConnect Memory management Access controlGeneric calls Page 24 Previous three-level page-tables architecture Four-Level Page Tables System Memory addressing 26 System x virtual addressing space Segmentation 28 Access control through segmentation Paging 30 Regular paging 32 Access control through paging For more information about call gates, refer to System p 33 Paging data structures 34 Logical partitions Privilege State 36 Determination of processor mode in Lpar Address Translation on LPARs Real mode addressingHypervisor Access to I/O address space Virtual mode addressingDirect Memory Access addressing Preventing denial of service Run-Time Abstraction ServicesSystem p native mode 39 Effective address Machine State Register 41 Block address Segment descriptor DescriptorBlock descriptor Address translation mechanisms 45 Block Address Translation entry Address Translation and access control 47 Block Address Translation access controlPage 48 Page Address Translation and access control Lpar mode Native hardware mode2.4.3 z/VM Guest mode System z Address spaces Address sizesAddress translations 49 System z address types and their translation 51 Address translation modes 52 64-bit or 31-bit Dynamic Address Translation 53 Low-address protection on effective address Memory protection mechanisms Table protection 113 114 56 Key match logic for key-controlled protection Logical address EServer Linear address Effective addressPhysical address 59 Data access privilege checks Access control through type check Page 121 63 Page map level four entry Translation Lookaside Buffers Kernel memory management Reverse map Virtual Memory Support for Numa servers Huge Translation Lookaside Buffers 65 Rmap VM 66 TLB Operation Frame management Remapfilepages Memory area management Process address spaceNoncontiguous memory area management 68 Object reuse handling while allocating new linear address Atomic operations Symmetric multiprocessing and synchronizationMemory barriers Audit components Audit subsystemSpin locks Kernel semaphores Kernel-userspace interface Audit kernel components Filesystem watches Syscall auditingTask structure Audit context fields 71 Task Structure File system audit components User space audit components Configuration Audit operation and configuration options Option Description Possible values Operation Audit record generation Audit recordsKernel record generation Syscall audit record generation 73 Audit Record Generation File system audit record generation 74 Extension to system calls interface Record generation by trusted programs Socket call and IPC audit record generationAudit record format Page Event Description LAF audit events Audit tools Login uid associationKernel modules Auditctl Linux Security Module framework Structure LSM AppArmor module LSM capabilities moduleAppArmor Var/log/boot.msg Rwl Var/run/klogd.pid AppArmor administrative utilities Securityfs AppArmor access control functions 1 I/O virtualization on System z Device driversInterpretive-execution facility State description Hardware virtualization and simulation Character device driver Block device driver Init System initialization System Boot loader Boot methodsBoot process Linuxrc 79 System x Sles boot sequence System p Page System p in Lpar 80 System p Sles boot sequence Etc/sysconfig/init script 81 System p Lpar Sles boot sequence Control program System z 82describes the boot process for Sles as a z/VM guest EServer 82 System z Sles boot sequence 169 83schematically describes the boot process of eServer 170 83 eServer 326 Sles boot sequence Identification and authentication Overview Pluggable Authentication Module Modules Configuration terminology Etc/security/pamenv.conf Protected databases Access control rules Trusted commands and trusted processes11.2.1.1 DAC Agetty Gpasswd Login Newgrp Mingetty 11.3.7 su Passwd Network applications Interaction with auditOpenSSL Secure socket-layer interface 84 SSL location in the network stack Encryption Concepts 87 Encryption Algorithm and Key 88 Asymmetric keys Message digest Message Authentication Code MACDigital certificates and certificate authority SSL architecture SSL handshake protocol 90 SSL Protocol 187 Symmetric ciphers OpenSSL algorithms Certificates Asymmetric ciphersHash functions Secure Shell SSH server daemon SSH client Cups Very Secure File Transfer Protocol daemon Cupsd Ping6 PingOpenssl Stunnel Account Management System managementXinetd Chage Chsh Chfn Useradd User managementUsermod Userdel Groupadd Group management Groupdel Groupmod 202 Other System Management System Time managementDate Hwclock Memory Supervisor mode instructionsMemory separation 13.5.1.3 I/O controller and network System p Star Amtu output 207 13.6 I&A support Batch processing user commandsBatch processing 14.1.2 at Cron Batch processing daemons14.2.2 atd Audit daemon User-level audit subsystemAudit utilities Aureport Audit logs Audit configuration filesAutrace TSF libraries Supporting functions LibraryDescription System call linking mechanism Library linking mechanism System call argument verification Pageoffset Audit Object reuse Discretionary Access ControlSecurity management TSF protection Secure communications Trusted processes TP.4 Testing the TOE protection mechanisms TP.7TSF Databases TP.5 Internal TOE protection mechanisms TP.6 Kernel subsystem file and I/O Summary of kernel subsystem interfacesExternal Interfaces Internal function Interfaces defined Internal Interfaces 1.1.3 External interfaces system calls Kernel subsystem process control and management Kernel subsystem inter-process communication Internal Interfaces Dopipe Kernel subsystem memory management Kernel subsystem networking Internal interfaces Kernel subsystem audit Kernel subsystem device drivers Other functions Kernel subsystems kernel modules Summary of trusted processes interfaces References RSA 234