		AUDIT FAQ 
		~~~~~~~~~

1	What are audit and auditd ?
2.1	What are audit modules ?
2.2	What are the authentication modules ?
2.2.1	What is the RAW authentication module ?
2.2.2	What is the SRP authentication module ?
2.3	What are IA (information accessing) modules ?
2.3.1	What is the SYSLOG IA module ?
2.3	What are ATTRIBUTE modules ?
2.3.1	What is CLASSIC attribute module ?
2.3.2	What is PEO attribute module ?
2.3.3	What is MYSQL attribute module ?
2.3.4	What is PGSQL attribute module ?
2.3.5	What is REGEX attribute module ?
2.3.6	What is TCP attribute module ?
2.4	What are resources modules ?
2.4.1	What is LOCAL resource module ?
3	Can I use audit and modular syslog together ?
3.1	Can I use audit to automatically retrieve logfiles from remote
	machines ?
3.2	Can I use audit to check the integrity of logfiles ?
3.3	Can I change the current msyslog-peo key using audit ?
3.4	Can I change the current [m]syslog configuration file using audit ?
3.5	Can I use audit to audit logs centralized on a remote secure machine ?




1	What are audit and auditd ?

    The audit client and the auditd server are two programs that together
allow remote auditing of system logs: the auditor uses the client to connect
to the remote host where the server is listening; once logged in, he can
execute a set of commands for administrative tasks or log-auditing related
work.
For administration purposes, there exist two kinds of commands:
	o User administration commands:
		o Create
		o Remove
	o Resources administration commands:
		o Set
		o Remove
		o Find

User administration commands allow managers to create new users (auditors)
or remove existing ones.
Resources administration commands allow managers to create, modify, remove,
and examine each user's permissions (and other status values).

There exist six other commands for auditing purposes:
	o List
	o Info
	o Get
	o Zap
	o Rotate
	o Sign

they are called "Information Accessing commands".
The List command shows a list of the available logfiles (it does not mean
that the auditor is able to examine their contents).
The Info command retrieves information about a specified logfile.
The Get command retrieves both information and log data from a specified
logfile.
The Zap command truncates a specified logfile; this command only erases
those logs that have been downloaded using the Get command.
In the case of logfiles placed on disk files, the Rotate command compresses
(using gzip) a specified logfile; this command only compresses those
logs that have been downloaded using the Get command.
The Sign command is used by auditors to sign those logs that have been
audited (it is not implemented yet).

The client/server session can be encrypted.



2.1	What are audit modules ?

    The audit system has a modular architecture: several custom
authentication, information accessing, and resources modules can be
used; they are implemented as shared libraries.



2.2	What are the authentication modules ?

    When a connection between a client and the server is established,
the client should log in using some authentication method. The login
process is controlled by the authentication module.
This module is responsible for enabling the compression/encryption
of subsequent data transfers.



2.2.1	What is the RAW authentication module ?

    The raw authentication module uses the native login method on the
host where the server is running. The user should have a valid account
on that server's operating system, and should belong to the ``audit''
group. Unfortunately this module neither compresses nor encrypts any data
transfer between both parties, so an eavesdropper can steal the user's
password and the logs, and will then be able to impersonate the auditor.



2.2.2	What is the SRP authentication module ?

    The srp (secure remote password protocol) authentication module is
an implementation of a password authentication and key-exchange protocol
proposed by Thomas Wu at Stanford University <tjw@cs.Standford.EDU>.
The SRP homepage is at http://www-cs-students.stanford.edu/~tjw/srp/.
Both sides (client and server) are mutually authenticated; then all data
transfers between both parties are compressed and encrypted using
blowfish-cbc and the exchanged key. The current SRP implementation does
not follow RFC 2945.
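
As an added illustration (not the audit module's own code, which as said
above does not follow RFC 2945), the following Python sketches an SRP-6a
style exchange: the server stores only a salt and a verifier, the password
never crosses the wire, and both sides derive the same session key only
when the typed password matches the enrolled one. The group parameters N
and g are constructed for the demo and are far too small for real use.

```python
import hashlib
import secrets

# Demo-only group: a 127-bit Mersenne prime with g = 2 (constructed for this
# example; a real deployment uses a large safe prime, e.g. an RFC 5054 group).
N = (1 << 127) - 1
g = 2

def to_bytes(x: int) -> bytes:
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(to_bytes(N), to_bytes(g))  # SRP-6 multiplier parameter

def private_x(user: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{user}:{password}".encode()).digest())

def make_verifier(user: str, password: str, salt: bytes) -> int:
    """Enrollment: the server keeps (salt, v); the password itself is never stored."""
    return pow(g, private_x(user, password, salt), N)

def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)                 # client -> server: username, A

def server_challenge(v: int):
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N   # server -> client: salt, B

def client_key(user, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("invalid B from server")   # mandatory SRP sanity check
    u = H(to_bytes(A), to_bytes(B))
    x = private_x(user, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(to_bytes(S)).digest()

def server_key(v, b, A, B) -> bytes:
    if A % N == 0:
        raise ValueError("invalid A from client")   # mandatory SRP sanity check
    u = H(to_bytes(A), to_bytes(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(to_bytes(S)).digest()

def run_exchange(user, enrolled_password, typed_password):
    """Whole exchange; returns (client key, server key) so a caller can compare them."""
    salt = secrets.token_bytes(16)
    v = make_verifier(user, enrolled_password, salt)
    a, A = client_start()
    b, B = server_challenge(v)
    return client_key(user, typed_password, salt, a, A, B), server_key(v, b, A, B)
```

In the real protocol both sides then exchange hash proofs of the derived
key before any log data flows; here the caller simply compares the two keys.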

An SRPPass resource should be created on the remote host ``by hand'' to
be able to use this module for the first time. The contents of this
resource are the output of the srpp.c program located under the
src/modules/auth/srp directory of the audit source code distribution.
If you are not able to access or compile this program, the following can
be used as a first login password:
	    [ SRPPass ]
		\85\2F\7A\2E\2A\40\AF\AC\24\FE\03\1D\40\85\AD\EA
		\EE\2A\08\8A\BC\0E\7E\14\F2\B4\11\9C\1D\6A\2E\91
		\DC\3D\F2\A6\87\A6\4A\D6\62\2F\EB\0C\89\DA\23\A5
		\A3\55\BC\36\3F\11\86\39\C3\6F\09\85\FC\2D\2F\AA
		\E7\AF\50\1B\EB\14\F0\EF\01\ED\31\95\E3\70\D1\AE
		\B6\10\F3\62\86\AA\61\AF\09\B4\30\80\B8\70\01\4A
		\D7\D6\E1\CA\20\A1\C8\2F\95\0B\0F\F4\4D\55\19\55
		\00\E9\CB\0C\39\9F\80\9A\29\3D\03\00\5C\CE\DD\B9
		\36\37\93\87\9D\A2\22\1C\3C\23\38\5C\56\D4\52\6B
		\9D\EA\23\65\7C\84\41\46\40\B5\59\D9\C9\3D\03\80
		\68\B5\79\CC\CC\99\5C\4E\73\AA\BD\1B\FF\23\85\AD
		\DA\26\CD\AC\29\68\C6\C8\30\A2\AD\5E\EC\B1\89\47
		\F3\84\8B\F0\42\33\01\2B\51\F3\AD\CB\6A\A4\D5\0C
		\D9\8C\1D\B8\D3\0A\3C\78\AC\3A\8F\F9\E8\87\DB\8B
		\A7\53\B1\E0\A1\D0\CA\55\A6\7D\F0\E5\E2\DC\B8\CA
		\47\C3\80\75\9B\75\EE\67\D0\0C\36\1F\70\D0\6D\51
		\80\EC\D9\23\D7\62\25\50\A7\82\70\27\E4\FC\EB\0E
		\75\C4\E5\CF\BE\59\84\1F\FF\DE\F4\5A\8A\59\9F\9C
		\B8\2E\51\8C\42\BC\48\9C\97\BD\F2\F7\E0\EE\34\E2
		\35\06\43\DF\B5\8F\07\75\BA\51\79\46\87\B3\03\B6
		\32\98\F1\99\84\17\58\CF\7E\03\A8\71\84\ED\B7\0B
		\0A\33\BB\CD\FC\B9\08\0C\98\00\03\8B\76\20\C9\70
		\32\7A\46\84\26\3E\80\00\51\22\84\E0\B4\FA\D8\6C
		\FC\92\28\12\CA\03\AA\80\17\44\79\CB\BD\FE\81\35
		\57\DD\6C\D6\8C\48\42\C1\AD\CB\8A\85\54\0D\CD\45
		\8A\B7\8B\57\8A\EF\83\3F\85\1A\A3\1C\09\0B\D2\17
		\BA\BE\B7\51\A5\5A\1D\FB\5C\3D\E8\C6\05\40\1E\F3
		\E4\F0\0C\F0\BF\46\24\85\B8\FC\53\E9\F7\FB\4C\AF
		\EA\5C\2C\54\47\E0\F4\C2\9F\FC\80\9F\B0\E3\CB\7A
		\32\C1\6C\DA\C8\4D\35\9D\2B\C6\72\C5\70\0F\70\40
		\8B\80\5E\13\4F\05\C1\82\D1\6D\60\60\B8\1B\B3\51
		\0C\A6\77\BB\8C\82\E5\E5\CE\48\79\EB\C7\F5\B2\D3

With the above, the srp login password is: "change_this_password_now".



2.3	What are IA (information accessing) modules ?

    The IA (information accessing) modules allow 'access to' and
'working on' different sets of logfiles.
There exist two types of IA modules:
	o IA modules (the name is due to historical reasons)
	o Attribute modules

In the following lines, when we refer to the IA module we are talking
about the first type; otherwise the word attribute is used.

The IA module interacts with the entity that generates a given set of
logs (examples of such entities are syslogd, httpd, the NT event logger, etc).
The first thing an auditor should do is to specify the type of logs that
he wants to audit (if going to audit apache logfiles, then an APACHE IA
module should be specified before executing any IA command -list,
info, get, zap, rotate, sign-).
The IA module creates a list of all logfiles generated by the entity (e.g.
in the case of syslog this is done by parsing its configuration file).
When an auditor executes the ``list'' command, he will see only those
logs he is able to see and not the complete list.  If this command is
executed before specifying any IA module, a list of IA modules is printed
instead.

The Attribute IA modules characterize each logfile itself, and there can
exist more than one attribute per logfile.
Examples:
	o If using modular syslog logging to a postgresql database, then
	  the PGSQL attribute module is associated to that logfile.

	o If using modular syslog logging to a logfile on disk and applying
	  the PEO protocol, http://www.corest.com/pressroom/ \
	  advisories_desplegado.php?idxsection=11&idx=85, then two attributes,
	  CLASSIC and PEO will characterize that logfile, the first one
	  is associated to the logs, and the second one to the PEO
	  (and PEO-L) status.

From the server's point of view, a logfile is nothing else than a list of
attributes.
The ``info'' information accessing command shows the information created by
each attribute module.



2.3.1	What is CLASSIC attribute module ?

    It is the attribute associated to standard syslog logfiles.



2.3.2	What is PEO attribute module ?

    It is the attribute associated to modular syslog v1.xx logfiles where the
PEO protocol is used to ensure the integrity of the logs.
Refer to the PEO paper for more information about that protocol:
http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=11&idx=85



2.3.3	What is MYSQL attribute module ?

    It is the attribute associated to modular syslog v1.xx logfiles stored in
a MySQL database.



2.3.4	What is PGSQL attribute module ?

    It is the attribute associated to modular syslog v1.xx logfiles stored in
a PostgreSQL database.



2.3.5	What is REGEX attribute module ?

    It is the attribute associated to modular syslog v1.xx logfiles; it gives
information about the kind of data stored on a particular logfile.



2.3.6	What is TCP attribute module ?

    It is the attribute associated to modular syslog v1.xx logfiles; it says
that modular syslog is sending logs to a particular host where another
modular syslog, or a similar program, is waiting for such information.



2.4	What are resources modules ?

    All users' (auditors') permissions and status, as well as internal
server data, are stored in a resources database; each resource is a
name-value pair that can contain any kind of data.
When an auditor logs in, the server loads the user's database and
it remains in memory until he logs out.
The resources module is responsible for loading and saving the resources
from/to a storage in a way completely independent from the server.



2.4.1	What is LOCAL resource module ?

    The local resources module stores the resources database in a
human readable and editable text file. There is one file per auditor
and all of them are placed by default under /var/alat/resources.
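
An added example (not part of audit's LOCAL module) of reading and writing
such a file in Python. It assumes the layout shown for the SRPPass resource
in 2.2.2 is the general one: a `[ name ]` header followed by indented value
lines in which `\XX` escapes carry raw bytes. The sample file is constructed.

```python
import re

HEADER = re.compile(r"^\[\s*(\S+)\s*\]$")       # e.g. "[ SRPPass ]"
ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")      # e.g. "\85" -> byte 0x85

def decode_value_line(line: str) -> bytes:
    """Turn one value line into bytes: \\XX escapes become single bytes,
    anything else is taken literally."""
    out = bytearray()
    pos = 0
    for m in ESCAPE.finditer(line):
        out += line[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += line[pos:].encode("latin-1")
    return bytes(out)

def parse_resources(text: str) -> dict:
    """Parse a per-auditor resources file into {name: value bytes}."""
    resources, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            resources.setdefault(current, bytearray())
        elif current is None:
            raise ValueError(f"value line before any [ name ] header: {raw!r}")
        else:
            resources[current] += decode_value_line(line)
    return {name: bytes(value) for name, value in resources.items()}

def dump_resources(resources: dict, width: int = 16) -> str:
    """Serialize back to the text layout; every byte is written as \\XX so
    the output is unambiguous whatever the value contains."""
    lines = []
    for name, value in resources.items():
        lines.append(f"[ {name} ]")
        for i in range(0, len(value), width):
            lines.append("\t" + "".join(f"\\{b:02X}" for b in value[i:i + width]))
    return "\n".join(lines) + "\n"

# Constructed sample in the same layout as the SRPPass resource in 2.2.2.
SAMPLE = r"""
    [ SRPPass ]
        \85\2F\7A\2E\2A\40\AF\AC
        \24\FE\03\1D\40\85\AD\EA
    [ Group ]
        auditors
"""
```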



3	Can I use audit and modular syslog together ?

   Yes. You can use audit to audit modular syslog logfiles.



3.1	Can I use audit to automatically retrieve logfiles from remote
	machines ?

    Yes. If you're using *nix systems you can configure your crontab
to execute scripts that use audit to retrieve logs from remote systems.
This scheme also allows centralizing logs on a secure host where the audit
client runs.



3.2	Can I use audit to check the integrity of logfiles ?

    Yes, but only if you're using modular syslog and its PEO output module.
Other methods are possible, but the appropriate custom msyslog output
module and audit IA and attribute modules would have to be created.



3.3	Can I change the current msyslog-peo key using audit ?

    You can't change the current key for another random one, but what you
can do is use propagated peo keys. That is:
Suppose you are using modular syslog and applying PEO on the /var/log/messages
logfile. Then:
	1. Connect (using audit and its -o option) to the remote host and
	   retrieve the /var/log/messages logfile.
	2. After step 1, both the logs and the peo key files are saved in
	   a directory (specified by the -o option); the initial (secret)
	   peo key should also reside in that directory.
	3. Use peochk(1), modular syslog's utility, to check the file
	   integrity.
	4. Connect (using audit) to the remote host and rotate or zap
	   the logfile.
	5. The peo key file downloaded in step 2 will be the initial key
	   the next time you start at step 1.



3.4	Can I change the current [m]syslog configuration file using audit ?

    Audit v1.0 does not allow that. This feature will be added in future
audit releases.



3.5	Can I use audit to audit logs centralized on a remote secure machine ?

    Yes, but you should use a custom IA module or configure the syslogd
running on the secure host with the names of the centralized logfiles; in
that case care must be taken to ensure that syslogd will not overwrite
those logfiles.
Future versions of audit will solve this problem.


$CoreSDI: FAQ,v 1.9 2001/12/12 20:35:02 claudio Exp $

