
Week 20 - Audit, Integrity Measurement, and Compliance

20.1 Conceptual Core

  • The Linux audit subsystem (auditd) generates structured logs of security-relevant events: syscalls, file access, login attempts, privilege escalations.
  • IMA/EVM (Integrity Measurement Architecture / Extended Verification Module) hashes files at access time and optionally signs them; integrates with TPM for attestation.
  • CIS benchmarks and STIGs are industry-standard hardening checklists. openscap and lynis automate auditing.

20.2 Mechanical Detail

  • auditctl configures rules at runtime; /etc/audit/rules.d/*.rules for persistence. aureport, ausearch for querying.
  • A reasonable baseline rule set: log every execve, every open failure on /etc/passwd or /etc/shadow, every change to auditd's own configuration, and every privilege escalation.
  • IMA: ima_policy="appraise_tcb" kernel parameter. Measures executables; with EVM, signs metadata.
  • Compliance scanning:
      ◦ lynis audit system for a quick local audit.
      ◦ openscap (oscap xccdf eval) for SCAP-based formal benchmarks.

20.3 Lab: "An Audited Host"

  1. Configure auditd with a baseline ruleset.
  2. Trigger expected events (failed su, edit of /etc/passwd); verify logs.
  3. Run lynis audit system; record the score and address the top 5 findings.
  4. (Optional) Boot with IMA enabled; measure the impact on boot time and observe /sys/kernel/security/ima/ascii_runtime_measurements.
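A baseline rules file that implements the four rule categories from 20.2 and covers the events the lab triggers (failed su, edits to /etc/passwd). This is an added example, not a file shipped with the course; the file name, the -k key names, the /usr/bin and /sbin binary paths and the x86_64 ABI are assumptions.

```text
## Baseline auditd rules (added example, not the course's own file).
## Install as /etc/audit/rules.d/10-baseline.rules and load with: augenrules --load
## Assumes an x86_64 host; the arch=b32 lines only matter if 32-bit binaries run.
## Verify after the lab triggers: ausearch -k shadow_fail -i ; ausearch -k priv_esc -i ; aureport -k --summary

## Start clean, enlarge the kernel backlog, and log (rather than panic) on failure
-D
-b 8192
-f 1

## 1. Every process execution (execve), on both syscall ABIs
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec

## 2. Failed opens of /etc/passwd and /etc/shadow (permission denied).
##    One rule per file and errno: auditctl takes a single -F path per rule.
-a always,exit -F arch=b64 -S open,openat -F path=/etc/passwd -F exit=-EACCES -k passwd_fail
-a always,exit -F arch=b64 -S open,openat -F path=/etc/passwd -F exit=-EPERM  -k passwd_fail
-a always,exit -F arch=b64 -S open,openat -F path=/etc/shadow -F exit=-EACCES -k shadow_fail
-a always,exit -F arch=b64 -S open,openat -F path=/etc/shadow -F exit=-EPERM  -k shadow_fail

##    Plus any write or attribute change to the account databases (lab step 2)
-w /etc/passwd    -p wa -k identity
-w /etc/shadow    -p wa -k identity
-w /etc/group     -p wa -k identity
-w /etc/sudoers   -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity

## 3. Changes to the audit subsystem's own configuration and tools
-w /etc/audit/         -p wa -k auditconfig
-w /etc/audit/rules.d/ -p wa -k auditconfig
-w /sbin/auditctl      -p x  -k audittools
-w /sbin/auditd        -p x  -k audittools

## 4. Privilege escalation: su/sudo invocations and any exec that switches to root
##    (-C uid!=euid catches setuid-root binaries regardless of their path)
-w /usr/bin/su   -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid_root
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid_root

## Lock the rule set once it is final: with -e 2 any further change needs a reboot.
## Leave it commented out while iterating on the lab.
# -e 2
```

Check the loaded set with auditctl -l and watch log volume with aureport --summary before leaving the execve rules on a busy host.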

20.4 Hardening Drill

  • Ship an idempotent provisioning playbook (Ansible/shell) that applies CIS baseline tunables: disable unused services, set umask 027 for system accounts, limit at/cron to admins, etc.

20.5 Performance Tuning Slice

  • Audit logging at high syscall rates is expensive. Measure log volume; rate-limit chatty rules with -F filters, or move to audisp-remote to ship logs off-host.

Month 5 Capstone Deliverable

A security-and-hardening/ directory:

  1. mac-profiles/ - SELinux + AppArmor for the echo service.
  2. cap-seccomp/ - minimum-capability + seccomp-policy template.
  3. luks-tang/ - fully encrypted volume with network-bound auto-unlock.
  4. audit-baseline/ - auditd rules + a lynis-validated host playbook.

A THREAT_MODEL.md for the example service: assets, attack surfaces, mitigations.
