Auditing is a security technology that enhances system security by examining audit trails after an attack. It is an important part of a secure operating system. Many secure operating systems now include an auditing function, and there are also many stand-alone auditing systems. Judging from the current state of research, auditing systems need to be improved in four respects: the impact on the kernel, the auditing content, the security of the audit itself, and the management of audit record files.

We propose a new way to implement an auditing system: extending the LSM framework and inserting auditing hooks into the kernel. In this way a secure kernel-level auditing subsystem, based on Linux and conforming to the fourth-level requirements of the National Standard of China, is designed and implemented, and its performance is analyzed.

The main contributions of the thesis are as follows. First, after analyzing the auditing requirements and taking kernel updates into account, an approach that builds the auditing system by extending the LSM framework is presented. We added new auditing hooks to the LSM framework and, through an analysis of 85 system calls, identified 290 hook insertion points in the kernel. These hooks are the interface for collecting auditing information and managing audit records. Second, based on the new auditing hooks in the kernel, the design and implementation of an auditing module are presented and several key problems are discussed. Third, a new method that provides a user-level auditing interface by extending the "syslog" system call is proposed. Fourth, by cooperating with other parts of the secure operating system, such as MAC and DAC, the security of the auditing system itself is guaranteed. Fifth, the management of audit record files and the system's performance are discussed.

The idea put forward in this thesis is intended to open a new approach to building auditing systems. The effectiveness of this approach is demonstrated by the practical system. As far as availability is concerned, the auditing system provides functional user-management tools, including GUI tools for audit configuration and audit review as well as a number of shell commands.
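To make the architecture concrete, here is a user-space model of the check-then-audit pattern the abstract describes: an LSM-style hook table in which an access-check hook (standing in for MAC) decides, an audit hook records the decision in a bounded kernel buffer, and a reader stands in for the extended syslog interface. This is an added illustration, not code from the thesis; all names, the toy policy and the buffer size are assumptions.

```c
/* Added model of the thesis's hook architecture; not the thesis's kernel code.
 * Names, policy and buffer size are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 64

struct audit_record {
    unsigned uid;           /* subject */
    char syscall_name[16];  /* which system call was audited */
    char object[64];        /* object the call touched */
    int allowed;            /* 1 = permitted, 0 = denied by the check hook */
};

/* Hook table, modelled on LSM's function-pointer style. */
struct security_ops {
    int  (*file_open_check)(unsigned uid, const char *path);
    void (*file_open_audit)(unsigned uid, const char *path, int allowed);
};

static struct audit_record records[MAX_RECORDS];
static int nrecords = 0;

/* Audit hook: appends one record to the in-kernel buffer; drops when full. */
static void audit_file_open(unsigned uid, const char *path, int allowed) {
    if (nrecords >= MAX_RECORDS) return;
    struct audit_record *r = &records[nrecords++];
    r->uid = uid;
    r->allowed = allowed;
    snprintf(r->syscall_name, sizeof r->syscall_name, "open");
    snprintf(r->object, sizeof r->object, "%s", path);
}

/* Toy MAC check (assumed policy): only uid 0 may open anything under /etc/. */
static int mac_file_open_check(unsigned uid, const char *path) {
    return !(uid != 0 && strncmp(path, "/etc/", 5) == 0);
}

static struct security_ops ops = { mac_file_open_check, audit_file_open };

/* Simulated open() path: the check hook runs first, the audit hook always runs,
 * so denied attempts are recorded as well as successful ones. */
int sys_open_model(unsigned uid, const char *path) {
    int allowed = ops.file_open_check(uid, path);
    ops.file_open_audit(uid, path, allowed);
    return allowed ? 0 : -1;
}

/* Stands in for the extended syslog interface: copies records to user space. */
int audit_read(struct audit_record *out, int max) {
    int n = nrecords < max ? nrecords : max;
    memcpy(out, records, (size_t)n * sizeof *out);
    return n;
}
```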