
Research And Design Of The Audit System In A 4th Security Operating System

Posted on: 2006-06-26  Degree: Master  Type: Thesis
Country: China  Candidate: H T Gao  Full Text: PDF
GTID: 2168360152970379  Subject: Software engineering
Abstract/Summary:
This thesis focuses on the design and implementation of an effective audit system. With the rapid development of information technology and the Internet, more and more attention is paid to the security of systems and networks. Operating systems have become more complex, and various vulnerabilities may exist in them; these can be exploited by hackers, and damage may also result from other man-made causes. As one of the main parts of a security operating system, the audit mechanism is very important.

The audit system in a security operating system works by recording, checking and examining security-relevant actions. Its main purpose is to detect and hold back penetration by users not authorized to use the computer system or its resources, and to reveal misuse by authorized users. As an important technique for intrusion detection, audit analysis has become a focus of the audit community. Most automated packages for intrusion detection focus on determining whether a collection of audit data is suspicious. Package developers assume that the System Security Officer will combine the results of their tools with a careful inspection of the logs to determine whether there is indeed evidence of intrusive activity. As a result, very few methods have been developed for browsing the raw audit trails.

Firstly, this thesis presents the design and implementation of the audit system in a Linux 4th-level security operating system. Based on the 3rd-level security operating system, this audit system is improved by adding mechanisms to deal with audit trails that fill up and to analyze the audit trails. Accordingly, the audit system meets the operating system technology requirement for computer information system security protection.

Then the thesis presents a new approach to browsing raw audit trails. By treating the conceptual entities in an audit trail as objects, a framework for observing how entities interact can be developed. All records of interest are first scanned to determine the objects and actions of interest. During this initial scanning phase, the objects are interconnected according to how each affects the others, much like a directed graph: the vertices represent the objects and the edges represent the actions. Then, by focusing initially on one object of interest, a System Security Officer can quickly determine how that object affected, or was affected by, any other object by noting the direction and type of the edge connecting the nodes. An initial prototype program was produced, focused on the Linux operating system model, and was fairly successful in following entities in the audit trail. Later efforts tried to extrapolate the model to more general computational systems.
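The object/edge model described above, as an added example that is not part of the thesis: audit records are scanned once into a directed graph of entities, after which a System Security Officer can ask which entities a given object affected, or was affected by, by following edge direction. The record format (actor, action, target) and the rule that a read makes the file affect the reading process are assumptions made here.

```python
# Added illustration of the object/edge model, not the thesis's own code;
# the record format and action names here are assumptions.
from collections import defaultdict, deque

# Constructed sample audit records: (actor, action, target).
SAMPLE_RECORDS = [
    ("uid:1001", "login", "proc:sh"),
    ("proc:sh", "exec", "proc:vi"),
    ("proc:vi", "write", "file:/etc/passwd"),
    ("proc:cron", "read", "file:/etc/passwd"),
    ("uid:1002", "login", "proc:bash"),
]
# Actions whose effect flows from target back to actor: a read makes the
# file affect the reading process. Every other action flows actor -> target.
REVERSED_ACTIONS = {"read"}

def build_graph(records):
    """One scan over the records; out_edges[a] holds (action, b) meaning
    a affected b, in_edges[b] holds (action, a) for the reverse lookup."""
    out_edges, in_edges = defaultdict(set), defaultdict(set)
    for actor, action, target in records:
        src, dst = (target, actor) if action in REVERSED_ACTIONS else (actor, target)
        out_edges[src].add((action, dst))
        in_edges[dst].add((action, src))
    return out_edges, in_edges

def _walk(edges, start):
    """BFS along one edge direction; {entity: hops} reachable from start."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for _action, nxt in edges.get(node, ()):
            if nxt not in hops:          # also protects against cycles
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return {k: v for k, v in hops.items() if k != start}

def affected_by(graph, obj):
    """Entities that obj affected, directly or through intermediaries."""
    return _walk(graph[0], obj)
def affecting(graph, obj):
    """Entities that affected obj, directly or through intermediaries."""
    return _walk(graph[1], obj)

def direct_edges(graph, obj):
    """Labelled edges touching obj as ('out' | 'in', action, other entity)."""
    out_edges, in_edges = graph
    return sorted({("out", a, o) for a, o in out_edges.get(obj, ())} |
                  {("in", a, o) for a, o in in_edges.get(obj, ())})
```

Starting from uid:1001, the walk reaches proc:cron in four hops because the user's write to /etc/passwd was later read by cron, which is exactly the kind of indirect effect the graph view is meant to expose.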
Keywords/Search Tags: audit, security operating system, intrusion detection, audit analysis, audit browse, object