
Research And Implementation Of The Security Audit Subsystem

Posted on: 2007-11-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y Luo
Full Text: PDF
GTID: 2178360215970083
Subject: Computer Science and Technology
Abstract/Summary:
Research and development of secure operating systems has a history of more than 30 years and has produced major results in security models, access control and identity authentication, all of which have greatly improved the security of operating systems. As part of the security mechanism, audit is an important component of a secure operating system: it provides detailed and reliable support for recording system events, locating and querying the causes of incidents, forecasting before an incident occurs and responding in real time after it occurs.

However, current audit technology has many deficiencies. For example, the logging and accounting facilities of mainstream UNIX operating systems are user-mode audit systems that no longer meet present-day security requirements: their granularity is coarse, they cannot audit system calls, and they cannot audit in real time. In recent years some researchers have therefore proposed kernel audit schemes and developed kernel-based audit tools for UNIX. But traditional UNIX operating systems have a fatal deficiency, namely that they do not implement an independent audit administrator, so the audit configuration data and log data are easily destroyed. In addition, such audit mechanisms degrade system performance. To overcome these deficiencies and meet the security audit requirements of the Kylin operating system, the security architecture must be designed as a whole and the audit system embedded throughout it. On the basis of that research, this paper proposes a host-based audit framework for Kylin.

The basic idea is to design and implement the audit subsystem on top of Mandatory Access Control and three-way privilege separation (root privilege is divided among a system administrator, a security administrator and an audit administrator), to move the audit system into the kernel, and to combine it with an access control policy based on TE (Type Enforcement) that protects the audit configuration and log data. The design principle and concrete implementation combine a kernel audit thread with a kernel audit module: the kernel audit module collects information about system calls, and the kernel thread writes the audit data to disk files. This mechanism can audit all security-relevant events, for example user login, file open, program execution, changes to file attributes, and the operations of the security and audit administrators, so the audit system provides users with precise event information without changing the kernel data structures of the Kylin operating system; the audit system can also be updated and maintained independently. Moreover, user-friendly graphical tools can be used to analyse the audit data, and uniform interfaces between kernel and user space are implemented on the basis of XML files; these interfaces serve a function similar to the Windows Registry, so that the events to be audited can be configured. Finally, the system passed performance testing: it incurs only 5-10% overhead under high load with all auditing enabled. This result shows that the audit system has low run-time overhead and little effect on performance.
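As an added illustration (not code from the thesis or from Kylin), the split between an audit module that filters system-call events and a separate thread that persists the records, driven by an XML event configuration; the XML schema, the record layout and the sample events are all constructed assumptions, since the abstract does not publish them:

```python
import queue
import threading
import xml.etree.ElementTree as ET

# Constructed configuration in an assumed schema (the thesis does not publish its
# XML layout): each <event> names a system call and whether it is selected for audit.
AUDIT_CONFIG_XML = """<audit>
  <event syscall="open" enabled="true"/>
  <event syscall="execve" enabled="true"/>
  <event syscall="chmod" enabled="true"/>
  <event syscall="read" enabled="false"/>
</audit>"""

def load_policy(xml_text):
    """Return the set of system calls the XML configuration selects for auditing."""
    root = ET.fromstring(xml_text)
    return {e.get("syscall") for e in root.iter("event") if e.get("enabled") == "true"}

class AuditModule:
    """Stands in for the kernel audit module: filters syscall events and queues records."""
    def __init__(self, policy, q):
        self.policy, self.q, self.seq = policy, q, 0

    def collect(self, uid, syscall, args, result):
        if syscall not in self.policy:      # event not selected by policy: drop it
            return False
        self.seq += 1                       # sequence number makes lost records detectable
        self.q.put(f"seq={self.seq} uid={uid} syscall={syscall} args={args!r} result={result}")
        return True

def audit_writer(q, sink):
    """Stands in for the kernel audit thread: drains the queue and persists each record."""
    while (record := q.get()) is not None:  # None is the shutdown sentinel
        sink(record)

def run_audit(xml_text, events):
    """Push constructed syscall events through module and writer; return persisted records."""
    q, written = queue.Queue(), []
    module = AuditModule(load_policy(xml_text), q)
    writer = threading.Thread(target=audit_writer, args=(q, written.append))
    writer.start()
    for ev in events:
        module.collect(*ev)
    q.put(None)
    writer.join()
    return written

# Constructed sample events as (uid, syscall, args, result); "read" is filtered out.
SAMPLE_EVENTS = [(1000, "open", ("/etc/passwd", "O_RDONLY"), 3), (1000, "read", (3, 4096), 4096),
                 (0, "execve", ("/bin/sh",), 0), (1000, "chmod", ("/tmp/x", 0o777), 0)]
```

In a real deployment the sink would append to a log file that only the audit administrator's TE domain may write, which is the point of the privilege separation described above.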
Keywords/Search Tags: Audit, Performance Analysis, Kernel Thread, XML