
Secure Audit System Based On LSM

Posted on: 2009-12-21
Degree: Master
Type: Thesis
Country: China
Candidate: K Qu
GTID: 2178360275950864
Subject: Computer application technology
Abstract/Summary:
The security of the operating system plays an important role in building robust computer systems, and it in turn depends on a secure auditing system. There are two kinds of audit system: the auditing capability of the operating system itself, and dedicated audit systems provided by third-party software. Operating-system auditing can provide a more fine-grained audit function, because it can be inserted into the system kernel, but it mainly uses a passive, non-real-time auditing mechanism, with little control over audit granularity and poorly reliable audit logs. Third-party software mainly audits the operations of applications, which is coarse-grained and has poor security and portability. To sum up, existing auditing systems can be improved in four aspects: portability, real-time operation, log management, and self-security. A real-time, secure, and effective audit system based on LSM, called LSAS, is designed and implemented in this paper. The main tasks and achievements are as follows.

1. Enhancing the auditing capability of LSM. The security domain of the process task structure in the operating system is pointed to a specified data structure in order to enhance auditing capability. Audit hooks and hook functions are added to capture comprehensive audit information. Furthermore, registration and unregistration functions are provided to implement dynamic addition and deletion of security audit modules.

2. A buffer with a doubly linked list structure is designed to solve the problems of easily lost audit information and buffer overflow. The PV operation principles of operating systems are drawn on to solve process synchronization.

3. A normal-activities rule base, RVA, and its dynamic response algorithm are presented. Real-time security warning and punishment mechanisms are achieved through a constraint control algorithm and the setting of a warning threshold and a punishment threshold.

4. An audit log data structure based on standardization and efficiency is designed. Five kinds of basic query are provided: query-by-username, query-by-time, query-by-objects, query-by-error, and query-by-operator; composite queries are also allowed.

5. Least-privilege management, multi-level security, and log validation technologies are applied to ensure the safety of the audit system.

6. The width, the process switching time, and the system call time are tested in LSAS, and the security of LSAS is tested with sendmail attacks on Linux. The results show that LSAS has effective performance and fine security.
Keywords/Search Tags:Secure audit system, LSM, Linux, Modular, Kernel