forked from bengheng/DeGap
-
Notifications
You must be signed in to change notification settings - Fork 0
Computes permission gaps from logs.
License
cheewill/DeGap
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Description =========== DeGap is a tool that computes permission gaps. Its core uses a Python plugin framework and currently has three types of plugins implemented for Sshd, Auditd, and User Groups. The scripts are found in "scripts/DeGap/". For Sshd, DeGap uses authorization logs (commonly /var/log/auth.log*) to extract the SSH access information. For Auditd and User Groups, they use the same set of auditd logs. In addition, they require file metadata information. You can run "scripts/utils/get-file-stats.py" on the subject machine to extract the information. The script takes in a list of files, and outputs another file with the metadata containing the following information concatenated with '|'. 1. Full path 2. File extension 3. Number of files in same directory with same extension (currently unused) 4. File type 5. Number of files in same directory with same type (currently unused) 6. File mode 7. File UID 8. File GID There is also a patch in "src/kernel" that modifies auditd to remove duplicated auditd entries. Duplicated entries are those that have the same fields that are required for DeGap to function properly. Fields, such as timestamps, are not necessary. Removing duplicated entries is not really necessarily for DeGap to work, but rather for performance improvements. For User Groups, DeGap also requires the "/etc/passwd" and "/etc/group" files from the target machine. Please read the accompanying paper for more information. Note that the tables in the database may differ. For example, Principal in the database corresponds to Subject, Operation corresponds to Right, and Resource corresponds to Object. Prerequisites ============= I try to list some of the prerequisites that I had to install for my system. However, your system may have other required components missing. 1. Python 2.7.3 with pyparsing 2. libaudit-dev Examples ======== These examples by no means demonstrate all the capabilities of DeGap. Rather, it shows you how to quickly get DeGap up and running so that you can explore the other features. [SSHD] Pre-requisites from target machine: a. Authorization log files placed in "test/sshd/authlogs/". b. SSHD configuration file, sshd_config, placed in "test/sshd/". 1. Change directory to "test/sshd". > cd test/sshd/ 2. Extract only SSHD log records from authorization log files into sshd.log. > grep -h "sshd\[[0-9]*\]" authlogs/* > sshd.log 3. Make sure the value for inlog in config.ini is sshd.log. 4. Use DeGap to parse logs. May take a while. > ../../scripts/Degap.py parse-logs 5. Place "filenames.dat" and "scripts/utils/get-file-stats.py" onto the target machine and run "get-file-stats.py". It takes "filenames.dat" as input and generates "filemeta.dat". The file contains metadata information about files accessed during the monitoring. [on target machine] > get-file-stats.py -i filenames.dat -o filemeta.dat Copy "filemeta.dat" back to "test/auditd/". An example "filemeta.dat" is included. 6. Use DeGap to compute granted permissions. > ../../scripts/Degap.py compute-grperms 7. Use DeGap to automatically restrict permissions. > ../../scripts/Degap.py restrict-auto [AUDITD] Pre-requisites from target machine: a. Auditd log files placed in "test/auditd/auditlogs/". 1. Change directory to "src/auditd-parser/" and compile parser. > make 2. Change directory to "test/auditd/". > cd ../../test/auditd/ 3. Copy sample "config-auditd.ini" to "config.ini". > cp config-auditd.ini config.ini 4. Run DeGap to parse logs and generate file "filenames.dat". Another file "strhash.txt" mostly used for debugging purposes is also generated. This is because strings are actually stored in their hashed forms and it gets really hard to step through the code. > ../../scripts/Degap.py parse-logs 5. Place "filenames.dat" and "scripts/utils/get-file-stats.py" onto the target machine and run "get-file-stats.py". It takes "filenames.dat" as input and generates "filemeta.dat". The file contains metadata information about files accessed during the monitoring. [on target machine] > get-file-stats.py -i filenames.dat -o filemeta.dat Copy "filemeta.dat" back to "test/auditd/". An example "filemeta.dat" is included. 6. Use DeGap to load metadata. > ../../scripts/Degap.py load-metadata 7. Use DeGap to load configurations. > ../../scripts/Degap.py load-configs 8. Use DeGap to compute granted permissions. > ../../scripts/Degap.py compute-grperms 9. Use DeGap to automatically restrict permissions. > ../../scripts/Degap.py restrict-auto [User Groups] Pre-requisites from target machine: a. "/etc/passwd" and "/etc/group" files. Examples are included. Note: Computing user group permission gaps makes use of auditd logs, so we need to use the auditd plugin to parse the logs first. So, Steps 1 to 6 are similar to that for auditd. 1. Change directory to "src/auditd-parser/" and compile parser. > make 2. Change directory to "test/auditd/". > cd ../../test/auditd/ 3. Copy sample "config-auditd.ini" to "config.ini". > cp config-auditd.ini config.ini 4. Run DeGap to parse logs and generate file "filenames.dat". > ../../scripts/Degap.py parse-logs 5. Place "filenames.dat" on target machine and run "scripts/utils/get-file-stats.py" to generate "filemeta.dat". The file contains metadata information about files accessed during the monitoring. Copy "filemeta.dat" back to "test/auditd/". An example "filemeta.dat" is included. 6. Use DeGap to load metadata. > ../../scripts/Degap.py load-metadata 7. Copy sample "config-users.ini" to "config.ini". This will overwrite the earlier config.ini. > cp config-users.ini config.ini 8. Use DeGap to load configurations. > ../../scripts/Degap.py load-configs 9. Use DeGap to compute granted permissions. > ../../scripts/Degap.py compute-grperms 10. Use DeGap to automatically restrict permissions. > ../../scripts/Degap.py restrict-auto Licensing ========= This program is released under the terms of the GNU General Public License (GNU GPL). You can find a copy of the license in the file COPYING. Contact ======= For any questions or feedbacks, please contact: Beng Heng Ng (bengheng@gmail.com) Atul Prakash (aprakash@eecs.umich.edu) We value all feedback and will try to answer your queries. However, we seek your understanding that sometimes, due to resource constraints, our replies may take longer than we would prefer.
About
Computes permission gaps from logs.
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published
Languages
- C++ 37.4%
- Python 33.5%
- C 29.0%
- Shell 0.1%