=====================================
@(#)issues 1.1 02/10/04

Inception issues for 2002/150 Secure Remote Audit Log
10/09/2002
=====================================

gw-0    Informational: [omitted -- no response required.]

gw-1    Where will the syslog audit trail format be described in the man
        pages? Added to audit.log(4)?

Tony    No, audit_sysudp.5; audit.log now has a cross reference to it.

gw-2    What happens to the syslog audit thread when the disk thread has
        back pressure (file system full)? Presumably if the policy is
        count, only the disk thread will drop records. If the policy is
        suspend, both threads will be affected. Is this detail documented
        for the customer?

Tony    The discussion of blocking / non-blocking is in the auditconfig man
        page; I updated it to cover the plugin case. I agree in the case of
        the policy "count" being set -- I should continue outputting on any
        non-blocked thread and that's covered in the new audit_plugin(3BSM)
        man page. In the blocking case, this project adds a thread that
        does not block; the presumption is that if the policy is to block
        then if any thread is blocked, all threads are blocked, including
        those that don't provide backpressure such as UDP. (My answer
        assumes the future case where UDP is replaced with a reliable
        mechanism.) The audit_plugin(3BSM) man page describes this blocking
        behavior.

gw-3    How will misconfigurations of audit_control "loghost:" and
        "loghostexcl:" be reported?

Tony    "loghost" has become "plugin" and "loghostexcl" is gone; "plugin"
        expects arbitrary positional parameters following the plugin path
        name.

        The current situation is less than ideal. The audit flags are read
        by login, ftpd, sshd, and other programs and daemons that do user
        authentication and set audit characteristics. In each case, a
        failure to parse results in no error message and no audit flags
        being set. If an administrator is curious why no audit records are
        being generated, running "auditconfig -chkaconf" or "-chkconf" will
        generate an error message.

        The specification of audit directories for file output is validated
        not by auditconfig but by auditd, which outputs an error message to
        stderr if audit_control is missing and calls audit_warn() in the
        case of a parsing error. However auditd does not validate the
        listed directories -- it leaves that to its logic for finding
        available log space and later will output warnings via audit_warn.
        It would be more friendly if audit(1M) were to validate the
        directory parameters before signalling auditd to read
        audit_control; I have made this change and have included a man page
        for audit(1M). Since this "friendly" approach doesn't cover the
        case of boot time, the current auditd validation and error handling
        will be retained as well. The new code in audit(1M) checks syntax,
        not content, so it is still possible to use correct syntax to
        configure non-existent directory or plugin paths; this test is
        still done only in auditd.

gw-4    Why is adt_xmludp.so unstable? Perhaps its output format is
        evolving and content unstable?

Tony    The plugin API is Contracted project private and the output of the
        audit_sysudp.so plugin is unstable for the format and unstable for
        the content. I've updated the 20Questions and the spec to make this
        more clear. The audit_sysudp.5 man page also reflects the output
        stability and the new man pages for audit_sysudp and audit_plugin
        (the SPI doc) echo this information.

gw-5    What happens with the syslog records if the loghost is not a
        Solaris syslogd? Will they still have the same (after syslogd
        processing) format?

Tony    (loghost is now plugin) If the syslogd implementation is consistent
        with BSM syslog as described in RFC3164, the data as recorded will
        appear the same as on Solaris; the message and most of the header
        are formatted by the sender. Tests with the Linux syslogd show that
        the "standard extension" of following the standard header with a
        "[...]" section is correctly represented even though Linux syslog
        calls don't generate this section.

        No tests have been done with other than the Linux and Solaris
        implementations.

gw-6    In order to take into account a potential (future) ability to have
        multiple loghost: lines, please find a way to specify the exclude
        flags relative to the loghost line or plugin filter.

Tony    OK. See the updated audit_control. I've changed loghost to plugin.
        See the new audit_sysudp man page.

gw-7    For commitment when the SPI is described, will there be a way to
        associate a 3rd party plugin other than through the loghost: line?
        If not, it may be misnamed.

Tony    Assuming you mean "loghost" by "it", I think you mean that the SPI
        is to be used for a plugin but there is no remote host to define. I
        changed to the new "plugin" name as described in the updated
        audit_control man page and have removed the remote host parameter.

gw-8    Need to document the loghost: library such that it is either an
        explicit path, or the path prefix is implied. As auditd is
        presently 32 bit, perhaps a syntax like pam.conf $ISA may make
        sense if auditd would ever become 64 bit.

Tony    OK. The new name, plugin, is described in audit_control for the
        case of a full path and a relative path. $ISA is also described.

wes-0   The name "Secure Remote Foo" implies to me that the remote part is
        somehow secured; however, the regular insecure syslog protocol is
        used.

Tony    The ability to store the audit log on a remote system is the only
        security claim. More specifically, that the data can't be deleted
        or altered after it is recorded is the security improvement here
        compared to the current file (including NFS) log mechanism. I agree
        that the use of UDP and syslog is a less than ideal mechanism for
        creating such a remote log and that syslog UDP has a number of
        weaknesses that can be exploited to keep audit data from being
        recorded (DOS) or to record false data.

        The introduction of the specification defines what is meant by
        "security" and includes caveats about communications, so I don't
        see a need to make any changes in response to this issue.

wes-1   Is the "sylog" in 20q and elsewhere a typo for "syslog", or is it
        something else?

Tony    Typo, fixed in 20 questions, not found elsewhere.

wes-2   Would be helpful to see a few fully formed xml-syslog messages.

Tony    OK, but no longer XML (audit_sysudp.5 man page).

wes-3   How likely is it that XML-encoded audit records won't fit within
        the 1024-byte syslog record limit? Is the xml encoding arranged to
        put "more important" stuff first?

Tony    The use of XML has been dropped due to the objection to using
        syslog for machine parsable data and the new format is limited to
        the 1024 byte limit as described in the updated specification. The
        answer to your question, however, is that it is very likely in a
        few specific cases -- the record for crontab, the record for exec
        if certain audit policies are turned on -- and possible in other
        cases where path names can be very long. The proposed (now
        rejected) design accounted for this by providing a mechanism for
        multiple line entries.

jdc-1   syslog(3C) is an old and well-understood (if crufty) interface. Why
        are we extending it now to use programmatic (XML) data rather than
        the human-readable text it once conveyed? Since when is unreadable
        gorp in syslog a good thing?

Tony    Point is moot.

jdc-2   Since UDP messages are trivially spoofed, and since syslog includes
        no reliability features (no retransmission on packet drop), where's
        the "secure" in using syslog?

Tony    See wes-0.

jdc-3   Isn't the potential of a lost audit record a security problem? If
        I'm attacking the system, wouldn't I just flood the log server to
        keep my attack a secret?

Tony    Yes.

jdc-4   Shouldn't implementing RFC 3195 ("Reliable Delivery for syslog") be
        part of this case?

Tony    (Echoing discussion at the meeting) My investigation into this
        proposed standard ("Secure Syslog") convinced me that 1/ it does
        not have a high probability of acceptance, 2/ while secure, it
        seems to be a questionable kitchen sink full of ideas and
        compromises. I think Sun should pay attention to developments in
        this area. My use of syslog(3C) ensures that the work I'm doing
        will be automatically picked up for any syslog protocol changes.

=====================================
Off line from Ralph, before inception
=====================================

Some questions:

Ralph   What happens if the audit log message is bigger than the syslog
        message size limit?

Tony    The most significant data is placed at the beginning of the line
        and file path and arbitrary text data is truncated if necessary.

Ralph   Is the use of UDP OK? Are lost messages OK?

Tony    The customers say yes.

Ralph   Is the syslog format of the audit records (XML) Unstable? I would
        think it needs to be Committed Private or Evolving since software
        on a node generating the messages and the software receiving and
        reducing them could be different and can't easily be upgraded at
        the same time.

Tony    Yes, unstable.

Ralph   I didn't see this explicitly listed in 20Q13 in the exported
        interfaces and it probably should be.

Tony    Done.

=====================================
Promises during inception to be delivered during commitment
=====================================

The new man page describing the plugin interface is audit_plugin(3BSM).

This man page will not be delivered. The delivered implementation plugin
man page is audit_sysudp(5).

=====================================
Changes made during pre-commitment review
=====================================

"loghost" (in audit_control) is now "plugin" with new semantics.

$ISA is fully interpreted in parsing audit_control.
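The gw-3 and gw-8 answers and the pre-commitment changes above describe a "plugin:" entry in audit_control that takes a plugin path followed by positional parameters, accepts either a full or a relative path, and interprets $ISA, with audit(1M) checking syntax only (existence of the plugin is still left to auditd). The following is an added illustration of such a syntax-only check, not code from the project or from this case. The whitespace-separated field syntax, the "#" comment convention, the PLUGIN_PREFIX directory used for relative paths and the ISA_SUBDIR values substituted for $ISA are all assumptions made here and are not fixed by the review text.

```python
"""Syntax-only validation of a hypothetical audit_control "plugin:" line.

Added illustration, not code from the project. Assumptions not fixed by the
review: fields are whitespace-separated, '#' starts a comment, a relative
plugin path is resolved against PLUGIN_PREFIX, and $ISA expands per ISA_SUBDIR.
"""
import posixpath
from dataclasses import dataclass, field
from typing import List

PLUGIN_PREFIX = "/usr/lib/security"     # assumed default plugin directory
ISA_SUBDIR = {"32": "", "64": "64"}     # assumed $ISA values for a 32/64-bit auditd
KNOWN_KEYWORDS = {"dir", "flags", "minfree", "naflags", "plugin"}


class AuditControlSyntaxError(ValueError):
    """Raised for a line that cannot be parsed; content is never checked here."""


@dataclass
class PluginSpec:
    path: str                                        # resolved plugin path
    params: List[str] = field(default_factory=list)  # positional parameters


def resolve_plugin_path(path: str, isa: str = "32") -> str:
    """Expand $ISA and place a relative path under PLUGIN_PREFIX."""
    if "$ISA" in path:
        if isa not in ISA_SUBDIR:
            raise AuditControlSyntaxError(f"unknown ISA {isa!r}")
        expanded = path.replace("$ISA", ISA_SUBDIR[isa])
    else:
        expanded = path
    if path.startswith("/"):
        full = expanded
    else:
        full = posixpath.join(PLUGIN_PREFIX, expanded.lstrip("/"))
    return posixpath.normpath(full)   # collapses the "//" left by an empty $ISA


def parse_plugin_line(line: str, isa: str = "32") -> PluginSpec:
    """Parse 'plugin:<path> [param ...]'; syntax only, no existence check."""
    body = line.split("#", 1)[0].strip()
    keyword, sep, value = body.partition(":")
    if not sep or keyword.strip() != "plugin":
        raise AuditControlSyntaxError(f"not a plugin line: {body!r}")
    fields = value.split()
    if not fields:
        raise AuditControlSyntaxError("plugin: line has no plugin path")
    return PluginSpec(resolve_plugin_path(fields[0], isa), fields[1:])


def check_audit_control(text: str, isa: str = "32") -> List[str]:
    """Return syntax problems found in an audit_control file; [] means clean."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        keyword, sep, value = body.partition(":")
        if not sep or keyword.strip() not in KNOWN_KEYWORDS:
            problems.append(f"line {lineno}: unknown or malformed entry {body!r}")
        elif keyword.strip() == "plugin":
            try:
                parse_plugin_line(body, isa)
            except AuditControlSyntaxError as err:
                problems.append(f"line {lineno}: {err}")
        elif not value.strip():
            problems.append(f"line {lineno}: {keyword.strip()} has no value")
    return problems


# Constructed sample file for illustration; not a real system's audit_control.
SAMPLE_AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,ad
minfree:20
naflags:lo
plugin:$ISA/audit_sysudp.so loghost1 1024   # path, then positional parameters
"""

if __name__ == "__main__":
    print(check_audit_control(SAMPLE_AUDIT_CONTROL, isa="64"))
    print(parse_plugin_line("plugin:audit_sysudp.so loghost1"))
```

As the gw-3 answer notes for audit(1M), a clean result from check_audit_control() only means the file parses; a correctly spelled line can still name a plugin that does not exist, and that is caught only when auditd tries to load it.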
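The wes-3 answer and Ralph's first question concern records that exceed the 1024-byte syslog datagram limit: the most significant data goes first on the line, and path and free-text data are truncated if necessary, while gw-5 notes that the sender formats the RFC 3164 header and a trailing "[...]" section. The block below is an added illustration of that policy written for this page; it is not the audit_sysudp record format and not code from the project. The field names, which fields count as fixed versus truncatable, the "[...]" section layout, the "..." marker and the sample record are all assumptions made here; the PRI value uses facility 13 (log audit) and severity 5 (notice) from the RFC 3164 tables.

```python
"""Fit one audit record into a single RFC 3164 syslog datagram.

Added illustration of the review's truncation policy (most significant data
first; path and free text cut if necessary). Field names, their order, the
"[...]" section and the "..." marker are assumptions, not the audit_sysudp
format.
"""
import re
import time
from typing import Dict, Tuple

MAX_DATAGRAM = 1024                              # RFC 3164 packet size limit
PRI = 13 * 8 + 5                                 # facility 13 (log audit), severity 5 (notice)
FIXED_FIELDS = ("event", "subject", "status")    # assumed: always sent in full
VARIABLE_FIELDS = ("path", "text")               # assumed: truncated when needed
MARKER = "..."                                   # assumed: marks a cut section
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
SAMPLE_TS = time.strptime("2002-10-09 10:30:00", "%Y-%m-%d %H:%M:%S")  # constructed

HEADER_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)


def rfc3164_header(hostname: str, tag: str, ts: time.struct_time) -> str:
    """'<PRI>Mmm dd hh:mm:ss HOST TAG: ' with the day space-padded per RFC 3164."""
    stamp = (f"{MONTHS[ts.tm_mon - 1]} {ts.tm_mday:2d} "
             f"{ts.tm_hour:02d}:{ts.tm_min:02d}:{ts.tm_sec:02d}")
    return f"<{PRI}>{stamp} {hostname} {tag}: "


def build_datagram(record: Dict[str, str], hostname: str = "hostA",
                   tag: str = "auditd", ts: time.struct_time = SAMPLE_TS,
                   limit: int = MAX_DATAGRAM) -> Tuple[bytes, bool]:
    """Return (datagram, truncated). Fixed fields are never cut; the bracketed
    variable section gets whatever byte budget remains."""
    prefix = rfc3164_header(hostname, tag, ts) + " ".join(
        f"{k}={record[k]}" for k in FIXED_FIELDS) + " ["
    budget = limit - len(prefix.encode("utf-8")) - len("]")
    if budget < len(MARKER):
        raise ValueError("fixed fields alone exceed the datagram limit")
    variable = " ".join(f"{k}={record.get(k, '')}" for k in VARIABLE_FIELDS)
    raw = variable.encode("utf-8")
    truncated = len(raw) > budget
    if truncated:
        # cut on the byte budget, dropping any partial UTF-8 sequence at the end
        variable = raw[: budget - len(MARKER)].decode("utf-8", "ignore") + MARKER
    datagram = (prefix + variable + "]").encode("utf-8")
    assert len(datagram) <= limit
    return datagram, truncated


def parse_datagram(datagram: bytes) -> Dict[str, object]:
    """Receiver side: split header, fixed fields and the variable section, and
    report whether the sender marked the record as truncated. Assumes fixed
    field values contain no spaces."""
    m = HEADER_RE.match(datagram.decode("utf-8"))
    if not m:
        raise ValueError("not an RFC 3164 style datagram")
    pri, stamp, host, tag, msg = m.groups()
    fixed_part, _, rest = msg.partition(" [")
    body = rest[:-1] if rest.endswith("]") else rest
    fixed = dict(f.split("=", 1) for f in fixed_part.split(" "))
    return {"facility": int(pri) // 8, "severity": int(pri) % 8,
            "timestamp": stamp, "host": host, "tag": tag,
            "fixed": fixed, "variable": body,
            "truncated": body.endswith(MARKER)}


if __name__ == "__main__":
    # Constructed record: a very long path forces the bracketed section to be cut.
    rec = {"event": "execve", "subject": "uid=100", "status": "success",
           "path": "/export/home/" + "x" * 3000, "text": "argv omitted"}
    data, cut = build_datagram(rec)
    print(len(data), cut, parse_datagram(data)["fixed"])
```

Because the fixed fields are emitted before the bracketed section and the sender appends an explicit marker, a collector can still attribute a truncated record to its event, subject and outcome, and can count truncated records as a signal that path or text data was lost rather than silently treating the cut value as complete.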