The Audit Kernel Object setting dictates whether the operating system records audit events when users attempt to access kernel objects such as mutexes and semaphores. Security audit events are generated only for kernel objects that carry a System Access Control List (SACL), and kernel objects are typically given SACLs only when the AuditBaseObjects or AuditBaseDirectories auditing options are enabled. In practice, then, enabling the subcategory alone is not enough: without one of those options, most base objects are created without a SACL and produce no events.
What are kernel objects?
Kernel objects are fundamental building blocks within the operating system that represent and manage system resources, such as processes, threads, files, memory sections. They provide a consistent way for drivers, applications, and other system components to interact with these resources in a controlled and secure manner.
What is object auditing?
In the context of the kernel, object auditing refers to the process of tracking and logging access and modifications to kernel objects.
Where are kernel objects stored?
Kernel objects, such as mutexes and semaphores, are managed and stored within the kernel space of an operating system. The kernel space is a protected area of the operating system’s memory that is reserved for core system functions, including the management of system resources, processes, and hardware interactions.
The exact location and organization of kernel objects depend on the specific operating system. In general, the kernel maintains data structures in its memory space to represent and manage kernel objects efficiently. These data structures contain information about the attributes, status, and ownership of each kernel object.
Audit Kernel Object is vulnerable to what type of attacks?
Here is a summary of weaknesses associated with Audit Kernel Object functionality, along with their potential consequences:
1. Insufficient auditing: Attackers could exploit the lack of visibility to covertly compromise systems and tamper with sensitive data without leaving a clear trail.
2. Privilege escalation: Attackers could leverage elevated access to bypass security controls, install malware, steal sensitive information, or disrupt system operations.
3. Audit log tampering: This could prevent the detection of security breaches and impede incident response efforts.
4. Resource exhaustion: This could impact system availability and responsiveness, negatively affecting user experience and critical operations.
5. Privacy concerns: This could lead to data breaches or unauthorized access to sensitive information if logs are not properly secured.
Key Benefits of Kernel Object Auditing
If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities, the Security log fills with data and becomes hard to use. Configuring audit settings for a large number of objects also consumes a large amount of data storage and can adversely affect overall computer performance.
If failure auditing is used and the "Audit: Shut down system immediately if unable to log security audits" setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events, such as logon failures, to fill the Security log and force the computer to shut down, causing a denial of service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Why is it important to harden Audit Kernel Object?
Experts say that if no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected, or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by meaningless entries, and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities.
It is critical to harden the auditing of kernel objects due to the kernel’s fundamental role in system operation and security. The kernel essentially has unlimited access to all processes, memory, system resources, hardware drivers, and data. Hardening kernel auditing provides much needed visibility and monitoring over this broad access.
Detailed, tamper-proof kernel logs make it possible to establish baseline patterns of activity so that abnormal usage stands out. This allows organizations to detect malicious processes, anomalies from compromised insiders, or exploits much faster. Threat actors also routinely target the kernel to gain persistence and control.
Robust kernel auditing serves as a key deterrent, increasing the likelihood that malicious events will be discovered. In essence, comprehensive protection and auditing of the kernel is foundational to overall system security: the kernel can either be leveraged by attackers to deeply compromise machines or hardened by defenders to rapidly detect threats. Hardening kernel auditing is therefore hugely impactful.
What are the best practices for Audit Kernel Object?
Enable Audit policy settings that support the organizational security policy for all the computers in your organization. Identify the components that you need for an audit policy that enables your organization to hold users accountable for their actions while using organizational resources and enables IT departments to detect unauthorized activity efficiently and then track those events in log files.
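As an added example (not part of the original article), the following PowerShell script reports a host's Audit Kernel Object posture along the lines discussed above: the effective "Kernel Object" subcategory setting, the AuditBaseObjects/AuditBaseDirectories prerequisite for SACLs, the shut-down-on-audit-failure setting, and the Security log's size and retention mode. It assumes an elevated prompt on Windows with the built-in auditpol.exe; the 200 MB log-size threshold is an assumed example value, not a Microsoft recommendation.

```powershell
# Added example: report Audit Kernel Object posture on the local host.
# Assumes an elevated PowerShell session; registry path and value names are the
# documented Lsa settings (AuditBaseObjects, AuditBaseDirectories, CrashOnAuditFail).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword([string]$Name) {
    # An absent value behaves as 0 (disabled)
    $v = (Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { 0 } else { [int]$v }
}

# 1. Effective audit policy for the "Kernel Object" subcategory (/r gives CSV output)
$row    = auditpol /get /subcategory:"Kernel Object" /r |
          Where-Object { $_ -match ',' } | ConvertFrom-Csv
$policy = $row.'Inclusion Setting'   # "No Auditing", "Success", "Failure", "Success and Failure"

# 2. Without these options, base objects such as mutexes and semaphores get no SACL,
#    so the subcategory above generates nothing even when enabled.
$baseObj = Get-LsaDword 'AuditBaseObjects'
$baseDir = Get-LsaDword 'AuditBaseDirectories'
$crash   = Get-LsaDword 'CrashOnAuditFail'   # "Shut down system immediately if unable to log security audits"

# 3. Security log capacity and retention decide how fast a flood of events overwrites evidence
$secLog = Get-WinEvent -ListLog Security
$logMB  = [int]($secLog.MaximumSizeInBytes / 1MB)

$findings = @()
if ($policy -eq 'No Auditing') {
    $findings += 'Kernel Object subcategory is not audited; kernel object access leaves no trail.'
} elseif ($baseObj -eq 0 -and $baseDir -eq 0) {
    $findings += 'Subcategory is enabled but AuditBaseObjects and AuditBaseDirectories are 0, so objects carry no SACL and no events are generated.'
}
if ($crash -ne 0 -and $policy -match 'Failure') {
    $findings += 'CrashOnAuditFail is set together with failure auditing: a flood of failure events can fill the log and force a shutdown.'
}
if ($secLog.LogMode -eq 'Circular' -and $logMB -lt 200) {   # 200 MB is an assumed example threshold
    $findings += "Security log is circular and only $logMB MB; high-volume object auditing will overwrite earlier evidence quickly."
}

"Kernel Object policy     : $policy"
"AuditBaseObjects         : $baseObj"
"AuditBaseDirectories     : $baseDir"
"CrashOnAuditFail         : $crash"
"Security log             : $logMB MB, mode $($secLog.LogMode)"
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }

# To enable the subcategory in line with policy (also requires AuditBaseObjects=1 for SACLs):
#   auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
```

Review the findings against the organizational audit policy before changing anything, since enabling success auditing on base objects is the high-volume configuration the sections above warn about.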