Audit profiles determine which policies add records to the audit log (and in which cases).
The security module forwards audit log records via the KasperskyOS kernel to the klog entity, which decodes and processes them. For more details, please refer to the klog example provided in KasperskyOS Community Edition.
Declaring audit profiles
Audit profiles are declared by using an audit profile declaration:
    audit profile <profile name> =
      { <runtime level>:
        { <object name>:
          { kss: [ "granted", "denied" ]
          , <object configuration ...>
          }
        }
      }
ksm.module).
The kss field in an object configuration is an agreement about which messages will be recorded in the audit log depending on the decision made by the policy. This list can be empty (no messages will be added to the log) or it can be a combination of the literals "granted" and "denied".
Example audit profile declaration:
    audit profile trace =
      { 0:
        { base:
          { kss: ["denied"]
          }
        }
      , 1:
        { session:
          { kss: ["granted", "denied"]
          , omit: ["closed"]
          }
        }
      }
Assigning audit profiles
For example:
    audit default = global 0 // Assign the default audit profile.

    /* Configuration of requests from the "Client" entity to the "Server" entity. */
    request src=Client, dst=Server {
        audit parent // The parent audit profile is assigned to calls of policies in this section.

        /* Configuration of requests from the "Client" entity to specific methods of the "Server" entity. */
        match endpoint=pingComp.pingImpl, method=Ping {
            audit child
            grant () // The child audit profile is assigned to this call.
        }
        match endpoint=pingComp.pingImpl, method=Pong {
            grant () // No audit profile is assigned to this call, so the parent profile will be used.
        }
    }

    response src=Client, dst=Server {
        grant () // No audit profile is assigned to this call, so the global profile will be used.
    }
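The following is an added example (a simplified Python model, not KasperskyOS code) of how the assignments above resolve to one audit profile per policy call, and how that profile's kss list decides whether a decision is logged. The contents of the global, parent and child profiles are constructed samples, the grant () calls are assumed to belong to the base object, and runtime-level lookup is assumed to be an exact match.

```python
# Simplified model for reviewing an audit configuration; not KasperskyOS code.
# Profile contents are constructed samples: the page names the profiles
# "global", "parent" and "child" but does not show their declarations.
PROFILES = {
    "global": {0: {"base": {"kss": ["denied"]}}},
    "parent": {0: {"base": {"kss": ["granted", "denied"]}}},
    "child": {0: {"base": {"kss": []}}},  # empty list: nothing is logged
}

# Audit assignments from the page's example, widest scope first.
DEFAULT_PROFILE = "global"  # audit default = global 0
SECTION_AUDIT = {("request", "Client", "Server"): "parent"}
MATCH_AUDIT = {
    ("request", "Client", "Server", "pingComp.pingImpl", "Ping"): "child",
}


def effective_profile(kind, src, dst, endpoint=None, method=None):
    """Narrowest assignment wins: match block, then section, then default."""
    section = (kind, src, dst)
    return (MATCH_AUDIT.get(section + (endpoint, method))
            or SECTION_AUDIT.get(section)
            or DEFAULT_PROFILE)


def is_logged(profile, level, obj, decision):
    """Return True if `decision` is listed in the object's kss field.

    Assumption: only the configuration declared for exactly `level` is used.
    A literal other than "granted"/"denied" is rejected instead of being
    ignored, because a misspelt literal would silently drop audit records.
    """
    kss = PROFILES[profile].get(level, {}).get(obj, {}).get("kss", [])
    unknown = set(kss) - {"granted", "denied"}
    if unknown:
        raise ValueError(f"invalid kss literal in {profile}: {sorted(unknown)}")
    return decision in kss


if __name__ == "__main__":
    calls = [("request", "Client", "Server", "pingComp.pingImpl", "Ping"),
             ("request", "Client", "Server", "pingComp.pingImpl", "Pong"),
             ("response", "Client", "Server")]
    for call in calls:
        name = effective_profile(*call)
        print(call, "->", name, "logs granted:",
              is_logged(name, 0, "base", "granted"))
```

With these sample profiles, the granted Ping call leaves no audit record while the granted Pong call does, which is the kind of gap worth checking for when a narrower profile overrides a broader one.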