Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Security

Security Auditing for Linux 112

Posted by michael from the whodunnit dept.
malibu_mex writes: "LinuxToday, ZDNet Australia, and NewsForge are all reporting on a loadable kernel module + GUI combination that implements an auditing subsystem on Linux (Like the NT event logger, or solaris BSM). This could be yet another reason for big business and government to migrate away from the costly commercial alternatives to Linux. First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names? This topic has been discussed on Slashdot previously here."
This discussion has been archived. No new comments can be posted.

Security Auditing for Linux More

Security Auditing for Linux

Comments Filter:
  • but I wouldn't trust a snare... we keep reproaching MS to entangle us. I don't want this to happen to linux. no snare for me :-)

  • Another Link (Score:3, Insightful)

    by _DMan_ ( 105238 ) on Thursday November 08, 2001 @10:24AM (#2537564)
    CNET [cnet.com]

    Although this storuy claims "is the first intrusion detection system to reside on individual computers rather than a network"
    which is clearly wrong.

    • Quote from Leigh in response..... (Score:5, Informative)

      by Vermifax ( 3687 ) on Thursday November 08, 2001 @10:35AM (#2537611)
      ...to being questioned about being first posted to ZDnet talkback [zdnet.com.au]
      Anon is right in saying that there have been other logging tools for Linux, linuxbsm in particular has come a long way. Unfortunately though, some of these tools are either focussed on different logging capabilities (eg: swatch is a log file watcher, it alerts users when a particular line occurs in arbitrary log files, and can actually be used in conjunction with SNARE), or seem to be stalled in development.


      SNARE is more like the Windows NT event logger, or the Solaris BSM subsystem - but we hope that the experience we've had with these systems (and others: AIX, netware, Unicos, ACF2/RACF, etc.) will lead to an even better implementation for Linux.

      The team at InterSect made sure that we held off releasing SNARE until we were confident that it could stand on it's own feet against the auditing subsystems from other operating systems.

      The positive feedback that we're getting (thanks Sinner!) is certainly proving that people are interested, and we made the right decision.

  • 5 letter aussies (Score:5, Funny)

    by FrankBough ( 173822 ) on Thursday November 08, 2001 @10:30AM (#2537585) Homepage
    First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names?

    Apparently the first idea for a name was System Tracking, User Protection and Intrusion Detection but they thought that would be stupid.
    • Don't forget that other famous Aussie software: Slash.

      slash

      1. v.i., (Aust slang), To urinate. "I hafta take a slash. Gis another beer will ya, Kev."
      2. n, adj, A type of homosexual StarTrek fan fiction.
    • Well, it can't be such a bad thing really . e.g. Kevin Smith as Ares has fairly decent acting.

  • For those who dont know (Score:3, Redundant)

    by nervlord1 ( 529523 ) on Thursday November 08, 2001 @10:31AM (#2537591) Homepage
    Loadable Kernel Module means you dont have to recompile your kernel, i know for some people (me!!) not having to recompile your kernel is a big importance (i might be wrong on this, but thats what i remember, ill try and install it myself just to verify)

    • Re:For those who dont know (Score:3, Informative)

      by Anders ( 395 )

      Loadable Kernel Module means you dont have to recompile your kernel, i know for some people (me!!) not having to recompile your kernel is a big importance

      Indeed, modules are very nice compared to a kernel patch. You not have to recompile and reboot your kernel and you do not have to keep applying the same patch when you do install a new kernel.

      That being said, you probably still have to compile the module itself and therefore still need the kernel source installed (unless someone provides a binary module for your particular kernel revision). And there are limits to what you can do in a module, which is of course the reason that most kernel additions out there are in the form of patch files.

      Basically, an addition might go into a module, but modifications to existing beaviour often need to touch the kernel itself.

  • tail -f /var/log/messages (Score:3, Insightful)

    by Nijika ( 525558 ) on Thursday November 08, 2001 @10:33AM (#2537600) Homepage Journal
    Ok folks, here's the deal; It's not the fancy little GUI widgets that sell Windows solutions, it's the full color two page ads in "CXO Magazine", or some other publication. It's the paid fud, it's the sales calls, it's the brand name the CxO sees when they head out to Wal-Mart. It's the last 20 years of business computing history, NOT THE GADGETS.

    The people that make the decisions to go Microsoft will almost never touch the systems they implement.

    Tough cookies, but that's the real deal. Don't believe me? Go to a magazine store and pick up some financial glossies...

    • I really don't know very many CEO's that shop at Wal-Mart ;->
    • I would like to kindly disagree.

      While they weren't huge cases (handful of servers, 250-500 machines/users) my organization has chosen Windows NT for our Network Operating System solution and desktop OS in the past precisely because of the 'widgets' which made security administration much easier than on linux.

      The Event Log utility makes tracking system, application, and security events a breeze. Having the ACL controls integrated into the system and file manager makes controlling access much more flexible (IMHO, not trying to start a flame) than linux's traditional methods.

      Finally, in the organizations I've worked in the Executives relied heavily on input from the engineers who would be running the systems. They realized that the sysadmins had a better idea of what was needed than they did, and acted on that information accordingly.
    • And for those that want a GUI, check out Xlogmaster [gnu.org]. It comes in a variety of themes (OK, colours) and can pretty much capture everything you can cat, grep and cut out of your standard *NIX commands and logfiles. And a good deal more besides.

      Still, choice is good.

  • Australia nothing (Score:1, Offtopic)

    by wilton ( 20843 )
    From Jeremy Allison interview: [slashdot.org]
    Remember, for all you gits who for some reason think I'm an Australian (pah!) I'm a Brit - and my home town is Sheffield (in the Independent Socialist Republic of South Yorkshire). That's right - "THE FULL MONTY"! I've never even *been* to Australia, and have *never* eaten koala or emu

  • Windows has had this since NT 3.5 (Score:2, Redundant)

    by Anonymous Coward
    Why is it "cool" when Linux gets something that Windows has had, but when Windows gets something that Linux has had its, "Linux is so far ahead of Windows, blah, blah."
    • It's not about catching up with Windows, it's just another tool. As a matter of fact, NT 3.5 needed this badly, because NT administrators-to-be would not be able to learn how to filter a plain text log file and look out for their systems on their own. SNARE, for some linux administrators, adds convenience, for others, it adds nothing. It is, nevertheless, a promissing tool.
      Why are you complainig?
      • NT 3.5 was also incredibly easy to hack...not that I would know. Hey, is that someone knocking at my door?

        "What the hell? Who are you blokes? FBI? Terrorist? What terrorist? You mean *me*!? Really, honest, I'm not a terrorist! Hey, isn't there a statute of limitations on these things???"

        "Wait, no, leggo, I'm not a teeerrrrrorrrist -"

        NO CARRIER
    • Because with Linux, it's usually free and done by the labor of people who figure stuff out on their own, whereas and M$ has proprietary access and money to buy protocls. If Microsoft gets something years after Linux, it's rather pathetic because the ideas behind it are like RIGHT THERE IN CODE and they still haven't caught on. At the least they can let in some GPL code to enhance their own system, at the most get one programmer to read it, and the other to go just based on the general idea given to him so that the code is fresh.
      • Because with Linux, it's usually free and done by the labor of people who figure stuff out on their own, whereas and M$ has proprietary access and money to buy protocls.

        That's increasingly becoming less the case, at least with larger Open Source projects, many of which ar commercialy motivated and backed.

        If Microsoft gets something years after Linux, it's rather pathetic because the ideas behind it are like RIGHT THERE IN CODE

        And using it would be VIOLATE THE LICENSE of the code which MS staff are forbidden by their employer to do.

        and they still haven't caught on.
        • And using it would be VIOLATE THE LICENSE of the code which MS staff are forbidden by their employer to do. when was something illegal/unethical a point in stopping M$ from doing anything? also, the possibility of legal reverse engineering exists, and M$ has more than enough employees to do it effectively. basic process is something like this (iirc): 1 employee looks at code, analyzes how it works, and writes the how it works part down. another employee who has never looked at the code looks at the how it works doc, and writes their own. amazing, i tell ya. M$ has prolly never even bothered to assign 2 people to one piece of code.
          • My basis for saying that looking at GPL source is forbidden within Microsoft is people who have worked for Microsoft and told me that `looking at GPL source is forbidden within Microsoft'.

            Why bother stealing GPL code when one can legally and ethically use BSD code instead? MS have done this for ages and it works well. I see no significant areas where GPLed software has a major advantage over existing proprietary or BSD licensed software.
            • BSD/GPL/anything where the code is available. Point is that the code is available to them, and to not make use of something (as opposed to not wanting to use it at one time and put it in at a nother) like this and instead spend $$$ on redeveloping something and releasing it 2 years later is dumb. That is why we whine @ M$ when they come out with something Linux has.

    • Why it's "cool" when... (Score:1, Insightful)

      by Anonymous Coward
      It's "cool" because Microsoft is not.

      Take for instance, this: The megacorp I used to work at was coerced into migrating from Navigator to IE, otherwise, we 'sure wouldn't like the new cost of the Office license when it comes up for negotiation'.

      It's not good for the economy, world, computing industry to have companies running around using threats to stifle the potential of other companies, especially if the company that loses out has a superior product.

      Let's say you developed some software and tried to make a living by selling it. How would you feel if a company came in with an inferior product and told your biggest client they had better stop using yours or they'd face higher prices on unrelated software that they were already invested and dependant upon? Legal or not, all-is-fair-in-love-and-war or not, I call that a "low blow". I call that "immoral". I call that not being the best but still winning first prize.

      It's "cool" anytime you can get similar functionality from something which is community-supported, rather than monopoly-coerced.

      It's "cool" when Linux is ahead of Windows because it (usually) shows how people with (usually) selfless intentions, people with passion for the art of computing, are able to lead the way; to demonstrate their vision and skill while doing something that is for the common good. Not (usually) for Money, but for Kindness and other generally soft and fluffy concepts.

      In my book, "selfless" = Good.

      In my book, "greedy" = Evil.

      So, to me, this is about Good versus Evil. The events that I have been exposed to don't, imho, point to any other conclusion.

      And Good is "cool".

  • Short Time to Market (Score:2, Insightful)

    by 1alpha7 ( 192745 )

    The short time to market can also be attributed to three other factors, according to Cora: "We have the programming skills, we have a small company that is not bureaucratic, and we put aside the established OSes (operating systems) and started from scratch."

    After my own heart. Bureaucracies are not an "asset", and trying to salvage (reuse) existing stuff, that happens to be crap, is not "efficient".

    1Alpha7

  • Already here? (Score:2, Interesting)

    by PoiBoy ( 525770 )
    How would this be any different from simply looking at /var/log/messages and /var/log/secure every morning? Everyone should be doing that anyway.

    Of course, having a front-end to cut out all the useless messages is nice, but I would imagine most sysadmins have already written (or could write) a simple script in Perl custom tailored to their liking to do the same thing.

    • Re:Already here? (Score:4, Informative)

      by fanatic ( 86657 ) on Thursday November 08, 2001 @12:24PM (#2538140)
      This provides the ability to monitor individual system activities that your solution lacks. For example, you could monitor each time files were opened for reading or writing, etc. It appears that you can also specify which files using matches, including regular expressions. You can find out who ran what programs with what parameters (all the system commands like rm are programs).

      There was a previous thing like tis at hert.org, but it doesn't seem to be kept up anymore.

      This may be the first real reason I've seen to upgrade my particular installation to 2.4 kernel.

      The provision of GUI tools is nice. But my experience with Solaris BSM was that it proiduced so much output that you ended up using text tools (grep, awk, sed, perl) and running little programs that many minutes or several hours to run to get the meaningful information from out of the chaff.

  • Been done (Score:2, Interesting)

    by dpaton.net ( 199423 )
    Isn't this just a glorified facelift for the various /var/log parts? Seriously. I less /var/log/secure every day or two for that exact reason. If you want it pretty pipe it to a perl script to HTMLify it and read it inside your favorite browser.

    -dave

    • Re:Been done (Score:5, Interesting)

      by Birdie-PL ( 255639 ) on Thursday November 08, 2001 @12:36PM (#2538205) Homepage
      No, it's not just a glorified facelift for the various /var/log parts.

      With SNARE you are able to monitor much, much more than what appears in /var/log. In example you can check who and when opened a particular file (like /etc/passwd) or run a particular process, and with what command-line options. Or which program bound to some port (great for detecting trojans 'calling home').

      I assume that you can also enhance it to monitor *all* system calls, if you are particulary interested or aware of some. Nothing comes to my mind right now, but for sure there some you wish to monitor, if not control.

  • Yes! (Score:2, Interesting)

    by FraggleMI ( 117868 )
    Great! I work on a mil project that deals with audit trails. Having a linux module to allow for auditing is exactly what we need and have been trying to get going. If it is anywere near as good as Solaris BSM auditing it will be a great thing, not just for yo, but for those that support Linux in a govt/military environment. This is a HUGE step forward since requirments require auditing records to be stored. Linux coming to an Afganistan site near you ;)
    • Yep, it is a necessity for gov/mil environs, which is why I posted the original request for information.

      And due to the work of the folks at Intersect Alliance (and others in the OSS community), I have overcome almost all resistance to using Linux in my agency (the NT admins mostly).

      So hopefully I'll be able to load up Mandrake on my work system soon..

  • I'm sorry, but having attempted to get ANY useful timely information out of the crap that is Event Viewer, I will stick with /var/log/*.

    Event Viewer is the most useless piece of junk in the Windows world. It's not set up to be truly queried, or use complex filtering, or tag important information based on what the admin wants to see.

    It can tell you who logged in to what machine and how many pages they printed to what printer. Yee Haw.

    Hopefully these people have more sense than to try to mindlessly copy the Windows paradigm. There is so much going on with system security that real time, query-enhanced auditing with a good set of heuristics combined with a pointy-haired gui, reporting tools, etc., could be very useful.

    How they figure logging is keeping Linux out of businesses is beyond me, since a program like Exchange will crash the server if you want to look at the logs.

  • we now have SNARE, what is next, SNEPILADY?

    Or how about SMEEE? Serving Microsoft's Embrace Extend Extinguish?

    ....or, SMITE, Server Migration Information Technology Epicenter? Call up the vendor of a product and say "I'd like you to SMITE me".

    And Captain Vulture said to his troops "Carrion".

    GISboy

  • Knee Jerk Reaction (Score:4, Interesting)

    by weave ( 48069 ) on Thursday November 08, 2001 @12:59PM (#2538285) Journal
    Event logging on NT/2000 sucks.

    • No central log host capability
    • Tools to search it are crap
    • Have to use a GUI interface to read it or dump it to a text file

    OK, yes, there are third-party tools you can purchase extra to provide better functionality or you have to write some vbscript on your own to get the info. My point is, crap like this should be part of the OS. I'd rather have useful tools than a flock()ing media player, web browser, and instant messenger as part of the OS. :(

    But to get back to the topic, yeah, having better auditing tools under Linux is needed. Just don't look up to Windows as the way to implement them! :)

  • I didn't find any info on this on Intersect, but what happens if someone roots the machine and unloads the module? No more logging then. And an excellent opportunity to erase all the existing logs.

    I assume that the logs are kept somewhere safe (another host maybe, or just printed as some prefer), so it is not a *huge* issue, but still ability to turn off the logging (and leave some trojans / backdoors without further traces) is somewhat scary.

    Yes, I know that after being rooted you shall reinstall.

  • I think it's fantastic that Linux is getting better and better features, options, software, and support for security-critical large environments. However, isn't it a bit premature to say, the instant that ONE application comes out that provides auditing, to say, "Ok, cool! Linux is now on par with all those other OSes that have had stuff like this developed for them for years...let's all adopt Linux now!" I wouldn't bet that there will be major changes just yet...security people who are on the cutting edge are not usually first adopters unless necessary, and it's not necessary to choose first-generation auditing in Linux over more proven equivalents for Solaris, for example. It's good to see Linux getting there, though :)

  • This does seem like a complete package, but I was wondering why a kernel module was needed as opposed to using the process accounting facilities already in the kernel. It is already possible to turn on logging for all processes (man accton), has anyone ever written any sort of log scraper for the binary accounting file? I would think for detecting specific locally run commands it would be adequate.
  • ..a webserver that can handle more than 100 hits a day.

    Anyone got a mirror anywhere?
  • "migrate away from the costly commercial alternatives to Linux. "

    You guys still haven't got it, have you? The OS license cost is not an issue. What do you think a server os for a few thousand or so is for a enterprise setup when you spend $50000 on oracle and about as much on experts setting it up?

    I simple don't understand why there so much nagging about license costs when those are just not an issue.
    • Well hell, if you've got a great big business with tons of cash I guess a few thousand doesn't matter much. But to all the small and medium sized businesses out there a few thousand is a bit more than a drop in the ol' bucket, eh?

      Max

  • This is nothing new, and NOT "first ever" (Score:2, Informative)

    by Anonymous Coward
    If you look at the proceedings of the 1999 O'Reilly Open Source Convention, somebody presented a paper on a loadable kernel module for Linux (called "Laudit"), that enabled auditing/event monitoring in the kernel. This one is essentially the same idea (except Laudit had a command line/ /proc API).

    Regards

  • Rude and offtopic... (Score:3, Funny)

    by swordgeek ( 112599 ) on Thursday November 08, 2001 @11:36PM (#2541656) Journal
    ...but I find that whenever I go to type BSM (into a search engine, whatever), my fingers want to type BDSM.
  • Hi all, the LinuxBSM project was started as an initiative of the University of California at Davis to build an auditor that meets the government's C2 compliance standards. I was the original author of the project and have received help from several people in the open source community, including Jeremy Banford (my roommate) who did nearly a complete rewrite of a good percentage of the code. Unfortunately, the project has fallen by the wayside as I have now graduated and work fulltime (and doing a little bit of work on OpenOffice - shameless plug) However, every two years or so the topic pops up on /. again.

    So I was wondering if there are a couple of people out there that might be interested in helping with the project. If so I'd certain begin developing again.

    drop me an email : )
    holmlundNO@SPAMinnercite.com
  • Check out this product [hp.com] from hp.

    Amongst its other features, it also provides an auditing subsystem, so you can audit pretty anything going on in the system. You can then use a filter to produce either plain text or xml reports.

    It has lots of other nifty features too - compartments, with kernel-level access control that goes beyond chmod.It makes it easy to run Internet services in a chrooted environment, with tightly controlled access limiting damage if one app were to be compromised.

    (Yes I do work for HP, but not for the ISSL division. The thoughts above are my own, not HP'S)

    - Lindsay

Slashdot Top Deals

E = MC ** 2 +- 3db

Close