Auditing for Linux?
steelwraith asks: "I'm a contractor working for a DoD agency, and there has been an ongoing firefight over whether to allow Linux to be used within the agency, with a possibility of this spilling over into DoD as a whole. Does anyone know of a project to create or port auditing into any of the Linux distributions? This is a major hurdle to the widespread adoption of Linux in the government; while it has a toehold in places already, I fear it could be cut off before it has a chance to show its worth."
"A quick search of several sites (I'm under the gun, so I don't have a lot of time to do research) shows that there are no add-ons to Linux to allow C2 level auditing (a la BSM in Solaris). This is one of the primary arguments left for the side that wants to deep-six Linux in the agency (on top of the requirement for a vendor integrity statement of some kind)."
RSBAC at www.rsbac.de
ob1 at oss.sgi.com/projects/ob1
The RSBAC works but is hard to configure. The ob1 has good docs but does not even run.
I have worked on the Alpha and PPC ports.
Shaun Savage
Frankly, with the existing level of control you have in Linux, you should be able to easily walk away with a B1 for a careful installation.
I don't know what the requirements are for a B1, but I'll guess that the four components I've listed form a part of it.
I really can't see the military, for all its paranoia, needing more extensive security than that. However, if it does, there's always Tripwire and assorted Intruder Detector packages. Not to mention firewalls, honey pots, buffer overflow detectors (or preventers), security auditing packages for ensuring that trivial holes are closed off, etc. Even the quota system offers some security capability.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Check here and scroll down or search for "auditd".
**>>BELCH
hi,
Looks like I may be one of the first to offer a useful post.
SGI is working on getting C2 grade Linux out there. They hope to have it working sometime this year. B2 will follow 18 months or so from that. Orange Linux is the project's name.
The NSA and Secure Computing are working on a C2 grade Linux as well, with source of the stuff to be made publicly available due to GPL licensing.
some links:
http://biz.yahoo.com/prnews/000113/ca_secure__1
http://slashdot.org/articles/00/01/13/1029206.s
http://lwn.net/1999/1118/a/sgilinuxuniv.html
/me
jose nazario jose@biocserver.cwru.edu
Whoops, that URL was goofy. Try this one instead. Sorry.
--
Lars Kellogg-Stedman <lars@larsshack.org>
IANAL and am only familiar with this law within the context of the VRML test suite, the license of which I will now quote:
This software was developed at the National Institute of Standards and Technology by employees of the Federal Government in the course of their official duties. Pursuant to title 17 Section 105 of the United States Code this software is not subject to copyright protection and is in the public domain. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. We would appreciate acknowledgement if the software is used.
Any bugfixes, additions, modifications, kernel patches, etc. produced by the DoD are probably under this also. OTOH, they can justify classifying just about anything as SECRET. Because of their ability to classify, DoD is a poor test case for Linux in government.
I think that the GPL is incompatible with section 105 for a number of reasons. Of course if they just add things to the stock kernel and redistribute the mods separately, there is no problem.
The real problem comes from government employees doing maintenance work on Linux.
Then what you have is the software business paying taxes so that the government can write free software and put them out of business.
They should look at BSD. It is very close to public domain. If anybody tries to touch this section of the Federal law to make an exception for Linux, I will be marching down to see my congressman so quickly to let him know that it is wrong, Wrong, WRONG!!!
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Yep, it's being replaced by the Common Criteria, a joint product of Europe, Canada and the US. It's just recently been standardized as an ISO standard. These sites should be public:
Common Criteria Project at NIST
Trusted Product Evaluation Program
Elegance is for tailors. -A. Einstein
For other interesting books in the rainbow series, see http://www.radium.ncsc.mil/tpep/library/rainbow/.
I'm not so sure you understand just what Mandatory Access Controls really are.
:-)
Unix traditionally has Discretionary Access Controls. I, as jruser, can grant or deny permission to other users to view my files as I see fit. If I want to "chmod o+rwx ~/.rhosts", I can do that.
Under Mandatory Access Control, however, if I don't have permission to give away a file, I can't do it, even if I want to. In other words, I may not have the right to do a "chmod o+rwx".
AFAIK, none of the features you describe enforce MAC. True, if the user doesn't have access to the network, they won't get out, but once they are granted the network connection, you have no say in what they use it for.
There is quite a bit of stuff regarding "security labels" in B1. Any storage object in the system (disk file, block of memory, etc.) gets assigned a label which describes its sensitivity and category in the organizational hierarchy. Mapping that into traditional Unix security mechanisms would be messy at best.
Possibly more importantly, once you start getting into the B levels, you find as much emphasis being placed on assurance as features. In other words, it isn't enough to say that Linux provides such-and-such, you actually have to officially prove that it does, document that proof, and find someone to sign off on it.
The Orange Book and Unix don't exactly line up one-to-one.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
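The DAC-versus-MAC distinction drawn above, as an added worked example that is not part of the thread: a toy model in which every access must pass both the discretionary check (mode bits the owner controls) and a mandatory Bell-LaPadula label check (which the owner does not control), so the owner's "chmod o+rwx" changes the mode bits but still does not give the file away. The level names, the "CRYPTO" category, and the user names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: a B1-style system where a reference monitor checks
# BOTH the DAC mode bits AND the mandatory sensitivity labels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # compartments such as {"CRYPTO"}

    def dominates(self, other: "Label") -> bool:
        # Higher-or-equal level AND a superset of the other's categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class File:
    owner: str
    mode: str     # simplified "rw-r--": first triple owner, second everyone else
    label: Label  # assigned by the system, not by the owner


@dataclass(frozen=True)
class Subject:
    user: str
    label: Label  # clearance the subject is currently running at


def dac_allows(subj: Subject, f: File, op: str) -> bool:
    """Discretionary check: op is 'r' or 'w' against the relevant mode triple."""
    bits = f.mode[:3] if subj.user == f.owner else f.mode[3:]
    return op in bits


def mac_allows(subj: Subject, f: File, op: str) -> bool:
    """Mandatory check (Bell-LaPadula): no read up, no write down."""
    if op == "r":
        return subj.label.dominates(f.label)
    return f.label.dominates(subj.label)


def access(subj: Subject, f: File, op: str) -> bool:
    # The reference monitor requires both policies to agree.
    return dac_allows(subj, f, op) and mac_allows(subj, f, op)


def chmod(subj: Subject, f: File, new_mode: str) -> bool:
    """The owner may change mode bits at will; that is all DAC buys them."""
    if subj.user != f.owner:
        return False
    f.mode = new_mode
    return True
```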
There have been a few questions posted so far, and not a whole lot of answers, so here's my humble attempt.
(1) What is auditing?
"Auditing", in this context, is the process of keeping detailed records of system activity. This can be as simple as recording when people log in and logout, or as involved as keeping a record of every single command line run by every user.
(2) What is C2 level auditing?
The DoD defines a number of classifications that have to do with the security of a computer system. Each level has specific requirements that must be met (and, in fact, even if a system meets those requirements it still needs to be officially certified).
The C2 security level is (he said unauthoritatively) the minimum classification defined by the DoD (followed by B1, B2, B3, and A1). This defines a number of specific events (and information for each event) that must be audited.
You can find a list of auditing requirements for all the above security levels by reading A Guide to Understanding Audit in Trusted Systems, published by the National Computer Security Center.
--
Lars Kellogg-Stedman <lars@larsshack.org>
lsof: [Description] Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system.
and
CASL [Description] Custom Auditing Scripting Language (CASL) implements a packet shell environment for the Custom Auditing Scripting Language that is the basis for the Cybercop(tm) line of products by Network Associates. The CASL environment provides an extremely high performance environment for sending and receiving any normal and/or morbid packet stream to firewalls, networking stacks and network intrusion detection systems as well as being sufficiently rich of a language to write honeypots, virtual firewalls, surfer hotel, phantom networks and jails.
Your answer is OpenBSD. I'm not sure of the certification level, but here's a quote from a recent interview with OpenBSD's project head, Theo de Raadt:
"OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS."
The full article is here.
--Bob
I attended a Linux University workshop from SGI last Friday and at the Linux Security breakout session, the gentleman from SGI who does a lot of work with the NSA and the government said that SGI is working on making Linux C2 and B1 compliant. These should be finalized sometime next year. Auditing is one of the components that still needs to be worked on just to make Linux at least C2 compliant.
For B1 compliance, there have to be further security checks (like mandatory access control on the FS).
A lot of this good stuff will be coming from IRIX, which has been pretty secure in and of itself.
We should be seeing a lot of security added to Linux this year.
Fialar
The second project you may want to consider is that SGI is building an "orange book" Linux, with a goal of C2 by October, and B1 by next spring.
Note that this question was posted to Slashdot last year so you probably want to go check out the responses there.
Finally, while I'm here, I'll plug my own security-hardened Linux distro: Immunix. Immunix is not TCSEC compliant or anything like that. Rather, it is designed to be extremely difficult to break into, while preserving a high degree of Linux compatibility. Currently, it is just Red Hat hardened with StackGuard, but we will be releasing additional security technologies shortly.
Crispin
-------
CTO, WireX Communications, Inc.
Immunix: Free hardened Linux