Slashdot Mirror


Auditing for Linux?

steelwraith asks: "I'm a contractor working for a DoD agency, and there has been an on-going firefight over whether to allow Linux to be used within the agency, with a possibility of this spilling over into DoD as a whole. Does anyone know of a project to create or port auditing into any of the Linux distributions? This is a major hurdle to the widespread adoption of Linux in the government; while it has a toe hold in places already, I fear it could be cut off before it has a chance to show its worth."

"A quick search of several sites (I'm under the gun, so I don't have a lot of time to do research) shows that there are no add-ons to Linux to allow C2 level auditing (a la BSM in Solaris). This is one of the primary arguments left for the side that wants to deep-six Linux in the agency (on top of the requirement for a vendor integrity statement of some kind)."

7 of 118 comments

  1. Re:Not in the "know" by Anonymous Coward · · Score: 4
    You can find the full specs for C2, B1, and other security levels (the "orange book") online at http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html.

    For other interesting books in the rainbow series, see http://www.radium.ncsc.mil/tpep/library/rainbow/.

  2. Mandatory == User has no choice by DragonHawk · · Score: 4

    I'm not so sure you understand just what Mandatory Access Controls really are.

    Unix traditionally has Discretionary Access Controls. I, as jruser, can grant or deny permission to other users to view my files as I see fit. If I want to "chmod o+rwx ~/.rhosts", I can do that.

    Under Mandatory Access Control, however, if I don't have permission to give away a file, I can't do it, even if I want to. In other words, I may not have the right to do a "chmod o+rwx".

    AFAIK, none of the features you describe enforce MAC. True, if the user doesn't have access to the network, they won't get out, but once they are granted the network connection, you have no say in what they use it for.

    There is quite a bit of stuff regarding "security labels" in B1. Any storage object in the system (disk file, block of memory, etc.) gets assigned a label which describes its sensitivity and category in the organizational hierarchy. Mapping that into traditional Unix security mechanisms would be messy at best.

    Possibly more importantly, once you start getting into the B levels, you find as much emphasis being placed on assurance as features. In other words, it isn't enough to say that Linux provides such-and-such, you actually have to officially prove that it does, document that proof, and find someone to sign off on it.

    The Orange Book and Unix don't exactly line up one-to-one. :-)

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
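
The distinction DragonHawk draws, that a file owner can widen DAC permissions with chmod but cannot waive a mandatory label check, is easy to see in a small model. The following is an added example, not code from the original thread or from any real labelled Unix: it assumes a constructed set of sensitivity levels and categories, models a B1-style label as (level, category set), and combines a simplified permission-bit check with a label-dominance check in the Bell-LaPadula style (no read up, no write down). The group permission triple is omitted to keep it short.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Sensitivity levels, ordered from least to most sensitive (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A B1-style security label: a sensitivity level plus a set of categories."""
    level: str
    categories: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as sensitive as `other` and covers all its categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Mandatory check, which no user can waive.
    read:  the subject's clearance must dominate the object's label (no read up).
    write: the object's label must dominate the subject's clearance (no write down)."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")


def dac_allows(user: str, owner: str, mode_bits: int, mode: str) -> bool:
    """Discretionary check from traditional Unix permission bits.
    The owner triple is used for the owner, the 'other' triple for everyone else
    (the group triple is left out to keep the example short)."""
    bit = 4 if mode == "read" else 2
    shift = 6 if user == owner else 0
    return bool((mode_bits >> shift) & bit)


def access_allowed(user, user_label, owner, mode_bits, file_label, mode) -> bool:
    """A labelled system grants access only if BOTH the DAC and the MAC check pass."""
    return dac_allows(user, owner, mode_bits, mode) and mac_allows(user_label, file_label, mode)


def demo():
    """jruser owns a SECRET file and runs 'chmod o+rwx' on it (0o600 -> 0o607).
    Returns (guest read before chmod, DAC-only verdict after, combined verdict after)."""
    secret = Label("SECRET", frozenset({"CRYPTO"}))
    guest = Label("UNCLASSIFIED", frozenset())
    before = access_allowed("guest", guest, "jruser", 0o600, secret, "read")
    dac_after = dac_allows("guest", "jruser", 0o607, "read")
    after = access_allowed("guest", guest, "jruser", 0o607, secret, "read")
    return before, dac_after, after


if __name__ == "__main__":
    print(demo())  # (False, True, False): chmod widened DAC, but MAC still denies
```

The chmod in `demo` flips the DAC verdict from deny to allow, yet the combined verdict stays at deny because the UNCLASSIFIED clearance never dominates the SECRET label; that is the "user has no choice" property. The write case is the mirror image: a low subject may write to a high object, but a high subject may not write down.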
  3. Re:Auditing? by thelars · · Score: 4

    There have been a few questions posted so far, and not a whole lot of answers, so here's my humble attempt.

    (1) What is auditing?

    "Auditing", in this context, is the process of keeping detailed records of system activity. This can be as simple as recording when people log in and log out, or as involved as keeping a record of every single command line run by every user.

    (2) What is C2 level auditing?

    The DoD defines a number of classifications that have to do with the security of a computer system. Each level has specific requirements that must be met (and, in fact, even if a system meets those requirements it still needs to be officially certified).

    The C2 security level is (he said unauthoritatively) the minimum classification defined by the DoD (followed by B1, B2, B3, and A1). This defines a number of specific events (and information for each event) that must be audited.

    You can find a list of auditing requirements for all the above security levels by reading
    A Guide to Understanding Audit in Trusted Systems, published by the National Computer Security Center.

    --
    Lars Kellogg-Stedman <lars@larsshack.org>
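
To make thelars's description of auditing concrete, here is an added example (not from the thread, and not the format of any real audit subsystem such as BSM). It assumes a constructed record layout carrying the fields an audit trail is expected to hold, time, user, event type, success or failure, and the object involved, and runs a few of the questions an auditor actually asks over a small constructed log: who failed at what, who successfully touched a sensitive file, and which account shows a burst of failed logins.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class AuditRecord:
    when: datetime
    user: str
    event: str           # e.g. login, logout, exec, open
    success: bool
    obj: Optional[str]   # object involved (file, device, program), if any


def parse_record(line: str) -> AuditRecord:
    """Parse one line of the constructed pipe-separated format used here:
    ISO-8601 time|user|event|ok or fail|object or '-'."""
    ts, user, event, outcome, obj = line.strip().split("|", 4)
    return AuditRecord(datetime.fromisoformat(ts), user, event, outcome == "ok",
                       None if obj == "-" else obj)


# Constructed sample trail for this example.
SAMPLE_LOG = """\
2000-03-06T08:00:01|alice|login|ok|-
2000-03-06T08:00:30|alice|exec|ok|/usr/bin/vi
2000-03-06T08:00:31|alice|open|fail|/etc/shadow
2000-03-06T08:01:00|alice|logout|ok|-
2000-03-06T08:02:00|bob|login|fail|-
2000-03-06T08:02:05|bob|login|fail|-
2000-03-06T08:02:09|bob|login|fail|-
2000-03-06T08:03:00|root|login|ok|-
2000-03-06T08:03:10|root|open|ok|/etc/shadow
2000-03-06T08:03:20|root|exec|ok|/usr/sbin/useradd
"""


def load(text: str) -> List[AuditRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def failures_by_user(records: List[AuditRecord], event: Optional[str] = None) -> Dict[str, int]:
    """Count failed events per user, optionally restricted to one event type."""
    counts = Counter(r.user for r in records
                     if not r.success and (event is None or r.event == event))
    return dict(counts)


def who_touched(records: List[AuditRecord], obj: str) -> List[str]:
    """Users with a successful event on the named object, in order of first access."""
    seen: List[str] = []
    for r in records:
        if r.obj == obj and r.success and r.user not in seen:
            seen.append(r.user)
    return seen


def repeated_login_failures(records: List[AuditRecord], threshold: int = 3,
                            window_seconds: int = 60) -> List[str]:
    """Users with at least `threshold` failed logins inside any `window_seconds` span."""
    by_user: Dict[str, List[datetime]] = {}
    for r in records:
        if r.event == "login" and not r.success:
            by_user.setdefault(r.user, []).append(r.when)
    flagged = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    print(failures_by_user(recs))                 # {'alice': 1, 'bob': 3}
    print(who_touched(recs, "/etc/shadow"))       # ['root']
    print(repeated_login_failures(recs))          # ['bob']
```

The point of the success/failure field is visible in `who_touched`: alice's denied open of /etc/shadow is recorded but does not count as access, while root's successful open does. Without that field an auditor could not tell an attempt from an access.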
  4. A couple of useful files: by Col. Panic · · Score: 4
    Tripwire: [Description] Tripwire is a system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including those that were added or deleted. With Tripwire, system administrators can conclude with a high degree of certainty that a given set of files remain free of unauthorized modifications if Tripwire reports no changes.

    lsof: [Description] Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system.

    and

    CASL [Description] Custom Auditing Scripting Language (CASL) implements a packet shell environment for the Custom Auditing Scripting Language that is the basis for the Cybercop(tm) line of products by Network Associates. The CASL environment provides an extremely high performance environment for sending and receiving any normal and/or morbid packet stream to firewalls, networking stacks and network intrusion detection systems as well as being sufficiently rich of a language to write honeypots, virtual firewalls, surfer hotel, phantom networks and jails.
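
Tripwire's method, as described above, is a baseline database of file properties compared against a fresh scan. The following is an added example of that technique written for this page; it is not Tripwire's code and uses a constructed directory tree rather than a real system. It records a SHA-256 digest, size, mode and mtime for every regular file under a root, stores the baseline as JSON, and on rescan reports files added, removed, or changed together with which recorded attribute differs.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

ATTRS = ("sha256", "size", "mode", "mtime")


def file_record(path: Path) -> dict:
    """Properties recorded for one regular file."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": st.st_mode, "mtime": int(st.st_mtime)}


def snapshot(root: Path) -> Dict[str, dict]:
    """Walk `root` and record every regular file, keyed by its path relative to root."""
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            db[p.relative_to(root).as_posix()] = file_record(p)
    return db


def save_baseline(db: Dict[str, dict], dest: Path) -> None:
    # In practice the baseline lives on read-only or offline media; here it is a plain JSON file.
    dest.write_text(json.dumps(db, indent=1, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, dict]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, dict], current: Dict[str, dict]
            ) -> Tuple[List[str], List[str], Dict[str, List[str]]]:
    """Return (added paths, removed paths, {changed path: attributes that differ})."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = [a for a in ATTRS if baseline[path].get(a) != current[path].get(a)]
        if diffs:
            changed[path] = diffs
    return added, removed, changed


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, rescan and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")
        db_file = root / "baseline.json"
        save_baseline(snapshot(root), db_file)
        baseline = load_baseline(db_file)
        baseline.pop("baseline.json", None)  # the database itself is not part of the audited set

        # Tampering, all of which a subsequent scan should flag:
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced ls")   # binary replaced
        os.chmod(root / "bin" / "ls", 0o4755)                         # setuid bit added
        with (root / "etc" / "passwd").open("a") as f:                # account appended
            f.write("extra:x:0:0::/:/bin/sh\n")
        (root / "etc" / "motd").unlink()                              # file removed
        (root / "bin" / "newtool").write_bytes(b"\x7fELF newtool")   # file added

        current = snapshot(root)
        current.pop("baseline.json", None)
        return compare(baseline, current)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)      # ['bin/newtool']
    print("removed:", removed)  # ['etc/motd']
    print("changed:", changed)  # bin/ls and etc/passwd, with the differing attributes
```

Recording the digest rather than only size and mtime is what lets the checker catch a same-size replacement with a restored timestamp; recording the mode is what catches a setuid bit that appears on an otherwise untouched binary. As the comment says, the guarantee is only as good as the baseline, so it has to be taken on a known-good system and kept where an intruder cannot rewrite it.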

  5. Ultra Secure OS by bob|hm · · Score: 4

    Your answer is OpenBSD. I'm not sure of the certification level, but here's a quote from a recent interview with OpenBSD's project head, Theo de Raadt:

    "OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS."

    The full article is here.

    --Bob

  6. SGI is working on this by fialar · · Score: 5

    I attended a Linux University workshop from SGI last Friday and at the Linux Security breakout session, the gentleman from SGI who does a lot of work with the NSA and the government said that SGI is working on making Linux C2 and B1 compliant. These should be finalized sometime next year. Auditing is one of the components that still needs to be worked on just to make Linux at least C2 compliant.

    For the B1 compliancy, there have to be further security checks (like mandatory security access on the FS).

    A lot of this good stuff will be coming from IRIX, which has been pretty secure in and of itself.
    We should be seeing a lot of security added to Linux this year.

    Fialar

  7. Security Auditing for Linux by Crispin Cowan · · Score: 5
    There are two projects you may be interested in. The first is the Linux BSM project at U.C. Davis (home of an excellent security research lab by the way). The project's goal is to provide TCSEC-compliant auditing for Linux. They appear to have made reasonable progress. The last update to the web page was Feb. 15.

    The second project you may want to consider is that SGI is building an "orange book" Linux, with a goal of C2 by October, and B1 by next spring.

    Note that this question was posted to Slashdot last year so you probably want to go check out the responses there.

    Finally, while I'm here, I'll plug my own security-hardened Linux distro: Immunix. Immunix is not TCSEC compliant or anything like that. Rather, it is designed to be extremely difficult to break into, while preserving a high degree of Linux compatibility. Currently, it is just Red Hat hardened with StackGuard, but we will be releasing additional security technologies shortly.

    Crispin
    -------
    CTO, WireX Communications, Inc.
    Immunix: Free hardened Linux