Slashdot Mirror


Security Auditing for Linux

malibu_mex writes: "LinuxToday, ZDNet Australia, and NewsForge are all reporting on a loadable kernel module + GUI combination that implements an auditing subsystem on Linux (like the NT event logger, or Solaris BSM). This could be yet another reason for big business and government to migrate away from the costly commercial alternatives to Linux. First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names? This topic has been discussed on Slashdot previously here."

112 comments

  1. Quick security audit for Linux by BrianW · · Score: 0, Insightful

    Q. Is it RedHat?

    A. Yes.

    Conclusion: It's insecure.

    1. Re:Quick security audit for Linux by Anonymous Coward · · Score: 0

      Here, fishy fishy!

      women (can you say dating...it's expensive if you didn't know!)

      No, but I can say "hired escorts". By the way, using "!=" instead of the words "does not equal" doesn't make you look intelligent. It makes you look like a l337 h4x0r, and we all know how achingly knowledgeable they are.

    2. Re:Quick security audit for Linux by SquierStrat · · Score: 1

      It's called short-hand actually...of course i'm not intelligent so I don't know that! :-)

      Hired escorts...try 18 year old girls...period expensive little things...take me here...take me there. Geez they'll empty your wallet faster than an athlon xp or 2...

      --
      Derek Greene
    3. Re:Quick security audit for Linux by SquierStrat · · Score: 1

      Hey dip shit, MS doesn't write drivers, hardware manufacturers do. I said my DXR 3 keeps crashing my box..but you're too fucking stupid to actually read that apparently.

      --
      Derek Greene
    4. Re:Quick security audit for Linux by SquierStrat · · Score: 1

      win 95 = no problem except for with most of my games, which is the sole reason I run any version of windows.

      I have good, well known hardware. Simple issue is crappy driver support, and poor exception handling. The dxr3 driver crashes when I try to use it, takes the whole machine with it in a big BSOD. I'm fully aware of how to keep a system stable. I'm not a moron like our little friend who thinks that linux users are all freeloaders.

      --
      Derek Greene
  2. Maybe it's just me by Saib0t · · Score: 2, Funny

    but I wouldn't trust a snare... we keep reproaching MS to entangle us. I don't want this to happen to linux. no snare for me :-)

    --

    One shall speak only if what one has to say is more beautiful than silence
  3. Another Link by _DMan_ · · Score: 3, Insightful

    CNET

    Although this story claims "is the first intrusion detection system to reside on individual computers rather than a network", which is clearly wrong.

  4. 5 letter aussies by FrankBough · · Score: 5, Funny

    First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names?

    Apparently the first idea for a name was System Tracking, User Protection and Intrusion Detection but they thought that would be stupid.

    1. Re:5 letter aussies by bowb · · Score: 1
      Don't forget that other famous Aussie software: Slash.

      slash

      1. v.i., (Aust slang), To urinate. "I hafta take a slash. Gis another beer will ya, Kev."
      2. n, adj, A type of homosexual StarTrek fan fiction.
    2. Re:5 letter aussies by Anonymous Coward · · Score: 0
      Don't forget that other famous Aussie software: Slash.

      slash

      1. v.i., (Aust slang), To urinate. "I hafta take a slash. Gis another beer will ya, Kev."
      2. n, adj, A type of homosexual StarTrek fan fiction.

      Man, that sure lends a new meaning to "Slashdot," doesn't it?

    3. Re:5 letter aussies by bowb · · Score: 1
      Man, that sure lends a new meaning to "Slashdot," doesn't it?

      Yes, yes it does. That was the joke. I should have posted a link to the Slash code:

      The source code for the site is called "Slash". The Slashdot Like Automated Story-telling Homepage. We've set up a site, using Slash, devoted to the development and use of Slash.

      It was a troll you see. Moderators, do your duty! It has been at Score:1 for two hours already. It's a pretty sad state of affairs when I have to tell the moderators to mod down my own troll. Stupid, retarded, $3 crack smoking moderators.

    4. Re:5 letter aussies by whovian · · Score: 1

      Well, it can't be such a bad thing really, e.g. Kevin Smith as Ares has fairly decent acting.

      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
    5. Re:5 letter aussies by FrankBough · · Score: 1

      No, I'm the other one.

    6. Re:5 letter aussies by Anonymous Coward · · Score: 0
      What have these Aussies got with 5 letter 'S' names?

      The Americans have taken all the 4-letter 'S' words.

  5. For those who dont know by nervlord1 · · Score: 3, Redundant

    Loadable Kernel Module means you dont have to recompile your kernel, i know for some people (me!!) not having to recompile your kernel is a big importance (i might be wrong on this, but thats what i remember, ill try and install it myself just to verify)

    --
    Microsoft IIS is to webserving as KFC is to healthy eating
    1. Re:For those who dont know by Anders · · Score: 3, Informative

      Loadable Kernel Module means you dont have to recompile your kernel, i know for some people (me!!) not having to recompile your kernel is a big importance

      Indeed, modules are very nice compared to a kernel patch. You do not have to recompile and reboot your kernel and you do not have to keep applying the same patch when you do install a new kernel.

      That being said, you probably still have to compile the module itself and therefore still need the kernel source installed (unless someone provides a binary module for your particular kernel revision). And there are limits to what you can do in a module, which is of course the reason that most kernel additions out there are in the form of patch files.

      Basically, an addition might go into a module, but modifications to existing behaviour often need to touch the kernel itself.

  6. tail -f /var/log/messages by Nijika · · Score: 3, Insightful
    Ok folks, here's the deal; It's not the fancy little GUI widgets that sell Windows solutions, it's the full color two page ads in "CXO Magazine", or some other publication. It's the paid fud, it's the sales calls, it's the brand name the CxO sees when they head out to Wal-Mart. It's the last 20 years of business computing history, NOT THE GADGETS.

    The people that make the decisions to go Microsoft will almost never touch the systems they implement.

    Tough cookies, but that's the real deal. Don't believe me? Go to a magazine store and pick up some financial glossies...

    --
    Luck favors the prepared, darling.
    1. Re: tail -f /var/log/messages by DAldredge · · Score: 1

      I really don't know very many CEO's that shop at Wal-Mart ;->

    2. Re: tail -f /var/log/messages by Anonymous Coward · · Score: 0

      I disagree. Some good sys admins and a knowledgeable director of IT would know the difference. And they are the ones who make the decisions on that. When the thousands of small companies finally get audited and get caught not having their 30 Win2k licenses, a switch may be in order instead of purchasing those licenses.

    3. Re: tail -f /var/log/messages by foo+fighter · · Score: 3, Insightful

      I would like to kindly disagree.

      While they weren't huge cases (handful of servers, 250-500 machines/users) my organization has chosen Windows NT for our Network Operating System solution and desktop OS in the past precisely because of the 'widgets' which made security administration much easier than on linux.

      The Event Log utility makes tracking system, application, and security events a breeze. Having the ACL controls integrated into the system and file manager makes controlling access much more flexible (IMHO, not trying to start a flame) than linux's traditional methods.

      Finally, in the organizations I've worked in the Executives relied heavily on input from the engineers who would be running the systems. They realized that the sysadmins had a better idea of what was needed than they did, and acted on that information accordingly.

      --
      obviously no deficiencies vs. no obvious deficiencies
    4. Re: tail -f /var/log/messages by Zocalo · · Score: 2, Informative
      And for those that want a GUI, check out Xlogmaster. It comes in a variety of themes (OK, colours) and can pretty much capture everything you can cat, grep and cut out of your standard *NIX commands and logfiles. And a good deal more besides.

      Still, choice is good.

      --
      UNIX? They're not even circumcised! Savages!
    5. Re: tail -f /var/log/messages by Anonymous Coward · · Score: 0

      You know, you're right.

      The thousands of GUI log manipulation tools on Freshmeat (one of the only two main categories, the other is graphical front ends for MP3 players) prove how important log manipulation is to the Free Software community.

  7. Quote from Leigh in response..... by Vermifax · · Score: 5, Informative
    ...to being questioned about being first posted to ZDnet talkback
    Anon is right in saying that there have been other logging tools for Linux, linuxbsm in particular has come a long way. Unfortunately though, some of these tools are either focussed on different logging capabilities (eg: swatch is a log file watcher, it alerts users when a particular line occurs in arbitrary log files, and can actually be used in conjunction with SNARE), or seem to be stalled in development.

    SNARE is more like the Windows NT event logger, or the Solaris BSM subsystem - but we hope that the experience we've had with these systems (and others: AIX, netware, Unicos, ACF2/RACF, etc.) will lead to an even better implementation for Linux.

    The team at InterSect made sure that we held off releasing SNARE until we were confident that it could stand on its own feet against the auditing subsystems from other operating systems.

    The positive feedback that we're getting (thanks Sinner!) is certainly proving that people are interested, and we made the right decision.
    --
    Vermifax
    1. Re:Quote from Leigh in response..... by Anonymous Coward · · Score: 0

      That does not change the fact that snare isn't the first host-based IDS for Linux - such extravagant claims always make me suspicious. I remember a tripwire clone also getting too much airtime on slashdot.

      Back to the issues: linuxbsm.sourceforge.net had a working audit subsystem for the kernel for over a year, and so have a number of others: eyes on exec, LIDS, MedusaDS9, etc. And most of the projects are still going strong: The last announcement of swatch was on november 7th, IDSA on 29th of August.

      The point is SNARE may be nice and useful. Good. Announce it on freshmeat.net like everybody else. Going to ZDNET and claiming that it is the first HIDS is a gross misrepresentation.

  8. Acronyms by Diabolical · · Score: 0, Redundant

    First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names?

    Maybe the same deviation as the Americans with their 3 letter acronyms...

    1. Re:Acronyms by micromoog · · Score: 2
      Maybe the same deviation as the Americans with their 3 letter acronyms...

      FU,B.

    2. Re:Acronyms by Anonymous Coward · · Score: 0

      HEY! It's true :) Whats with the defensive moderators recently?

  9. Re:Offtopic by Anonymous Coward · · Score: 0

    But, wait, I thought that MySQL was the best database in existence.....?

    Maybe VA should look at investing a bit of money in a copy of Oracle. It wouldn't stop responding every two hours like MySQL does.

  10. Re:I don't know, mate by aulendil · · Score: 0, Offtopic

    Sheep?

  11. Australia nothing by wilton · · Score: 1, Offtopic

    From Jeremy Allison interview:
    Remember, for all you gits who for some reason think I'm an Australian (pah!) I'm a Brit - and my home town is Sheffield (in the Independent Socialist Republic of South Yorkshire). That's right - "THE FULL MONTY"! I've never even *been* to Australia, and have *never* eaten koala or emu

    --
    per mere, per terras
    1. Re:Australia nothing by Anonymous Coward · · Score: 0
      Socialist Republic of South Yorkshire

      It figures.

      No wonder that software from some socialist hellhole written by a piece of prime commie eurotrash is once again being used in an attempt to bring on the downfall of our already suffering IT corporations.

      As a socialist, have you ever thought about how many people will lose their jobs because of free software?! You linux people make me sick!

    2. Re:Australia nothing by Anonymous Coward · · Score: 0

      From the About Samba Page

      Samba is maintained by
      the Samba Team, who support the original author, Andrew Tridgell.

      Tridgell = Australian

    3. Re:Australia nothing by Scooter · · Score: 1

      LOL this guy has no idea how insulting he's just been to dyed in the wool yerkshermen - calling them reds. haw haw - it's them other lot on t'other side of tut'mountain - yerksher would be er white :)

      Get an atlas dude - Allison was 'avin you on man.

  12. Windows has had this since NT 3.5 by Anonymous Coward · · Score: 2, Redundant

    Why is it "cool" when Linux gets something that Windows has had, but when Windows gets something that Linux has had its, "Linux is so far ahead of Windows, blah, blah."

    1. Re:Windows has had this since NT 3.5 by rfz · · Score: 1

      It's not about catching up with Windows, it's just another tool. As a matter of fact, NT 3.5 needed this badly, because NT administrators-to-be would not be able to learn how to filter a plain text log file and look out for their systems on their own. SNARE, for some linux administrators, adds convenience, for others, it adds nothing. It is, nevertheless, a promising tool.
      Why are you complaining?

    2. Re:Windows has had this since NT 3.5 by autocracy · · Score: 2

      Because with Linux, it's usually free and done by the labor of people who figure stuff out on their own, whereas M$ has proprietary access and money to buy protocols. If Microsoft gets something years after Linux, it's rather pathetic because the ideas behind it are like RIGHT THERE IN CODE and they still haven't caught on. At the least they can let in some GPL code to enhance their own system, at the most get one programmer to read it, and the other to go just based on the general idea given to him so that the code is fresh.

      --
      SIG: HUP
    3. Re:Windows has had this since NT 3.5 by Anonymous Coward · · Score: 0

      didn't NT 3.5 have the same kind of logs that NT 4 does?

    4. Re:Windows has had this since NT 3.5 by Nailer · · Score: 2

      Because with Linux, it's usually free and done by the labor of people who figure stuff out on their own, whereas and M$ has proprietary access and money to buy protocls.

      That's increasingly becoming less the case, at least with larger Open Source projects, many of which are commercially motivated and backed.

      If Microsoft gets something years after Linux, it's rather pathetic because the ideas behind it are like RIGHT THERE IN CODE

      And using it would VIOLATE THE LICENSE of the code, which MS staff are forbidden by their employer to do.

      and they still haven't caught on.

    5. Re:Windows has had this since NT 3.5 by dakoda · · Score: 1

      And using it would be VIOLATE THE LICENSE of the code which MS staff are forbidden by their employer to do. when was something illegal/unethical a point in stopping M$ from doing anything? also, the possibility of legal reverse engineering exists, and M$ has more than enough employees to do it effectively. basic process is something like this (iirc): 1 employee looks at code, analyzes how it works, and writes the how it works part down. another employee who has never looked at the code looks at the how it works doc, and writes their own. amazing, i tell ya. M$ has prolly never even bothered to assign 2 people to one piece of code.

    6. Re:Windows has had this since NT 3.5 by Nailer · · Score: 2

      My basis for saying that looking at GPL source is forbidden within Microsoft is people who have worked for Microsoft and told me that `looking at GPL source is forbidden within Microsoft'.

      Why bother stealing GPL code when one can legally and ethically use BSD code instead? MS have done this for ages and it works well. I see no significant areas where GPLed software has a major advantage over existing proprietary or BSD licensed software.

    7. Re:Windows has had this since NT 3.5 by maxpublic · · Score: 1

      NT 3.5 was also incredibly easy to hack...not that I would know. Hey, is that someone knocking at my door?

      "What the hell? Who are you blokes? FBI? Terrorist? What terrorist? You mean *me*!? Really, honest, I'm not a terrorist! Hey, isn't there a statute of limitations on these things???"

      "Wait, no, leggo, I'm not a teeerrrrrorrrist -"

      NO CARRIER

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
    8. Re:Windows has had this since NT 3.5 by autocracy · · Score: 2

      BSD/GPL/anything where the code is available. Point is that the code is available to them, and to not make use of something (as opposed to not wanting to use it at one time and put it in at another) like this and instead spend $$$ on redeveloping something and releasing it 2 years later is dumb. That is why we whine @ M$ when they come out with something Linux has.

      --
      SIG: HUP
  13. Short Time to Market by 1alpha7 · · Score: 2, Insightful

    The short time to market can also be attributed to three other factors, according to Cora: "We have the programming skills, we have a small company that is not bureaucratic, and we put aside the established OSes (operating systems) and started from scratch."

    After my own heart. Bureaucracies are not an "asset", and trying to salvage (reuse) existing stuff, that happens to be crap, is not "efficient".

    1Alpha7

    --
    Live to be Moderated
  14. Re:Offtopic by Anonymous Coward · · Score: 0

    VA Software(Soon to be renamed VA Burger Chefs) couldn't afford a blank CD to make an illicit copy of Oracle, let alone buy a copy of it.

  15. Already here? by PoiBoy · · Score: 2, Interesting
    How would this be any different from simply looking at /var/log/messages and /var/log/secure every morning? Everyone should be doing that anyway.

    Of course, having a front-end to cut out all the useless messages is nice, but I would imagine most sysadmins have already written (or could write) a simple script in Perl custom tailored to their liking to do the same thing.

    --
    Sig (appended to the end of comments you post, 120 chars)
    1. Re:Already here? by fanatic · · Score: 4, Informative

      This provides the ability to monitor individual system activities that your solution lacks. For example, you could monitor each time files were opened for reading or writing, etc. It appears that you can also specify which files using matches, including regular expressions. You can find out who ran what programs with what parameters (all the system commands like rm are programs).

      There was a previous thing like this at hert.org, but it doesn't seem to be kept up anymore.

      This may be the first real reason I've seen to upgrade my particular installation to 2.4 kernel.

      The provision of GUI tools is nice. But my experience with Solaris BSM was that it produced so much output that you ended up using text tools (grep, awk, sed, perl) and running little programs that took many minutes or several hours to run to get the meaningful information out of the chaff.

      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
    2. Re:Already here? by Anonymous Coward · · Score: 0

      Hi guys, first up, sorry for the slow web site. We're getting a heck of a lot more volume than we ever expected, or our link is cut out for. I'm trying to transfer the code to sourceforge to free up a few bytes of bandwidth.

      A few quick responses to some pretty good questions:

      > How would this be different from simply looking at /var/log/messages and /var/log/secure....
      > (Why not use) the process accounting facilities already in the kernel?

      Birdie-PL has already clarified this a little, but here's some more details. SNARE intercepts linux system calls like execve() and unlink() - and also applies extended regular expression filtering based on the user, and a 'match' which is event dependent (ie: the filename for open(), the target user for setuid32()). This means that you can do things like:
      "Tell me whenever the user 'fred' accesses any file within /home/securestuff".
      We thought of using process accounting rather than wrapping execve(), but unfortunately process accounting only reports on process exit, not on process start, and some processes aren't designed to die off in a normal session (eg: httpd).

      > Story claims ... "the first".

      Yeah, unfortunately, a reporter just doesn't have time to write down every word you say in an interview.. what starts off as "The first audit subsystem for linux that implements some core required functionality with documentation (etc).." gets shortened a little. A lot of people have done some great work on other auditing projects for Linux. (Thanks Vermifax for posting that ZDNet thing).

      > .. it's the full color two page ads in "CXO Magazine", or some other publication.. [that sells windows].

      True - and although I hesitate to use the words apache and snare in the same response, it's not the glossy advertisements that have put apache running a majority of the web sites worldwide. Gradual quality increases over the years have led to a fantastic app, and one whose price/performance characteristics have made it very hard to ignore - even by very large organisations. We hope that SNARE might be another one of those tiny quality increases for Linux - at least in some people's minds.

      > Event Viewer is the most useless piece of junk in the Windows world.. ..Hopefully these people have more sense than to try to mindlessly copy the Windows paradigm
      Well, sometimes it's not pretty. We wrote a little free app called backlog, which grabs audit logs from the event logs, and sends data over to a remote syslog. A quick grep is a heck of a lot more effective than a GUI sometimes.
      As to whether it's better than Event Viewer, we'll let people decide that for themselves.

      > what happens if someone roots the machine and unloads the module
      Yup, auditing is out the window. We're looking at incorporating remote real-time transfer of log data to another server. At least then you'll get the execve() of rmmod auditmodule. However, there are a lot of other factors that, even if SNARE was built into the kernel, would still kill auditing if a root-level user wanted to: unmount the file system to which audit is being written, insert another module that looks for writes to /var/log/audit (for example), and kills those... loadable modules seemed to be a good risk-based compromise between usability and security.

      > ..a webserver that can handle more than 100 hits a day.

      Yeah, sorry people. I'm working on mirrors now.

      Leigh.
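Leigh's description above of SNARE's filtering (a pattern on the user plus an event-dependent "match", such as the file name for open() or the target user for setuid32()) can be modelled in a few lines. The following is an added example written for this page, not SNARE's or Intersect Alliance's code; the event layout, the rule format and the sample events are assumptions constructed for illustration.

```python
"""Added example, not SNARE's own code: a small audit-event filter that
models the rule shape Leigh describes (user regex + event-dependent match
regex per intercepted system call). Event layout, rule format and the
sample events below are constructed assumptions for illustration.
"""
import re


class AuditEvent:
    """One intercepted system call. 'match' is event dependent: the path for
    open()/unlink(), the program path for execve(), the target user for
    setuid32()."""

    def __init__(self, syscall, user, match, argv=None):
        self.syscall = syscall
        self.user = user
        self.match = match
        self.argv = argv or []


class AuditRule:
    """Fire when the syscall is one of 'syscalls' and both extended regular
    expressions match (search semantics, so anchor with ^ and $ as needed)."""

    def __init__(self, name, syscalls, user_re, match_re):
        self.name = name
        self.syscalls = frozenset(syscalls)
        self.user_re = re.compile(user_re)
        self.match_re = re.compile(match_re)

    def applies(self, ev):
        return (ev.syscall in self.syscalls
                and self.user_re.search(ev.user) is not None
                and self.match_re.search(ev.match) is not None)


def format_record(rule, ev):
    """Render a matched event as one log line; argv entries are repr()-quoted
    so a later grep/awk pass can split the line on spaces safely."""
    argv = " ".join(repr(a) for a in ev.argv)
    line = f"rule={rule.name} syscall={ev.syscall} user={ev.user} match={ev.match}"
    return line + (f" argv=[{argv}]" if ev.argv else "")


def audit(events, rules):
    """Return (rule name, log line) pairs for every event that matches at
    least one rule. An event hitting several rules is reported once per rule."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.applies(ev):
                hits.append((rule.name, format_record(rule, ev)))
    return hits


# Rules in the spirit of "tell me whenever user 'fred' accesses any file
# within /home/securestuff", plus two further defender-oriented rules.
RULES = [
    AuditRule("fred-securestuff", {"open", "unlink"}, r"^fred$", r"^/home/securestuff/"),
    AuditRule("setuid-to-root", {"setuid32"}, r".", r"^root$"),
    AuditRule("exec-from-tmp", {"execve"}, r".", r"^/tmp/"),
]

# Constructed sample events, not a real capture.
SAMPLE_EVENTS = [
    AuditEvent("open", "fred", "/home/securestuff/plan.txt"),
    AuditEvent("open", "alice", "/home/securestuff/plan.txt"),
    AuditEvent("open", "fred", "/home/fred/notes.txt"),
    AuditEvent("unlink", "fred", "/home/securestuff/old.log"),
    AuditEvent("setuid32", "www-data", "root"),
    AuditEvent("execve", "fred", "/tmp/.x/run", ["/tmp/.x/run", "-q"]),
    AuditEvent("execve", "fred", "/bin/ls", ["ls", "-l"]),
]

if __name__ == "__main__":
    for _, line in audit(SAMPLE_EVENTS, RULES):
        print(line)
```

Because execve() is intercepted at process start, the argv is available in the record even for a daemon such as httpd that never exits during the session, which is the limitation of process accounting that the post points out.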

  16. I don't get it by Anonymous Coward · · Score: 0

    What can this snare do that syslog can't?
    On my systems I get a thorough analysis of the past hour of syslog events in my inbox, sorted by security risk. And getting a live view of syslog events is easy with tail -f.

    If this generates extra events, then the code for the original pieces of code these events are generated for should be adapted to generate them. If this doesn't generate extra events then it's just another way of looking at exactly the same data, and shouldn't be hyped so much on slashdot.

    I really don't get it.

    1. Re:I don't get it by Anonymous Coward · · Score: 1, Interesting

      It's better to have a real program running the analysis instead of an obscure collection of low level tools like tail.

    2. Re:I don't get it by Anonymous Coward · · Score: 0

      Real programs are collections of low-level utilities. Sometimes even like tail.

  17. PAAAAN - WRONG! by Anonymous Coward · · Score: 0

    No really.
    Just compile the MODULE.
    make dep, modules, modules_install.
    Sure, if it doesn't even come prepared to do this for you, like the NVidia driver.

    =oP

    Better luck next time!

  18. Snares by Anonymous Coward · · Score: 0

    First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names?

    Snares are used to catch the dingos. Duh.

    1. Re:Snares by mcroydon · · Score: 0, Redundant

      I prefer to think of snares in the context of drums. You know, the rat-a-tat-tat kind?

      --
      6.02x10^23, baby!
  19. 5-Letter names? Start with S? Hmmm... by dmccarty · · Score: 0, Offtopic
    What have these Aussies got with 5 letter 'S' names?

    I knew it!--they're all Vulcans in disguise. Next we can expect a System Protection Oscillator for Chemical Kudos or something...

    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  20. 14-letter 'S' names by sharkey · · Score: 0, Offtopic

    What have these Aussies got with 5 letter 'S' names?

    Hopefully Sweden will be providing us with 14-letter 'S' solutions. I could definitely get into some serious Snugglebunnies with their Bikini Team.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  21. This story is old.. by cybrchrst · · Score: 0, Redundant

    It appeared on http://www.hackerjournal.com yesterday morning.

    --
    -=*(CC)*=-
  22. Been done by dpaton.net · · Score: 2, Interesting

    Isn't this just a glorified facelift for the various /var/log parts? Seriously. I less /var/log/secure every day or two for that exact reason. If you want it pretty pipe it to a perl script to HTMLify it and read it inside your favorite browser.

    -dave

    --
    This is not a sig. this is a duck. quack.
    1. Re:Been done by Anonymous Coward · · Score: 0

      Every day or two?

      Man, that really isn't often enough at all. In two days they could do a LOT of damage on your network, or from your machine.

    2. Re:Been done by Birdie-PL · · Score: 5, Interesting

      No, it's not just a glorified facelift for the various /var/log parts.

      With SNARE you are able to monitor much, much more than what appears in /var/log. For example you can check who and when opened a particular file (like /etc/passwd) or ran a particular process, and with what command-line options. Or which program bound to some port (great for detecting trojans 'calling home').

      I assume that you can also enhance it to monitor *all* system calls, if you are particularly interested or aware of some. Nothing comes to my mind right now, but for sure there are some you wish to monitor, if not control.

      --
      e-mail: karol at tls-technologies.com
      www: http://www.tls-technologies.com
      sig: not found
  23. SNARE is more than just the log files does it? by Anonymous Coward · · Score: 0

    Umm, SNARE sounds like a bit more than tail -f of various log files. The Solaris BSM creates a full audit trail which can be used to track a user from the moment they enter the system including what they execute (and from which connection) etc. Assuming SNARE is anything like this it will be ace.

  24. Yes! by FraggleMI · · Score: 2, Interesting

    Great! I work on a mil project that deals with audit trails. Having a linux module to allow for auditing is exactly what we need and have been trying to get going. If it is anywhere near as good as Solaris BSM auditing it will be a great thing, not just for you, but for those that support Linux in a govt/military environment. This is a HUGE step forward since requirements require auditing records to be stored. Linux coming to an Afghanistan site near you ;)

    --
    huh?
    1. Re:Yes! by steelwraith · · Score: 1
      Yep, it is a necessity for gov/mil environs, which is why I posted the original request for information.

      And due to the work of the folks at Intersect Alliance (and others in the OSS community), I have overcome almost all resistance to using Linux in my agency (the NT admins mostly).

      So hopefully I'll be able to load up Mandrake on my work system soon..

    2. Re:Yes! by FraggleMI · · Score: 1

      Won't that be nice, I cannot wait to be able to use linux at my military agency!

      --
      huh?
  25. Ugh yuck by Mandi+Walls · · Score: 1
    I'm sorry, but having attempted to get ANY useful timely information out of the crap that is Event Viewer, I will stick with /var/log/*.

    Event Viewer is the most useless piece of junk in the Windows world. It's not set up to be truly queried, or use complex filtering, or tag important information based on what the admin wants to see.

    It can tell you who logged in to what machine and how many pages they printed to what printer. Yee Haw.

    Hopefully these people have more sense than to try to mindlessly copy the Windows paradigm. There is so much going on with system security that real time, query-enhanced auditing with a good set of heuristics combined with a pointy-haired gui, reporting tools, etc., could be very useful.

    How they figure logging is keeping Linux out of businesses is beyond me, since a program like Exchange will crash the server if you want to look at the logs.

    1. Re:Ugh yuck by Anonymous Coward · · Score: 0

      I would put an insult that you are too stupid to figure out how to read the event log. However you have already demonstrated that fact, and probably wouldn't be able to understand the insult either.

      No, I am not a Microsoft advocate.

  26. (carbon) dating myself, but by GISboy · · Score: 1

    we now have SNARE, what is next, SNEPILADY?

    Or how about SMEEE? Serving Microsoft's Embrace Extend Extinguish?

    ....or, SMITE, Server Migration Information Technology Epicenter? Call up the vendor of a product and say "I'd like you to SMITE me".

    And Captain Vulture said to his troops "Carrion".

    GISboy

    --
    If it is not on fire, it is a software problem.
  27. Knee Jerk Reaction by weave · · Score: 4, Interesting
    Event logging on NT/2000 sucks.

    • No central log host capability
    • Tools to search it are crap
    • Have to use a GUI interface to read it or dump it to a text file

    OK, yes, there are third-party tools you can purchase extra to provide better functionality or you have to write some vbscript on your own to get the info. My point is, crap like this should be part of the OS. I'd rather have useful tools than a flock()ing media player, web browser, and instant messenger as part of the OS. :(

    But to get back to the topic, yeah, having better auditing tools under Linux is needed. Just don't look up to Windows as the way to implement them! :)

    1. Re:Knee Jerk Reaction by kireK · · Score: 1

      NT logging sucks? Really? Why aren't you forwarding your NT/2000 events to a syslog server? Then you can use the same tools as you would use on a UNIX machine.

    2. Re:Knee Jerk Reaction by jpostel · · Score: 1

      Just curious, how does one do that? I can't find any documentation on it on TechNet.

      --
      Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
    3. Re:Knee Jerk Reaction by kireK · · Score: 1

      2K is easy, look on the Resource CD. For NT I use Kiwi's Syslog Daemon.

    4. Re:Knee Jerk Reaction by jpostel · · Score: 1

      danke

      --
      Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
  28. Re:WHAT ARE YOU GOING TO MASTICATE FOR SUPPER by Anonymous Coward · · Score: 0

    I'm going to eat out your mom's ass.

  29. Security concern by Birdie-PL · · Score: 1

    I didn't find any info on this on Intersect, but what happens if someone roots the machine and unloads the module? No more logging then. And an excellent opportunity to erase all the existing logs.

    I assume that the logs are kept somewhere safe (another host maybe, or just printed as some prefer), so it is not a *huge* issue, but still the ability to turn off the logging (and leave some trojans / backdoors without further traces) is somewhat scary.

    Yes, I know that after being rooted you shall reinstall.

    --
    e-mail: karol at tls-technologies.com
    www: http://www.tls-technologies.com
    sig: not found
    1. Re:Security concern by Anonymous Coward · · Score: 0

      There should always be a "remote host logger" to make it more difficult for a hacker to cover its tracks. When a copy of the log is systematically sent to a remote host, one has to hack another machine to clear all logs. Unfortunately Snare has not implemented that feature yet. Airbete.
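
The remote-log-host point above only helps if somebody on the log host notices when an audited machine stops sending. The following is an added example, not Snare's code and not from either poster: a small check that runs on the central syslog host and raises an alert when a host's audit stream pauses, stops, or never arrives. It assumes the audited machines forward to a syslogd that writes RFC 3164-style lines ("Mon DD HH:MM:SS host tag: message"); the sample lines, the "snare" tag and the message text are constructed placeholders, not Snare's real output format.

```python
"""Spot an audited host going quiet on the central log host.

Added example, not part of Snare or the thread above. Assumes RFC 3164-style
syslog lines; SAMPLE_LOG below is constructed, and the "snare" tag/message
text is a placeholder for whatever the forwarded audit events look like.
"""
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")
YEAR = 2002   # RFC 3164 timestamps carry no year; assumed for the sample

Alert = Tuple[str, Optional[datetime], datetime, str]   # host, last seen, detected at, reason


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, host, tag, message) or None for a line we can't read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # collapse the space-padded day ("Feb  3") so strptime accepts it
    ts = datetime.strptime(f"{YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["tag"], m["msg"]


def find_silences(lines, max_gap: timedelta, now: datetime,
                  expected_hosts, tag: str = "snare") -> List[Alert]:
    """Alert on every host whose audit stream paused for more than max_gap,
    has been silent for more than max_gap as of `now`, or never reported.
    This runs on the log host, so it still fires after an attacker has
    unloaded the audit module on the audited machine."""
    last_seen = {}
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, line_tag, _msg = parsed
        if line_tag != tag:          # only the audit stream counts as a heartbeat
            continue
        if host in last_seen and ts - last_seen[host] > max_gap:
            alerts.append((host, last_seen[host], ts, "gap"))
        last_seen[host] = ts
    for host in sorted(expected_hosts):
        if host not in last_seen:
            alerts.append((host, None, now, "never reported"))
        elif now - last_seen[host] > max_gap:
            alerts.append((host, last_seen[host], now, "silent"))
    return alerts


# Constructed sample: web1 goes quiet for 39 minutes, db1 stops entirely,
# dns1 (which we expect to report) never shows up at all.
SAMPLE_LOG = """\
Feb 12 10:00:01 web1 snare: event 1 (constructed)
Feb 12 10:00:05 db1 snare: event 1 (constructed)
Feb 12 10:00:31 web1 snare: event 2 (constructed)
Feb 12 10:00:35 db1 snare: event 2 (constructed)
Feb 12 10:01:01 web1 snare: event 3 (constructed)
Feb 12 10:20:00 db1 kernel: unrelated message, not audit traffic
Feb 12 10:40:00 web1 snare: event 4 (constructed)
"""


def demo_alerts() -> List[Alert]:
    """Run the check over the constructed sample with a 5-minute threshold."""
    return find_silences(SAMPLE_LOG.splitlines(), timedelta(minutes=5),
                         datetime(2002, 2, 12, 10, 45), ["web1", "db1", "dns1"])


if __name__ == "__main__":
    for host, last, at, reason in demo_alerts():
        print(f"{reason:15} {host:6} last audit event: {last}  detected at {at}")
```

Two caveats a practitioner would add: a silence is just as likely to be an outage or a full disk as an attacker, so the alert is a prompt to look, not a verdict; and a heartbeat check catches the module being unloaded, not an attacker who leaves it loaded and quietly filters what it reports.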

  30. Whoa, slow down... by Shoten · · Score: 2

    I think it's fantastic that Linux is getting better and better features, options, software, and support for security-critical large environments. However, isn't it a bit premature, the instant that ONE application comes out that provides auditing, to say, "Ok, cool! Linux is now on par with all those other OSes that have had stuff like this developed for them for years...let's all adopt Linux now!" I wouldn't bet that there will be major changes just yet...security people who are on the cutting edge are not usually first adopters unless necessary, and it's not necessary to choose first-generation auditing in Linux over more proven equivalents for Solaris, for example. It's good to see Linux getting there, though :)

    --

    For your security, this post has been encrypted with ROT-13, twice.
  31. what about process accounting? by victwenty · · Score: 2, Interesting

    This does seem like a complete package, but I was wondering why a kernel module was needed as opposed to using the process accounting facilities already in the kernel. It is already possible to turn on logging for all processes (man accton); has anyone ever written any sort of log scraper for the binary accounting file? I would think for detecting specific locally run commands it would be adequate.
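
A scraper of the kind the post asks about, as an added example that is not the poster's code and not part of Snare. It decodes the binary file that accton(8) turns on and flags watched commands that ran with superuser privileges. One assumption to be clear about: the record layout used is `struct acct_v3` from modern `linux/acct.h` (64 bytes, native byte order, comp_t counters); the 2.4 kernels of the time wrote the older `struct acct`, whose layout differs. The sample file `SAMPLE_PACCT` is constructed in the code, not captured from a real system, and the watched command list is an arbitrary choice for illustration.

```python
"""Scrape the kernel's binary process-accounting file (enabled by accton(8))
and flag privileged module loads/unloads.

Added example, not Snare's or the poster's code. Assumes the acct_v3 layout
from modern linux/acct.h; SAMPLE_PACCT is constructed here.
"""
import struct
from dataclasses import dataclass
from typing import List

# struct acct_v3: ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid,
# ac_pid, ac_ppid, ac_btime, ac_etime (float), eight comp_t counters
# (utime, stime, mem, io, rw, minflt, majflt, swaps), ac_comm[16]
ACCT_V3_FMT = "=bBH6If8H16s"
ACCT_V3_SIZE = struct.calcsize(ACCT_V3_FMT)   # 64 bytes
ACCT_VERSION = 3
AFORK, ASU, ACOMPAT, ACORE, AXSIG = 0x01, 0x02, 0x04, 0x08, 0x10


def decode_comp(c: int) -> int:
    """comp_t is a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def encode_comp(v: int) -> int:
    """Inverse of decode_comp; lossy above 8191, exactly as the kernel's is."""
    exp = 0
    while v > 0x1FFF:
        v >>= 3
        exp += 1
    return (exp << 13) | v


@dataclass
class AcctRecord:
    flags: int
    uid: int
    gid: int
    pid: int
    ppid: int
    btime: int       # process start, seconds since the epoch
    utime: int       # user CPU, clock ticks
    stime: int       # system CPU, clock ticks
    exitcode: int
    comm: str        # first 16 bytes of the command name at exec time


def parse_pacct(data: bytes) -> List[AcctRecord]:
    """Decode every complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % ACCT_V3_SIZE, ACCT_V3_SIZE):
        (flag, version, _tty, exitcode, uid, gid, pid, ppid, btime, _etime,
         utime, stime, _mem, _io, _rw, _minflt, _majflt, _swaps,
         comm) = struct.unpack_from(ACCT_V3_FMT, data, off)
        if version & 0x0F != ACCT_VERSION:   # top bit of ac_version is the byte-order flag
            raise ValueError(f"unsupported accounting record version {version & 0x0F} at offset {off}")
        records.append(AcctRecord(
            flags=flag & 0xFF, uid=uid, gid=gid, pid=pid, ppid=ppid, btime=btime,
            utime=decode_comp(utime), stime=decode_comp(stime), exitcode=exitcode,
            comm=comm.split(b"\0", 1)[0].decode("ascii", "replace")))
    return records


WATCHED = {"insmod", "rmmod", "modprobe"}   # illustrative choice


def privileged_module_ops(records: List[AcctRecord]) -> List[AcctRecord]:
    """Watched commands whose process used superuser privileges (ASU set)."""
    return [r for r in records if r.comm in WATCHED and r.flags & ASU]


def make_record(comm: str, uid: int, flags: int, pid: int = 1000, ppid: int = 1,
                btime: int = 0, stime_ticks: int = 0) -> bytes:
    """Pack one acct_v3 record the way the kernel would (constructed sample)."""
    return struct.pack(ACCT_V3_FMT, flags, ACCT_VERSION, 0,
                       0, uid, 0, pid, ppid, btime, 0.0,
                       0, encode_comp(stime_ticks), 0, 0, 0, 0, 0, 0,
                       comm.encode("ascii")[:16].ljust(16, b"\0"))


SAMPLE_PACCT = b"".join([
    make_record("ls", 1000, 0),
    make_record("rmmod", 0, ASU, pid=4242, ppid=4200, stime_ticks=5),
    make_record("rmmod", 1000, 0, pid=4243),          # no ASU: not flagged
    make_record("bash", 0, ASU | AFORK),
])


if __name__ == "__main__":
    for r in privileged_module_ops(parse_pacct(SAMPLE_PACCT)):
        print(f"uid={r.uid} pid={r.pid} ppid={r.ppid} comm={r.comm} flags={r.flags:#x}")
```

The limits are the ones the poster would hit in practice: records are written at process exit, so a long-running backdoor shows up late or never; `ac_comm` is only the 16-byte command name, so `cp /sbin/rmmod ./x` evades a name match; and the accounting file sits on the audited host, writable by root, so it needs the same remote copy as any other log.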

  32. Re:Offtopic by Anonymous Coward · · Score: 0

    Well, they could shoplift one, then.

  33. Coming soon from Intersect.... by Afrosheen · · Score: 1

    ..a webserver that can handle more than 100 hits a day.

    Anyone got a mirror anywhere?

  34. Why it's "cool" when... by Anonymous Coward · · Score: 1, Insightful

    It's "cool" because Microsoft is not.

    Take for instance, this: The megacorp I used to work at was coerced into migrating from Navigator to IE, otherwise, we 'sure wouldn't like the new cost of the Office license when it comes up for negotiation'.

    It's not good for the economy, world, computing industry to have companies running around using threats to stifle the potential of other companies, especially if the company that loses out has a superior product.

    Let's say you developed some software and tried to make a living by selling it. How would you feel if a company came in with an inferior product and told your biggest client they had better stop using yours or they'd face higher prices on unrelated software that they were already invested in and dependent upon? Legal or not, all-is-fair-in-love-and-war or not, I call that a "low blow". I call that "immoral". I call that not being the best but still winning first prize.

    It's "cool" anytime you can get similar functionality from something which is community-supported, rather than monopoly-coerced.

    It's "cool" when Linux is ahead of Windows because it (usually) shows how people with (usually) selfless intentions, people with passion for the art of computing, are able to lead the way; to demonstrate their vision and skill while doing something that is for the common good. Not (usually) for Money, but for Kindness and other generally soft and fluffy concepts.

    In my book, "selfless" = Good.

    In my book, "greedy" = Evil.

    So, to me, this is about Good versus Evil. The events that I have been exposed to don't, imho, point to any other conclusion.

    And Good is "cool".

  35. Costly alternatives? by kalleanka2 · · Score: 1

    "migrate away from the costly commercial alternatives to Linux. "

    You guys still haven't got it, have you? The OS license cost is not an issue. What do you think a server OS for a few thousand or so is for an enterprise setup when you spend $50000 on Oracle and about as much on experts setting it up?

    I simply don't understand why there is so much nagging about license costs when those are just not an issue.

    1. Re:Costly alternatives? by maxpublic · · Score: 1

      Well hell, if you've got a great big business with tons of cash I guess a few thousand doesn't matter much. But to all the small and medium sized businesses out there a few thousand is a bit more than a drop in the ol' bucket, eh?

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
  36. Your Idiocy by Anonymous Coward · · Score: 0

    Hi, you are a self-serving twit. Thank you for your dopey comments.

  37. This is nothing new, and NOT "first ever" by Anonymous Coward · · Score: 2, Informative

    If you look at the proceedings of the 1999 O'Reilly Open Source Convention, somebody presented a paper on a loadable kernel module for Linux (called "Laudit"), that enabled auditing/event monitoring in the kernel. This one is essentially the same idea (except Laudit had a command line/ /proc API).

    Regards

    1. Re:This is nothing new, and NOT "first ever" by Anonymous Coward · · Score: 0

      Having it as a kernel module is sensible, and not a big deal: you can always re-route the syscall vector(s).

      -A

  38. The programmers are illiterate idiots by Anonymous Coward · · Score: 0

    It should be abbreviated as S.I.A.R.E.

  39. Rude and offtopic... by swordgeek · · Score: 3, Funny

    ...but I find that whenever I go to type BSM (into a search engine, whatever), my fingers want to type BDSM.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  40. Would anyone like to help with the LINUXBSM proj by dagnathan · · Score: 1

    Hi all, the LinuxBSM project was started as an initiative of the University of California at Davis to build an auditor that meets the government's C2 compliance standards. I was the original author of the project and have received help from several people in the open source community, including Jeremy Banford (my roommate) who did nearly a complete rewrite of a good percentage of the code. Unfortunately, the project has fallen by the wayside as I have now graduated and work fulltime (and doing a little bit of work on OpenOffice - shameless plug) However, every two years or so the topic pops up on /. again.

    So I was wondering if there are a couple of people out there that might be interested in helping with the project. If so I'd certainly begin developing again.

    drop me an email : )
    holmlundNO@SPAMinnercite.com

  41. HP'S Secure Linux had an auditing subsystem by LKH · · Score: 1

    Check out this product from hp.

    Amongst its other features, it also provides an auditing subsystem, so you can audit pretty much anything going on in the system. You can then use a filter to produce either plain text or XML reports.

    It has lots of other nifty features too - compartments, with kernel-level access control that goes beyond chmod. It makes it easy to run Internet services in a chrooted environment, with tightly controlled access limiting damage if one app were to be compromised.

    (Yes I do work for HP, but not for the ISSL division. The thoughts above are my own, not HP'S)

    - Lindsay