Security Auditing for Linux

malibu_mex writes: "LinuxToday, ZDNet Australia, and NewsForge are all reporting on a loadable kernel module + GUI combination that implements an auditing subsystem on Linux (Like the NT event logger, or solaris BSM). This could be yet another reason for big business and government to migrate away from the costly commercial alternatives to Linux. First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names? This topic has been discussed on Slashdot previously here."

Quote from Leigh in response.....

[Vermifax]

...to being questioned about being first posted to ZDnet talkback

Anon is right in saying that there have been other logging tools for Linux, linuxbsm in particular has come a long way. Unfortunately though, some of these tools are either focussed on different logging capabilities (eg: swatch is a log file watcher, it alerts users when a particular line occurs in arbitrary log files, and can actually be used in conjunction with SNARE), or seem to be stalled in development.

SNARE is more like the Windows NT event logger, or the Solaris BSM subsystem - but we hope that the experience we've had with these systems (and others: AIX, netware, Unicos, ACF2/RACF, etc.) will lead to an even better implementation for Linux.

The team at InterSect made sure that we held off releasing SNARE until we were confident that it could stand on it's own feet against the auditing subsystems from other operating systems.

The positive feedback that we're getting (thanks Sinner!) is certainly proving that people are interested, and we made the right decision.

Re:For those who dont know

[Anders]

Loadable Kernel Module means you dont have to recompile your kernel, i know for some people (me!!) not having to recompile your kernel is a big importance

Indeed, modules are very nice compared to a kernel patch. You not have to recompile and reboot your kernel and you do not have to keep applying the same patch when you do install a new kernel.

That being said, you probably still have to compile the module itself and therefore still need the kernel source installed (unless someone provides a binary module for your particular kernel revision). And there are limits to what you can do in a module, which is of course the reason that most kernel additions out there are in the form of patch files.

Basically, an addition might go into a module, but modifications to existing beaviour often need to touch the kernel itself.

Re: tail -f /var/log/messages

[Zocalo]

And for those that want a GUI, check out Xlogmaster. It comes in a variety of themes (OK, colours) and can pretty much capture everything you can cat, grep and cut out of your standard *NIX commands and logfiles. And a good deal more besides.

Still, choice is good.

Re:Already here?

[fanatic]

This provides the ability to monitor individual system activities that your solution lacks. For example, you could monitor each time files were opened for reading or writing, etc. It appears that you can also specify which files using matches, including regular expressions. You can find out who ran what programs with what parameters (all the system commands like rm are programs).

There was a previous thing like tis at hert.org, but it doesn't seem to be kept up anymore.

This may be the first real reason I've seen to upgrade my particular installation to 2.4 kernel.

The provision of GUI tools is nice. But my experience with Solaris BSM was that it proiduced so much output that you ended up using text tools (grep, awk, sed, perl) and running little programs that many minutes or several hours to run to get the meaningful information from out of the chaff.

This is nothing new, and NOT "first ever"

If you look at the proceedings of the 1999 O'Reilly Open Source Convention, somebody presented a paper on a loadable kernel module for Linux (called "Laudit"), that enabled auditing/event monitoring in the kernel. This one is essentially the same idea (except Laudit had a command line/ /proc API).

Regards