Slashdot Mirror


Security Auditing for Linux

malibu_mex writes: "LinuxToday, ZDNet Australia, and NewsForge are all reporting on a loadable kernel module + GUI combination that implements an auditing subsystem on Linux (like the NT event logger or Solaris BSM). This could be yet another reason for big business and government to migrate away from the costly commercial alternatives to Linux. First it was SAMBA, now it's SNARE. What have these Aussies got with 5-letter 'S' names? This topic has been discussed on Slashdot previously here."

7 of 112 comments

  1. Already here? by PoiBoy · · Score: 2, Interesting
    How would this be any different from simply looking at /var/log/messages and /var/log/secure every morning? Everyone should be doing that anyway.

    Of course, having a front-end to cut out all the useless messages is nice, but I would imagine most sysadmins have already written (or could write) a simple script in Perl custom tailored to their liking to do the same thing.

  2. Re:I don't get it by Anonymous Coward · · Score: 1, Interesting

    It's better to have a real program running the analysis instead of an obscure collection of low level tools like tail.

  3. Been done by dpaton.net · · Score: 2, Interesting

    Isn't this just a glorified facelift for the various /var/log parts? Seriously. I less /var/log/secure every day or two for that exact reason. If you want it pretty pipe it to a perl script to HTMLify it and read it inside your favorite browser.

    -dave

    --
    This is not a sig. this is a duck. quack.
    1. Re:Been done by Birdie-PL · · Score: 5, Interesting

      No, it's not just a glorified facelift for the various /var/log parts.

      With SNARE you are able to monitor much, much more than what appears in /var/log. For example, you can check who opened a particular file (like /etc/passwd) and when, or who ran a particular process and with what command-line options. Or which program bound to some port (great for detecting trojans 'calling home').

      I assume that you can also enhance it to monitor *all* system calls, if you are particularly interested in or aware of some. Nothing comes to my mind right now, but for sure there are some you'd wish to monitor, if not control.

      --
      e-mail: karol at tls-technologies.com
      www: http://www.tls-technologies.com
      sig: not found
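The "which program bound to some port" check above is a good illustration of what a kernel-side audit module gives you that /var/log does not. The following added example (not SNARE code and not posted by anyone in this thread) shows the userspace approximation a sysadmin could script without a kernel module: parse the LISTEN entries out of /proc/net/tcp, resolve the socket inode to a pid through /proc/<pid>/fd, and flag ports outside an allow-list. The /proc/net/tcp text is constructed sample data; the allow-list is an arbitrary assumption. The caveat, and the reason a module is still valuable, is that this is a point-in-time snapshot: a process that binds, phones home and exits between two runs is never seen, whereas an audit hook on bind() records the event.

```python
import os
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List

TCP_LISTEN = "0A"   # value of the "st" column for a LISTEN socket in /proc/net/tcp


@dataclass
class Listener:
    ip: str
    port: int
    uid: int
    inode: int


def _decode_addr(field: str):
    """/proc/net/tcp prints the IPv4 address as a native-endian u32 in hex,
    so on little-endian hosts (x86) 127.0.0.1 appears as 0100007F."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Listener]:
    """Return every listening socket described by /proc/net/tcp text."""
    listeners = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        ip, port = _decode_addr(f[1])           # local_address column
        listeners.append(Listener(ip, port, uid=int(f[7]), inode=int(f[9])))
    return listeners


def socket_owners() -> Dict[int, int]:
    """Map socket inode -> pid by reading /proc/<pid>/fd symlinks.
    Live system access (needs root to see other users' fds); not exercised
    by the sample data below."""
    owners: Dict[int, int] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    owners[int(target[8:-1])] = int(pid)
        except OSError:                          # process exited or not ours
            continue
    return owners


def unexpected_listeners(listeners: List[Listener],
                         allowed_ports=(22, 25, 80, 443)) -> List[Listener]:
    """Listeners on ports outside the (assumed) site allow-list."""
    return [l for l in listeners if l.port not in allowed_ports]


# Constructed sample of /proc/net/tcp: sshd on *:22, an unknown process
# owned by uid 1000 on 127.0.0.1:31337, and one ESTABLISHED (non-listening) row.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 54321 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:B2C4 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    listeners = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    owners = socket_owners()                     # empty on non-Linux hosts
    for l in unexpected_listeners(listeners):
        print(f"unexpected listener {l.ip}:{l.port} uid={l.uid} "
              f"pid={owners.get(l.inode, '?')}")
```

Run it as root with `open('/proc/net/tcp').read()` in place of the sample text to get the real table; on a 2002-era kernel the column layout is the same, only the trailing fields differ.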
  4. Yes! by FraggleMI · · Score: 2, Interesting

    Great! I work on a mil project that deals with audit trails. Having a Linux module to allow for auditing is exactly what we need and have been trying to get going. If it is anywhere near as good as Solaris BSM auditing it will be a great thing, not just for you, but for those that support Linux in a govt/military environment. This is a HUGE step forward since requirements require auditing records to be stored. Linux coming to an Afghanistan site near you ;)

    --
    huh?
  5. Knee Jerk Reaction by weave · · Score: 4, Interesting
    Event logging on NT/2000 sucks.

    • No central log host capability
    • Tools to search it are crap
    • Have to use a GUI interface to read it or dump it to a text file

    OK, yes, there are third-party tools you can purchase extra to provide better functionality or you have to write some vbscript on your own to get the info. My point is, crap like this should be part of the OS. I'd rather have useful tools than a flock()ing media player, web browser, and instant messenger as part of the OS. :(

    But to get back to the topic, yeah, having better auditing tools under Linux is needed. Just don't look up to Windows as the way to implement them! :)

  6. what about process accounting? by victwenty · · Score: 2, Interesting

    This does seem like a complete package, but I was wondering why a kernel module was needed as opposed to using the process accounting facilities already in the kernel. It is already possible to turn on logging for all processes (man accton), has anyone ever written any sort of log scraper for the binary accounting file? I would think for detecting specific locally run commands it would be adequate.
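The question above, whether anyone has written a scraper for the binary accounting file, is answerable with a short script. The following added example (not part of the thread, not SNARE code) decodes the `struct acct_v3` records that `accton` writes on Linux 2.6 and later (the format documented in `man 5 acct`; the 2.4-era v0/v1 layout differs, and little-endian byte order is assumed), then flags records for watched command names or for commands that used superuser privileges under a non-root real uid. The sample records are constructed inline. It also makes the limitation concrete: process accounting gives you the 16-byte command name, uid, pid/ppid, times and the ASU flag at process exit, but no command-line arguments, no file accesses and no port binds, which is what the kernel-module approach adds.

```python
import struct
from dataclasses import dataclass
from typing import List, Sequence

# Layout of struct acct_v3 from <linux/acct.h>: 64 bytes per record,
# naturally aligned, written in host byte order (little-endian assumed here).
ACCT_V3_FMT = "<ccHIIIIIIfHHHHHHHH16s"
ACCT_V3_SIZE = struct.calcsize(ACCT_V3_FMT)   # 64
ACCT_VERSION = 3
AHZ = 100                                     # accounting clock ticks per second

# ac_flag bits
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10


def decode_comp_t(v: int) -> int:
    """comp_t is a 16-bit pseudo-float: 13-bit mantissa, 3-bit base-8 exponent."""
    return (v & 0x1FFF) << (3 * ((v >> 13) & 0x7))


def encode_comp_t(value: int) -> int:
    """Inverse of decode_comp_t (lossy above 8191); used to build sample data."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


@dataclass
class AcctRecord:
    comm: str        # command name, truncated by the kernel to 16 bytes
    uid: int
    gid: int
    pid: int
    ppid: int
    btime: int       # process creation time, seconds since the epoch
    utime_s: float
    stime_s: float
    exitcode: int
    flags: int

    @property
    def used_su(self) -> bool:
        return bool(self.flags & ASU)


def parse_acct(data: bytes) -> List[AcctRecord]:
    """Decode a pacct file image into records; rejects non-v3 records."""
    records = []
    for off in range(0, len(data) - ACCT_V3_SIZE + 1, ACCT_V3_SIZE):
        (flag, version, _tty, exitcode, uid, gid, pid, ppid, btime, _etime,
         utime, stime, _mem, _io, _rw, _minflt, _majflt, _swaps,
         comm) = struct.unpack_from(ACCT_V3_FMT, data, off)
        if ord(version) != ACCT_VERSION:
            raise ValueError(f"unsupported acct version {ord(version)} at offset {off}")
        records.append(AcctRecord(
            comm=comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            uid=uid, gid=gid, pid=pid, ppid=ppid, btime=btime,
            utime_s=decode_comp_t(utime) / AHZ,
            stime_s=decode_comp_t(stime) / AHZ,
            exitcode=exitcode, flags=ord(flag)))
    return records


def suspicious(records: Sequence[AcctRecord],
               watched=("su", "nc", "gcc")) -> List[AcctRecord]:
    """Watched command names (an assumed list), or any command that used
    superuser privileges while its real uid was not root."""
    return [r for r in records if r.comm in watched or (r.used_su and r.uid != 0)]


def make_record(comm, uid, gid, pid, ppid, btime, utime_ticks, stime_ticks,
                exitcode=0, flags=0) -> bytes:
    """Pack one acct_v3 record; constructed sample data, not a real log."""
    return struct.pack(ACCT_V3_FMT, bytes([flags]), bytes([ACCT_VERSION]), 0,
                       exitcode, uid, gid, pid, ppid, btime, 0.0,
                       encode_comp_t(utime_ticks), encode_comp_t(stime_ticks),
                       0, 0, 0, 0, 0, 0, comm.encode())


# Constructed pacct image: a plain ls, then su and a root shell under uid 1000.
SAMPLE_PACCT = b"".join([
    make_record("ls",   1000, 1000, 4101, 4000, 1017600000, 1, 1),
    make_record("su",   1000, 1000, 4102, 4000, 1017600010, 3, 2, flags=ASU),
    make_record("bash", 1000, 1000, 4103, 4102, 1017600011, 20000, 500, flags=ASU),
])

if __name__ == "__main__":
    recs = parse_acct(SAMPLE_PACCT)
    for r in recs:
        print(f"{r.comm:<16} uid={r.uid:<5} pid={r.pid:<6} ppid={r.ppid:<6} "
              f"su={r.used_su!s:<5} user={r.utime_s:.2f}s sys={r.stime_s:.2f}s")
    print("suspicious:", [r.comm for r in suspicious(recs)])
```

On a live system replace `SAMPLE_PACCT` with the contents of the file passed to `accton` (commonly /var/log/account/pacct or /var/account/pacct); records are appended at process exit, so a still-running shell does not appear until it ends.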