Slashdot Mirror


Security Auditing for Linux

malibu_mex writes: "LinuxToday, ZDNet Australia, and NewsForge are all reporting on a loadable kernel module + GUI combination that implements an auditing subsystem on Linux (like the NT event logger, or Solaris BSM). This could be yet another reason for big business and government to migrate away from the costly commercial alternatives to Linux. First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names? This topic has been discussed on Slashdot previously here."


  1. Maybe it's just me by Saib0t · · Score: 2, Funny

    but I wouldn't trust a snare... we keep reproaching MS for entangling us. I don't want this to happen to Linux. No snare for me :-)

    --

    One shall speak only if what one has to say is more beautiful than silence
  2. Another Link by _DMan_ · · Score: 3, Insightful

    CNET

    Although this story claims it "is the first intrusion detection system to reside on individual computers rather than a network", which is clearly wrong.

  3. 5 letter aussies by FrankBough · · Score: 5, Funny

    First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names?

    Apparently the first idea for a name was System Tracking, User Protection and Intrusion Detection but they thought that would be stupid.

  4. For those who don't know by nervlord1 · · Score: 3, Redundant

    Loadable Kernel Module means you don't have to recompile your kernel. I know for some people (me!!) not having to recompile your kernel is a big deal (I might be wrong on this, but that's what I remember; I'll try and install it myself just to verify).

    --
    Microsoft IIS is to webserving as KFC is to healthy eating
    1. Re:For those who don't know by Anders · · Score: 3, Informative

      Loadable Kernel Module means you don't have to recompile your kernel. I know for some people (me!!) not having to recompile your kernel is a big deal

      Indeed, modules are very nice compared to a kernel patch. You do not have to recompile and reboot your kernel, and you do not have to keep applying the same patch when you install a new kernel.

      That being said, you probably still have to compile the module itself and therefore still need the kernel source installed (unless someone provides a binary module for your particular kernel revision). And there are limits to what you can do in a module, which is of course the reason that most kernel additions out there are in the form of patch files.

      Basically, an addition might go into a module, but modifications to existing behaviour often need to touch the kernel itself.

  5. tail -f /var/log/messages by Nijika · · Score: 3, Insightful
    Ok folks, here's the deal: it's not the fancy little GUI widgets that sell Windows solutions, it's the full color two page ads in "CXO Magazine", or some other publication. It's the paid FUD, it's the sales calls, it's the brand name the CxO sees when they head out to Wal-Mart. It's the last 20 years of business computing history, NOT THE GADGETS.

    The people that make the decisions to go Microsoft will almost never touch the systems they implement.

    Tough cookies, but that's the real deal. Don't believe me? Go to a magazine store and pick up some financial glossies...

    --
    Luck favors the prepared, darling.
    1. Re: tail -f /var/log/messages by foo+fighter · · Score: 3, Insightful

      I would like to kindly disagree.

      While they weren't huge cases (handful of servers, 250-500 machines/users) my organization has chosen Windows NT for our Network Operating System solution and desktop OS in the past precisely because of the 'widgets' which made security administration much easier than on linux.

      The Event Log utility makes tracking system, application, and security events a breeze. Having the ACL controls integrated into the system and file manager makes controlling access much more flexible (IMHO, not trying to start a flame) than linux's traditional methods.

      Finally, in the organizations I've worked in the Executives relied heavily on input from the engineers who would be running the systems. They realized that the sysadmins had a better idea of what was needed than they did, and acted on that information accordingly.

      --
      obviously no deficiencies vs. no obvious deficiencies
    2. Re: tail -f /var/log/messages by Zocalo · · Score: 2, Informative
      And for those that want a GUI, check out Xlogmaster. It comes in a variety of themes (OK, colours) and can pretty much capture everything you can cat, grep and cut out of your standard *NIX commands and logfiles. And a good deal more besides.

      Still, choice is good.

      --
      UNIX? They're not even circumcised! Savages!
  6. Quote from Leigh in response..... by Vermifax · · Score: 5, Informative
    ...to being questioned about being first posted to ZDnet talkback
    Anon is right in saying that there have been other logging tools for Linux, linuxbsm in particular has come a long way. Unfortunately though, some of these tools are either focussed on different logging capabilities (eg: swatch is a log file watcher, it alerts users when a particular line occurs in arbitrary log files, and can actually be used in conjunction with SNARE), or seem to be stalled in development.

    SNARE is more like the Windows NT event logger, or the Solaris BSM subsystem - but we hope that the experience we've had with these systems (and others: AIX, netware, Unicos, ACF2/RACF, etc.) will lead to an even better implementation for Linux.

    The team at InterSect made sure that we held off releasing SNARE until we were confident that it could stand on its own feet against the auditing subsystems from other operating systems.

    The positive feedback that we're getting (thanks Sinner!) is certainly proving that people are interested, and we made the right decision.
    --

    Vermifax

  7. Windows has had this since NT 3.5 by Anonymous Coward · · Score: 2, Redundant

    Why is it "cool" when Linux gets something that Windows has had, but when Windows gets something that Linux has had it's "Linux is so far ahead of Windows, blah, blah."

    1. Re:Windows has had this since NT 3.5 by autocracy · · Score: 2

      Because with Linux, it's usually free and done by the labor of people who figure stuff out on their own, whereas M$ has proprietary access and money to buy protocols. If Microsoft gets something years after Linux, it's rather pathetic because the ideas behind it are like RIGHT THERE IN CODE and they still haven't caught on. At the least they can let in some GPL code to enhance their own system; at the most, get one programmer to read it and the other to go just on the general idea given to him so that the code is fresh.

      --
      SIG: HUP
    2. Re:Windows has had this since NT 3.5 by Nailer · · Score: 2

      Because with Linux, it's usually free and done by the labor of people who figure stuff out on their own, whereas M$ has proprietary access and money to buy protocols.

      That's increasingly becoming less the case, at least with larger Open Source projects, many of which are commercially motivated and backed.

      If Microsoft gets something years after Linux, it's rather pathetic because the ideas behind it are like RIGHT THERE IN CODE

      And using it would VIOLATE THE LICENSE of the code, which MS staff are forbidden by their employer to do.

      and they still haven't caught on.

    3. Re:Windows has had this since NT 3.5 by Nailer · · Score: 2

      My basis for saying that looking at GPL source is forbidden within Microsoft is people who have worked for Microsoft and told me that `looking at GPL source is forbidden within Microsoft'.

      Why bother stealing GPL code when one can legally and ethically use BSD code instead? MS have done this for ages and it works well. I see no significant areas where GPLed software has a major advantage over existing proprietary or BSD licensed software.

    4. Re:Windows has had this since NT 3.5 by autocracy · · Score: 2

      BSD/GPL/anything where the code is available. Point is that the code is available to them, and to not make use of something like this (as opposed to not wanting to use it at one time and putting it in at another) and instead spend $$$ on redeveloping something and releasing it 2 years later is dumb. That is why we whine @ M$ when they come out with something Linux has.

      --
      SIG: HUP
  8. Short Time to Market by 1alpha7 · · Score: 2, Insightful

    The short time to market can also be attributed to three other factors, according to Cora: "We have the programming skills, we have a small company that is not bureaucratic, and we put aside the established OSes (operating systems) and started from scratch."

    After my own heart. Bureaucracies are not an "asset", and trying to salvage (reuse) existing stuff, that happens to be crap, is not "efficient".

    1Alpha7

    --
    Live to be Moderated
  9. Already here? by PoiBoy · · Score: 2, Interesting
    How would this be any different from simply looking at /var/log/messages and /var/log/secure every morning? Everyone should be doing that anyway.

    Of course, having a front-end to cut out all the useless messages is nice, but I would imagine most sysadmins have already written (or could write) a simple script in Perl custom tailored to their liking to do the same thing.

    1. Re:Already here? by fanatic · · Score: 4, Informative

      This provides the ability to monitor individual system activities that your solution lacks. For example, you could monitor each time files were opened for reading or writing, etc. It appears that you can also specify which files using matches, including regular expressions. You can find out who ran what programs with what parameters (all the system commands like rm are programs).

      There was a previous thing like this at hert.org, but it doesn't seem to be kept up anymore.

      This may be the first real reason I've seen to upgrade my particular installation to 2.4 kernel.

      The provision of GUI tools is nice. But my experience with Solaris BSM was that it produced so much output that you ended up using text tools (grep, awk, sed, perl) and running little programs that took many minutes or several hours to run to get the meaningful information out of the chaff.

      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  10. Re:Acronyms by micromoog · · Score: 2
    Maybe the same deviation as the Americans with their 3 letter acronyms...

    FU,B.

  11. Been done by dpaton.net · · Score: 2, Interesting

    Isn't this just a glorified facelift for the various /var/log parts? Seriously. I less /var/log/secure every day or two for that exact reason. If you want it pretty pipe it to a perl script to HTMLify it and read it inside your favorite browser.

    -dave

    --
    This is not a sig. this is a duck. quack.
    1. Re:Been done by Birdie-PL · · Score: 5, Interesting

      No, it's not just a glorified facelift for the various /var/log parts.

      With SNARE you are able to monitor much, much more than what appears in /var/log. For example, you can check who opened a particular file (like /etc/passwd) or ran a particular process, when, and with what command-line options. Or which program bound to some port (great for detecting trojans 'calling home').

      I assume that you can also enhance it to monitor *all* system calls, if you are particularly interested in or aware of some. Nothing comes to my mind right now, but for sure there are some you wish to monitor, if not control.

      --
      e-mail: karol at tls-technologies.com
      www: http://www.tls-technologies.com
      sig: not found
  12. Yes! by FraggleMI · · Score: 2, Interesting

    Great! I work on a mil project that deals with audit trails. Having a Linux module to allow for auditing is exactly what we need and have been trying to get going. If it is anywhere near as good as Solaris BSM auditing it will be a great thing, not just for you, but for those that support Linux in a govt/military environment. This is a HUGE step forward since requirements require auditing records to be stored. Linux coming to an Afghanistan site near you ;)

    --
    huh?
  13. Knee Jerk Reaction by weave · · Score: 4, Interesting
    Event logging on NT/2000 sucks.

    • No central log host capability
    • Tools to search it are crap
    • Have to use a GUI interface to read it or dump it to a text file

    OK, yes, there are third-party tools you can purchase extra to provide better functionality or you have to write some vbscript on your own to get the info. My point is, crap like this should be part of the OS. I'd rather have useful tools than a flock()ing media player, web browser, and instant messenger as part of the OS. :(

    But to get back to the topic, yeah, having better auditing tools under Linux is needed. Just don't look up to Windows as the way to implement them! :)

  14. Whoa, slow down... by Shoten · · Score: 2

    I think it's fantastic that Linux is getting better and better features, options, software, and support for security-critical large environments. However, isn't it a bit premature, the instant that ONE application comes out that provides auditing, to say, "Ok, cool! Linux is now on par with all those other OSes that have had stuff like this developed for them for years...let's all adopt Linux now!" I wouldn't bet that there will be major changes just yet...security people who are on the cutting edge are not usually first adopters unless necessary, and it's not necessary to choose first-generation auditing in Linux over more proven equivalents for Solaris, for example. It's good to see Linux getting there, though :)

    --

    For your security, this post has been encrypted with ROT-13, twice.
  15. what about process accounting? by victwenty · · Score: 2, Interesting

    This does seem like a complete package, but I was wondering why a kernel module was needed as opposed to using the process accounting facilities already in the kernel. It is already possible to turn on logging for all processes (man accton); has anyone ever written any sort of log scraper for the binary accounting file? I would think for detecting specific locally run commands it would be adequate.
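
The comment above asks whether anyone has written a scraper for the binary process accounting file. The following is an added example, not code from this thread or from SNARE: a Python parser for the acct_v3 record layout documented in acct(5), assuming a little-endian host wrote the file, and run here over a constructed sample rather than a real accounting file.

```python
import struct

# One Linux acct_v3 record (64 bytes) as documented in acct(5): flags, version,
# tty, exit code, uid, gid, pid, ppid, start time, elapsed time (float), eight
# comp_t counters, then the 16-byte command name. Assumes a little-endian host.
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
FLAGS = {0x01: "AFORK", 0x02: "ASU", 0x08: "ACORE", 0x10: "AXSIG"}  # acct(5)

def comp_t(value):
    """Decode a comp_t: 3-bit base-8 exponent (top bits), 13-bit mantissa."""
    return (value & 0x1FFF) << (3 * (value >> 13))

def parse_record(buf):
    """Parse one 64-byte record into a dict; reject unknown format versions."""
    f = ACCT_V3.unpack(buf)
    if f[1] != 3:
        raise ValueError("unsupported acct version %d" % f[1])
    return {
        "flags": [name for bit, name in FLAGS.items() if f[0] & bit],
        "exitcode": f[3], "uid": f[4], "gid": f[5], "pid": f[6], "ppid": f[7],
        "btime": f[8], "etime": f[9],
        "utime": comp_t(f[10]), "stime": comp_t(f[11]),
        "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
    }

def scan(data, uid=None, comm=None):
    """Yield parsed records, optionally filtered by real uid and/or command."""
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        rec = parse_record(data[off:off + ACCT_V3.size])
        if (uid is None or rec["uid"] == uid) and (comm is None or rec["comm"] == comm):
            yield rec

def make_record(flag, uid, pid, ppid, comm, utime_ticks=0):
    """Build a constructed acct_v3 record for the sample below (not real data)."""
    return ACCT_V3.pack(flag, 3, 0, 0, uid, 0, pid, ppid, 1000000000, 0.5,
                        utime_ticks, 0, 0, 0, 0, 0, 0, 0, comm.ljust(16, "\0").encode())

# Constructed sample file: three process exits; the middle one carries ASU,
# meaning the process used superuser privileges, which is the interesting one.
SAMPLE = b"".join([
    make_record(0x01, 1000, 4201, 1, "bash"),
    make_record(0x02, 0, 4202, 4201, "rm", utime_ticks=0x2010),
    make_record(0x01, 1000, 4203, 4201, "ls"),
])

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(r["pid"], r["uid"], r["comm"], r["flags"], r["utime"])
```

Point it at a real file by replacing SAMPLE with the bytes read from the accounting file that accton was told to write; the 16-byte command name is truncated by the kernel, so it cannot show arguments the way a syscall-level auditor can.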

  16. This is nothing new, and NOT "first ever" by Anonymous Coward · · Score: 2, Informative

    If you look at the proceedings of the 1999 O'Reilly Open Source Convention, somebody presented a paper on a loadable kernel module for Linux (called "Laudit") that enabled auditing/event monitoring in the kernel. This one is essentially the same idea (except Laudit had a command-line / /proc API).

    Regards

  17. Rude and offtopic... by swordgeek · · Score: 3, Funny

    ...but I find that whenever I go to type BSM (into a search engine, whatever), my fingers want to type BDSM.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban