Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Auditing for Linux

Posted by michael on from the whodunnit dept.

malibu_mex writes: "LinuxToday, ZDNet Australia, and NewsForge are all reporting on a loadable kernel module + GUI combination that implements an auditing subsystem on Linux (Like the NT event logger, or solaris BSM). This could be yet another reason for big business and government to migrate away from the costly commercial alternatives to Linux. First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names? This topic has been discussed on Slashdot previously here."

11 of 112 comments (clear)

  1. Another Link by _DMan_ · · Score: 3, Insightful

    CNET

    Although this storuy claims "is the first intrusion detection system to reside on individual computers rather than a network"
    which is clearly wrong.

  2. 5 letter aussies by FrankBough · · Score: 5, Funny

    First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names?

    Apparently the first idea for a name was System Tracking, User Protection and Intrusion Detection but they thought that would be stupid.

  3. For those who dont know by nervlord1 · · Score: 3, Redundant

    Loadable Kernel Module means you dont have to recompile your kernel, i know for some people (me!!) not having to recompile your kernel is a big importance (i might be wrong on this, but thats what i remember, ill try and install it myself just to verify)

    --
    Microsoft IIS is to webserving as KFC is to healthy eating
    1. Re:For those who dont know by Anders · · Score: 3, Informative

      Loadable Kernel Module means you dont have to recompile your kernel, i know for some people (me!!) not having to recompile your kernel is a big importance

      Indeed, modules are very nice compared to a kernel patch. You not have to recompile and reboot your kernel and you do not have to keep applying the same patch when you do install a new kernel.

      That being said, you probably still have to compile the module itself and therefore still need the kernel source installed (unless someone provides a binary module for your particular kernel revision). And there are limits to what you can do in a module, which is of course the reason that most kernel additions out there are in the form of patch files.

      Basically, an addition might go into a module, but modifications to existing beaviour often need to touch the kernel itself.

  4. tail -f /var/log/messages by Nijika · · Score: 3, Insightful
    Ok folks, here's the deal; It's not the fancy little GUI widgets that sell Windows solutions, it's the full color two page ads in "CXO Magazine", or some other publication. It's the paid fud, it's the sales calls, it's the brand name the CxO sees when they head out to Wal-Mart. It's the last 20 years of business computing history, NOT THE GADGETS.

    The people that make the decisions to go Microsoft will almost never touch the systems they implement.

    Tough cookies, but that's the real deal. Don't believe me? Go to a magazine store and pick up some financial glossies...

    --
    Luck favors the prepared, darling.
    1. Re: tail -f /var/log/messages by foo+fighter · · Score: 3, Insightful

      I would like to kindly disagree.

      While they weren't huge cases (handful of servers, 250-500 machines/users) my organization has chosen Windows NT for our Network Operating System solution and desktop OS in the past precisely because of the 'widgets' which made security administration much easier than on linux.

      The Event Log utility makes tracking system, application, and security events a breeze. Having the ACL controls integrated into the system and file manager makes controlling access much more flexible (IMHO, not trying to start a flame) than linux's traditional methods.

      Finally, in the organizations I've worked in the Executives relied heavily on input from the engineers who would be running the systems. They realized that the sysadmins had a better idea of what was needed than they did, and acted on that information accordingly.

      --
      obviously no deficiencies vs. no obvious deficiencies
  5. Quote from Leigh in response..... by Vermifax · · Score: 5, Informative
    ...to being questioned about being first posted to ZDnet talkback
    Anon is right in saying that there have been other logging tools for Linux, linuxbsm in particular has come a long way. Unfortunately though, some of these tools are either focussed on different logging capabilities (eg: swatch is a log file watcher, it alerts users when a particular line occurs in arbitrary log files, and can actually be used in conjunction with SNARE), or seem to be stalled in development.

    SNARE is more like the Windows NT event logger, or the Solaris BSM subsystem - but we hope that the experience we've had with these systems (and others: AIX, netware, Unicos, ACF2/RACF, etc.) will lead to an even better implementation for Linux.

    The team at InterSect made sure that we held off releasing SNARE until we were confident that it could stand on it's own feet against the auditing subsystems from other operating systems.

    The positive feedback that we're getting (thanks Sinner!) is certainly proving that people are interested, and we made the right decision.
    --

    Vermifax

    Logout
  6. Re:Already here? by fanatic · · Score: 4, Informative

    This provides the ability to monitor individual system activities that your solution lacks. For example, you could monitor each time files were opened for reading or writing, etc. It appears that you can also specify which files using matches, including regular expressions. You can find out who ran what programs with what parameters (all the system commands like rm are programs).

    There was a previous thing like tis at hert.org, but it doesn't seem to be kept up anymore.

    This may be the first real reason I've seen to upgrade my particular installation to 2.4 kernel.

    The provision of GUI tools is nice. But my experience with Solaris BSM was that it proiduced so much output that you ended up using text tools (grep, awk, sed, perl) and running little programs that many minutes or several hours to run to get the meaningful information from out of the chaff.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  7. Re:Been done by Birdie-PL · · Score: 5, Interesting

    No, it's not just a glorified facelift for the various /var/log parts.

    With SNARE you are able to monitor much, much more than what appears in /var/log. In example you can check who and when opened a particular file (like /etc/passwd) or run a particular process, and with what command-line options. Or which program bound to some port (great for detecting trojans 'calling home').

    I assume that you can also enhance it to monitor *all* system calls, if you are particulary interested or aware of some. Nothing comes to my mind right now, but for sure there some you wish to monitor, if not control.

    --
    e-mail: karol at tls-technologies.com
    www: http://www.tls-technologies.com
    sig: not found
  8. Knee Jerk Reaction by weave · · Score: 4, Interesting
    Event logging on NT/2000 sucks.

    • No central log host capability
    • Tools to search it are crap
    • Have to use a GUI interface to read it or dump it to a text file

    OK, yes, there are third-party tools you can purchase extra to provide better functionality or you have to write some vbscript on your own to get the info. My point is, crap like this should be part of the OS. I'd rather have useful tools than a flock()ing media player, web browser, and instant messenger as part of the OS. :(

    But to get back to the topic, yeah, having better auditing tools under Linux is needed. Just don't look up to Windows as the way to implement them! :)

  9. Rude and offtopic... by swordgeek · · Score: 3, Funny

    ...but I find that whenever I go to type BSM (into a search engine, whatever), my fingers want to type BDSM.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban