Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Auditing for Linux

Posted by michael on from the whodunnit dept.

malibu_mex writes: "LinuxToday, ZDNet Australia, and NewsForge are all reporting on a loadable kernel module + GUI combination that implements an auditing subsystem on Linux (Like the NT event logger, or solaris BSM). This could be yet another reason for big business and government to migrate away from the costly commercial alternatives to Linux. First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names? This topic has been discussed on Slashdot previously here."

3 of 112 comments (clear)

  1. 5 letter aussies by FrankBough · · Score: 5, Funny

    First it was SAMBA, now it's SNARE. What have these Aussies got with 5 letter 'S' names?

    Apparently the first idea for a name was System Tracking, User Protection and Intrusion Detection but they thought that would be stupid.

  2. Quote from Leigh in response..... by Vermifax · · Score: 5, Informative
    ...to being questioned about being first posted to ZDnet talkback
    Anon is right in saying that there have been other logging tools for Linux, linuxbsm in particular has come a long way. Unfortunately though, some of these tools are either focussed on different logging capabilities (eg: swatch is a log file watcher, it alerts users when a particular line occurs in arbitrary log files, and can actually be used in conjunction with SNARE), or seem to be stalled in development.

    SNARE is more like the Windows NT event logger, or the Solaris BSM subsystem - but we hope that the experience we've had with these systems (and others: AIX, netware, Unicos, ACF2/RACF, etc.) will lead to an even better implementation for Linux.

    The team at InterSect made sure that we held off releasing SNARE until we were confident that it could stand on it's own feet against the auditing subsystems from other operating systems.

    The positive feedback that we're getting (thanks Sinner!) is certainly proving that people are interested, and we made the right decision.
    --

    Vermifax

    Logout
  3. Re:Been done by Birdie-PL · · Score: 5, Interesting

    No, it's not just a glorified facelift for the various /var/log parts.

    With SNARE you are able to monitor much, much more than what appears in /var/log. In example you can check who and when opened a particular file (like /etc/passwd) or run a particular process, and with what command-line options. Or which program bound to some port (great for detecting trojans 'calling home').

    I assume that you can also enhance it to monitor *all* system calls, if you are particulary interested or aware of some. Nothing comes to my mind right now, but for sure there some you wish to monitor, if not control.

    --
    e-mail: karol at tls-technologies.com
    www: http://www.tls-technologies.com
    sig: not found