Re: c2 (or c2-like) auditing for Linux

From: Leigh Purdie (Leigh.Purdieat_private)
Date: Fri Jan 24 2003 - 21:16:19 PST

  • Next message: Russell Coker: "Re: c2 (or c2-like) auditing for Linux"

    G'day Nathan, (All: FYI / Comment)
    Snare ( is designed
    to be a C2-style audit capability for Linux, and works on RH7.2 (as well
    as 7.1, 7.3, and as of last night, 8.0, plus Suse / Mandrake, and Debian
    Woody+). Snare operates as a kernel module (at present), and so no
    kernel recompiles are required. There is also a user-space audit daemon,
    and a configuration/monitoring GUI available as an open-source/free
    Note however, that although we were attempting to meet the general
    principals of C2, we did not design it to be strictly C2-compliant (or
    more to the point, "CAPP compliant", which is the new version of C2 as
    Casey will quite rightly point out if I don't mention it here ;)
    Instead, we were trying to take quite a few years of working with audit
    trails on various operating systems (AIX, SunOS / Solaris, Windows,
    Unicos, + others) and a whole bunch of organisations (including DSD -
    Australias' infosec authority), and distill the more useful aspects into
    an auditing subsystem that makes audit configuration and analysis into
    less of a chore, and more of a resource.
    SNARE is currently in use within the Australian Department of Defence,
    has been evaluate by MITRE, and is one of the key 100-or-so open source
    tools identified recently in the Defense Information Systems Agency
    (DISA) report on the "Use of open-source software in the US Department
    of Defense". A FAQ on the same subject ("DoD Q&A on Use of Open Source
    Software") states in part, "Tools such as SARA, Snort, SNARE, and ACID
    protect networks by preemptively finding security vulnerabilities, and
    by watching for attempts to break into networks.". SNARE has also had a
    few reviews - have a look at the following links if you're interested:
    The method that SNARE uses to grab audit events is not an optimal
    solution, and there needs to be a better long term plan. As such, our
    goal is to migrate SNARE into a LSM-capable module, and we have already
    taken a few steps along that path. Once the LSM hooks we need are
    available in an operational kernel, we're hoping to move SNARE in this
    direction. However, in parallel, we're working to look at the options
    associated with direct inclusion - I'm not really sure at this point in
    time whether auditing should be a core capability (ie: built in), or
    should be available as a module, and would welcome feedback on this. The
    guys from RedHat have given quite a bit of assistance towards
    direct-kernel integration, and were considering including snare in 8.0.
    The Mandrake security guys are also interested - but unfortunately,
    we've had too much work on recently to follow these up these
    opportunities. However, we now have a development kernel with integrated
    SNARE, that offers around 90% functionality of the snare kernel module -
    so at least, we have options.
    As to other options, unfortunately the guys responsible for linuxBSM
    have gone on to bigger and better things (their work was a great
    inspiration for our code however). Casey and the guys at SGI were
    working towards a fully CAPP compliant implementation, and HP had
    something of an audit capability working in their "Secure linux"
    distribution (which they recently canned apparently?).. Other than this,
    you might be interested in a tool called 'syscalltrack'. Although
    predominantly designed as a debugging tool, it can be used for auditing
    system calls..
    So in summary:
    * Snare is here, now, and works on most modern distributions.
    * Snare is NOT strictly C2/CAPP, but has similar goals.
    * Our long term plan is to move to a LSM module if possible, though a
    kernel patch (or integration into key distributions) is also a
    1) We would definitely welcome any contributions to SNARE.
    2) If anyone is interested, we've just finished off Snare for Solaris /
    Snare for Windows - both GPL. Drop me a mail if anyone is interested in
    beta testing.
    Hope this helps!
    On Sat, 2003-01-25 at 13:47, Nathan Bardsley wrote:
    > Hello everyone.  I'm trying to find out what the current status of 
    > c2-like auditing for Linux is.  The most recent info I've found has been 
    > on the LSM list from the summer of 2001, almost 18 months ago.  The only 
    > linuxBSM release is over two years old.  The documents for linux-privs 
    > seem to have sufficent detail, but it looks like the implementation 
    > hasn't gotten that far.
    > I'm wondering how feasible it is to get that level of auditing into a 
    > modern Linux distribution (hypothetically speaking Red Hat 7.2).  If it 
    > is feasible, either as source code or a product, I'm very interested in 
    > expert opinions on how quickly it could be made real.
    > Thanks for your time.
    > --Nathan
    Leigh Purdie, Director - InterSect Alliance Pty Ltd
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 21:11:46 PST