G'day Nathan, (All: FYI / Comment)
Snare (www.intersectalliance.com/projects/Snare/index.html) is designed
to be a C2-style audit capability for Linux, and works on RH7.2 (as well
as 7.1, 7.3, and as of last night, 8.0, plus Suse / Mandrake, and Debian
Woody+). Snare operates as a kernel module (at present), and so no
kernel recompiles are required. There is also a user-space audit daemon,
and a configuration/monitoring GUI available as an open-source/free
download.
Note however, that although we were attempting to meet the general
principals of C2, we did not design it to be strictly C2-compliant (or
more to the point, "CAPP compliant", which is the new version of C2 as
Casey will quite rightly point out if I don't mention it here ;)
Instead, we were trying to take quite a few years of working with audit
trails on various operating systems (AIX, SunOS / Solaris, Windows,
Unicos, + others) and a whole bunch of organisations (including DSD -
Australias' infosec authority), and distill the more useful aspects into
an auditing subsystem that makes audit configuration and analysis into
less of a chore, and more of a resource.
SNARE is currently in use within the Australian Department of Defence,
has been evaluate by MITRE, and is one of the key 100-or-so open source
tools identified recently in the Defense Information Systems Agency
(DISA) report on the "Use of open-source software in the US Department
of Defense". A FAQ on the same subject ("DoD Q&A on Use of Open Source
Software") states in part, "Tools such as SARA, Snort, SNARE, and ACID
protect networks by preemptively finding security vulnerabilities, and
by watching for attempts to break into networks.". SNARE has also had a
few reviews - have a look at the following links if you're interested:
http://www.samag.com/documents/s=7467/sam0208a/0208a.htm
http://www.infoworld.com/articles/tc/xml/02/01/28/020128tcsnare.xml
The method that SNARE uses to grab audit events is not an optimal
solution, and there needs to be a better long term plan. As such, our
goal is to migrate SNARE into a LSM-capable module, and we have already
taken a few steps along that path. Once the LSM hooks we need are
available in an operational kernel, we're hoping to move SNARE in this
direction. However, in parallel, we're working to look at the options
associated with direct inclusion - I'm not really sure at this point in
time whether auditing should be a core capability (ie: built in), or
should be available as a module, and would welcome feedback on this. The
guys from RedHat have given quite a bit of assistance towards
direct-kernel integration, and were considering including snare in 8.0.
The Mandrake security guys are also interested - but unfortunately,
we've had too much work on recently to follow these up these
opportunities. However, we now have a development kernel with integrated
SNARE, that offers around 90% functionality of the snare kernel module -
so at least, we have options.
As to other options, unfortunately the guys responsible for linuxBSM
have gone on to bigger and better things (their work was a great
inspiration for our code however). Casey and the guys at SGI were
working towards a fully CAPP compliant implementation, and HP had
something of an audit capability working in their "Secure linux"
distribution (which they recently canned apparently?).. Other than this,
you might be interested in a tool called 'syscalltrack'. Although
predominantly designed as a debugging tool, it can be used for auditing
system calls..
So in summary:
* Snare is here, now, and works on most modern distributions.
* Snare is NOT strictly C2/CAPP, but has similar goals.
* Our long term plan is to move to a LSM module if possible, though a
kernel patch (or integration into key distributions) is also a
possibility.
BTW:
1) We would definitely welcome any contributions to SNARE.
2) If anyone is interested, we've just finished off Snare for Solaris /
Snare for Windows - both GPL. Drop me a mail if anyone is interested in
beta testing.
Hope this helps!
Regards,
Leigh.
On Sat, 2003-01-25 at 13:47, Nathan Bardsley wrote:
> Hello everyone. I'm trying to find out what the current status of
> c2-like auditing for Linux is. The most recent info I've found has been
> on the LSM list from the summer of 2001, almost 18 months ago. The only
> linuxBSM release is over two years old. The documents for linux-privs
> seem to have sufficent detail, but it looks like the implementation
> hasn't gotten that far.
>
> I'm wondering how feasible it is to get that level of auditing into a
> modern Linux distribution (hypothetically speaking Red Hat 7.2). If it
> is feasible, either as source code or a product, I'm very interested in
> expert opinions on how quickly it could be made real.
>
> Thanks for your time.
>
> --Nathan
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 21:11:46 PST