G'day Nathan, (All: FYI / Comment)

Snare (www.intersectalliance.com/projects/Snare/index.html) is designed to be a C2-style audit capability for Linux, and works on RH7.2 (as well as 7.1, 7.3, and as of last night, 8.0, plus Suse / Mandrake, and Debian Woody+). Snare operates as a kernel module (at present), and so no kernel recompiles are required. There is also a user-space audit daemon, and a configuration/monitoring GUI available as an open-source/free download.

Note however, that although we were attempting to meet the general principles of C2, we did not design it to be strictly C2-compliant (or more to the point, "CAPP compliant", which is the new version of C2 as Casey will quite rightly point out if I don't mention it here ;)

Instead, we were trying to take quite a few years of working with audit trails on various operating systems (AIX, SunOS / Solaris, Windows, Unicos, + others) and a whole bunch of organisations (including DSD - Australia's infosec authority), and distill the more useful aspects into an auditing subsystem that makes audit configuration and analysis into less of a chore, and more of a resource.

SNARE is currently in use within the Australian Department of Defence, has been evaluated by MITRE, and is one of the key 100-or-so open source tools identified recently in the Defense Information Systems Agency (DISA) report on the "Use of open-source software in the US Department of Defense". A FAQ on the same subject ("DoD Q&A on Use of Open Source Software") states in part, "Tools such as SARA, Snort, SNARE, and ACID protect networks by preemptively finding security vulnerabilities, and by watching for attempts to break into networks."

SNARE has also had a few reviews - have a look at the following links if you're interested:
http://www.samag.com/documents/s=7467/sam0208a/0208a.htm
http://www.infoworld.com/articles/tc/xml/02/01/28/020128tcsnare.xml

The method that SNARE uses to grab audit events is not an optimal solution, and there needs to be a better long term plan. As such, our goal is to migrate SNARE into a LSM-capable module, and we have already taken a few steps along that path. Once the LSM hooks we need are available in an operational kernel, we're hoping to move SNARE in this direction.

However, in parallel, we're working to look at the options associated with direct inclusion - I'm not really sure at this point in time whether auditing should be a core capability (ie: built in), or should be available as a module, and would welcome feedback on this. The guys from RedHat have given quite a bit of assistance towards direct-kernel integration, and were considering including snare in 8.0. The Mandrake security guys are also interested - but unfortunately, we've had too much work on recently to follow up these opportunities. However, we now have a development kernel with integrated SNARE, that offers around 90% functionality of the snare kernel module - so at least, we have options.

As to other options, unfortunately the guys responsible for linuxBSM have gone on to bigger and better things (their work was a great inspiration for our code however). Casey and the guys at SGI were working towards a fully CAPP compliant implementation, and HP had something of an audit capability working in their "Secure linux" distribution (which they recently canned apparently?).. Other than this, you might be interested in a tool called 'syscalltrack'. Although predominantly designed as a debugging tool, it can be used for auditing system calls..

So in summary:
* Snare is here, now, and works on most modern distributions.
* Snare is NOT strictly C2/CAPP, but has similar goals.
* Our long term plan is to move to a LSM module if possible, though a kernel patch (or integration into key distributions) is also a possibility.

BTW:
1) We would definitely welcome any contributions to SNARE.
2) If anyone is interested, we've just finished off Snare for Solaris / Snare for Windows - both GPL. Drop me a mail if anyone is interested in beta testing.

Hope this helps!

Regards,

Leigh.

On Sat, 2003-01-25 at 13:47, Nathan Bardsley wrote:
> Hello everyone. I'm trying to find out what the current status of
> c2-like auditing for Linux is. The most recent info I've found has been
> on the LSM list from the summer of 2001, almost 18 months ago. The only
> linuxBSM release is over two years old. The documents for linux-privs
> seem to have sufficient detail, but it looks like the implementation
> hasn't gotten that far.
>
> I'm wondering how feasible it is to get that level of auditing into a
> modern Linux distribution (hypothetically speaking Red Hat 7.2). If it
> is feasible, either as source code or a product, I'm very interested in
> expert opinions on how quickly it could be made real.
>
> Thanks for your time.
>
> --Nathan

--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/

linux-security-module mailing list
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 21:11:46 PST