[linux-security] Re: You got some 'splaininn to do Lucy ;-)
- From: Stuart Staniford-Chen <stuart SiliconDefense com>
- To: Kirwan Marty <Kirwan_Marty prc com>
- Cc: linux-security redhat com, Robust-Open-Source List <open-source csl sri com>
- Subject: [linux-security] Re: You got some 'splaininn to do Lucy ;-)
- Date: Wed, 28 Jul 1999 16:45:48 -0700
[Message from linux-security redhat com cc:d to open-source csl sri com also]
Kirwan Marty wrote:
>
> We just had a security application vendor come in. We asked about Linux
> support and he said that putting a security application on top of an
> insecure OS was useless. When I asked what he meant by insecure he replied
> that Linux does not have a true Auditing capability - as opposed to HP-UX &
> Solaris which they do support. Can anyone explain to me what he was talking
> about?

He's probably referring to OS system call auditing - i.e. the ability to create
an audit trail of all the system calls that were issued along with ancillary
information (the UID, PID, etc of the caller, the arguments and return code
of the system call, etc). Having this information is a requirement of the
DOD "Orange Book" criteria for a system to be rated C2 or above.

This information is mostly of value to host-based Intrusion Detection systems
which examine the audit trail looking for evidence of break-ins or
misbehaviour.

AFAIK, there isn't an audit trail for Linux. Anyone know of any projects to
create one? How about other free Unix-like systems?

Assuming there isn't, the argument "Our host-based IDS cannot work on Linux
because it doesn't provide any audit data for us to use," is fair enough.

The argument, "Our <some other kind of security application> doesn't work on
Linux because the fact that Linux doesn't have an audit trail proves Linux is
not secure enough" is bull.

Stuart Staniford-Chen
--
Stuart Staniford-Chen --- President --- Silicon Defense
stuart silicondefense com
(707) 822-4588 (707) 826-7571 (FAX)
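
An added example, not part of the original message: a minimal host-based check over a system call audit trail of the kind described above, flagging callers with repeated permission-denied calls. The record format, field names, threshold and sample lines are constructed for illustration and assume `ret` holds a negative errno on failure; they are not the format of any real audit subsystem.

```python
from collections import Counter

# Constructed audit trail in a hypothetical key=value format, one system call
# per line; ret is assumed to be a negative errno on failure.
SAMPLE_TRAIL = """\
time=933205548 pid=412 uid=0 syscall=open args=/etc/passwd,O_RDONLY ret=3
time=933205550 pid=977 uid=501 syscall=open args=/etc/shadow,O_RDONLY ret=-13
time=933205551 pid=977 uid=501 syscall=open args=/etc/shadow,O_RDONLY ret=-13
time=933205552 pid=977 uid=501 syscall=open args=/etc/shadow,O_RDONLY ret=-13
time=933205553 pid=977 uid=501 syscall=setuid args=0 ret=-1
time=933205560 pid=1020 uid=502 syscall=open args=/home/amy/notes,O_RDONLY ret=3
truncated record with no fields
"""
REQUIRED = ("time", "pid", "uid", "syscall", "args", "ret")
DENIED = (-1, -13)  # -EPERM, -EACCES

def parse_record(line):
    """Return one audit record as a dict, or None if the line is malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if any(key not in fields for key in REQUIRED):
        return None
    try:
        for key in ("time", "pid", "uid", "ret"):
            fields[key] = int(fields[key])
    except ValueError:
        return None
    fields["args"] = fields["args"].split(",")
    return fields

def parse_trail(text):
    """Parse every line; count malformed ones instead of silently dropping them."""
    parsed = [parse_record(line) for line in text.splitlines()]
    records = [rec for rec in parsed if rec is not None]
    return records, len(parsed) - len(records)

def denied_bursts(records, threshold=3):
    """Non-root (uid, pid) callers with at least `threshold` permission-denied calls."""
    denied = Counter((r["uid"], r["pid"]) for r in records
                     if r["uid"] != 0 and r["ret"] in DENIED)
    return sorted(key for key, count in denied.items() if count >= threshold)

if __name__ == "__main__":
    records, rejected = parse_trail(SAMPLE_TRAIL)
    print(f"{len(records)} records, {rejected} rejected")
    for uid, pid in denied_bursts(records):
        print(f"ALERT uid={uid} pid={pid}: repeated permission-denied system calls")
```

The rejected-line count is worth reporting alongside alerts, since gaps or corruption in an audit trail are themselves something an analyst needs to know about.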