[linux-security] Re: You got some 'splaininn to do Lucy ;-)
- From: "R. DuFresne" <dufresne sysinfo com>
- To: Stuart Staniford-Chen <stuart SiliconDefense com>
- Cc: Kirwan Marty <Kirwan_Marty prc com>, linux-security redhat com, Robust-Open-Source List <open-source csl sri com>, recipient list not shown: ;
- Subject: [linux-security] Re: You got some 'splaininn to do Lucy ;-)
- Date: Thu, 29 Jul 1999 03:34:43 -0500 (CDT)
I don't know, isn't process auditing more useful for insiders doing hacks
to the system than outsiders? Process auditing is one way time shared
systems track usage data so as to help charge effectively, and to track
buggy apps and those insiders trying to hack up to a user level they are
not given on the system.
Thanks,
Ron DuFresne
P.S.:
more /usr/local/src/auditd/COPYING
/*-
*
* Audit Daemon for Linux (v1.11)
* Markus Wolf <klog hert org>, Promisc Security
*
* Copyright (C) 1999 Hacker Emergency Response Team
* http://www.hert.org
*
* This file is part of Audit Daemon
*
...
more /usr/local/src/auditd/INSTALL
!!! PATCH NOT AVAILABLE FOR 2.2.0 YET !!!
If you already installed a previous version of auditd:
# patch -d /usr/src -R < [old_audit.patch]
To install the new auditd:
# vi Makefile
# vi audit.h
# make
# make install
# ./kpatch
# cd /usr/src/linux
# make clean;make depend;make zlilo
# reboot
Good luck !
On Wed, 28 Jul 1999, Stuart Staniford-Chen wrote:
>
> [Message from linux-security redhat com cc:d to open-source csl sri com also]
>
> Kirwan Marty wrote:
> >
> > We just had a security application vendor come in. We asked about Linux
> > support and he said that putting a security application on top of an
> > insecure OS was useless. When I asked what he meant by insecure he replied
> > that Linux does not have a true Auditing capability - as opposed to HP-UX &
> > Solaris which they do support. Can anyone explain to me what he was talking
> > about?
>
> He's probably referring to OS system call auditing - ie the ability to create
> an audit trail of all the system calls that were issued along with ancillary
> information (the UID, PID, etc of the caller, the arguments and return code
> of the system call, etc). Having this information is a requirement of the
> DOD "Orange Book" criteria for a system to be rated C2 or above.
>
> This information is mostly of value to host based Intrusion Detection systems
> which examine the audit trail looking for evidence of break-ins or
> misbehaviour.
>
> AFAIK, there isn't an audit trail for Linux. Anyone know of any projects to
> create one? How about other free Unix-like systems?
>
> Assuming there isn't, the argument "Our host based IDS cannot work on Linux
> because it doesn't provide any audit data for us to use," is fair enough.
> The argument, "Our <some other kind of security application> doesn't work on
> Linux because the fact that Linux doesn't have an audit trail proves Linux is
> not secure enough" is bull.
>
> Stuart Staniford-Chen
>
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
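A toy version of the host-based check Stuart describes (examine a trail of system calls, each carrying PID, UID, effective UID, arguments and return code, for signs of misbehaviour), added here as an example and not code from this thread or from the HERT auditd. The record format, the sample lines and the two checks are constructed assumptions for illustration.

```python
"""Toy host-based IDS pass over a constructed system-call audit trail."""
from collections import defaultdict

# Constructed audit trail (not real auditd output): one record per line,
# fields are pid, uid, euid, syscall name, argument, return code.
AUDIT_TRAIL = """\
pid=1201 uid=1000 euid=1000 call=open args=/home/alice/notes ret=3
pid=1201 uid=1000 euid=1000 call=open args=/etc/shadow ret=-EACCES
pid=1201 uid=1000 euid=1000 call=open args=/etc/sudoers ret=-EACCES
pid=1201 uid=1000 euid=1000 call=open args=/root/.ssh/id_rsa ret=-EACCES
pid=1202 uid=1000 euid=1000 call=execve args=/usr/bin/passwd ret=0
pid=1202 uid=1000 euid=0 call=open args=/etc/shadow ret=4
pid=1203 uid=1000 euid=1000 call=open args=/tmp/work ret=3
pid=1203 uid=1000 euid=0 call=open args=/etc/shadow ret=4
"""

SENSITIVE = ("/etc/shadow", "/etc/sudoers", "/root/")  # assumed watch list
DENIED = ("-EACCES", "-EPERM")


def parse(trail):
    """Turn key=value records into one dict per non-empty line."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in trail.splitlines() if line.strip()]


def analyze(trail, denied_threshold=3):
    """Return alert strings for two patterns an audit trail makes visible:
    repeated denied opens of sensitive files by a non-root uid, and a
    process whose effective uid became 0 with no preceding execve
    (so no setuid binary can account for the transition)."""
    alerts = []
    denied = defaultdict(int)
    execd = set()        # pids that went through a successful execve
    flagged_root = set()
    for r in parse(trail):
        pid, uid, euid = r["pid"], r["uid"], r["euid"]
        if r["call"] == "execve" and r["ret"] == "0":
            execd.add(pid)
        if (r["call"] == "open" and r["ret"] in DENIED and uid != "0"
                and r["args"].startswith(SENSITIVE)):
            denied[pid] += 1
            if denied[pid] == denied_threshold:
                alerts.append(f"pid {pid} uid {uid}: {denied_threshold} "
                              "denied opens of sensitive files")
        if euid == "0" and uid != "0" and pid not in execd and pid not in flagged_root:
            flagged_root.add(pid)
            alerts.append(f"pid {pid} uid {uid}: effective uid 0 without a preceding execve")
    return alerts
```

Running `analyze(AUDIT_TRAIL)` on the constructed trail flags pid 1201 (three denied sensitive opens) and pid 1203 (euid 0 with no execve) while leaving pid 1202, which went through /usr/bin/passwd, alone.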