[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[linux-security] Re: You got some 'splaininn to do Lucy ;-)
"R. DuFresne" wrote:
> 
> I don't know, isn't process auditing more useful for insiders doing hacks
> to the system than outsiders?  Process auditing is one way time-shared
> systems track usage data so as to help charge effectively, and to track
> buggy apps and those insiders trying to hack up to a user level they are
> not given on the system.

There are two different systems - almost all Unix[-like] systems (including
Red Hat) by default have process accounting ("man acct", "man lastcomm").  It
basically measures how much of various resources a given execution of a
program uses (e.g. CPU usage).  That system was originally developed so
that users could be charged for their computer use (back in the days when
computers were expensive).  It is also somewhat useful for security analysis,
and some research IDS systems have made use of the data (e.g. SRI's NIDES
system attempted to distinguish someone masquerading as a different user if
the statistical distribution of the commands they used changed suddenly;
NIDES obtained this information from process accounting).  AFAIK, commercial
IDS systems don't make use of process accounting.

System call auditing is much more detailed - every goddamn system call a
process makes is recorded (well, usually exactly which system calls are
audited is configurable).  It is *only* useful for security purposes.
Commercial host-based IDS systems use it.  And yes, it's mainly useful for
detecting illegal transitions to root.

> 
> more /usr/local/src/auditd/COPYING

Thanks for the pointer!  I'll have to play with it.

Stuart.


-- 
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart silicondefense com
(707) 822-4588                     (707) 826-7571 (FAX)
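The NIDES idea Stuart mentions (spotting a masquerader because the mix of commands run under an account suddenly changes) as an added, stand-alone example. This is not NIDES' actual statistics and not code from the message or from Silicon Defense. The process-accounting records are constructed in the shape of lastcomm(1)'s default columns, and the choice of the Hellinger distance as the divergence measure, the sample-size minimums and the 0.5 alerting threshold are all this example's own assumptions:

```python
"""Command-mix drift per user from process-accounting records.

Added example only, in the spirit of the NIDES approach: build a baseline
of which commands a user normally runs, then compare a recent window to it.
Records are constructed; the distance measure and thresholds are assumed.
"""
import math
from collections import Counter

# Constructed records laid out like lastcomm(1)'s default columns:
#   command [flag] user tty cpu-seconds "secs" timestamp
# lastcomm prints an optional one-letter flag (S, F, D, X) between the
# command and the user; the parser skips it when present.
BASELINE = """\
ls        alice  pts/0   0.01 secs Mon Jan  5 09:01
vi        alice  pts/0   1.20 secs Mon Jan  5 09:02
make      alice  pts/0   5.30 secs Mon Jan  5 09:10
gcc     F alice  pts/0   3.10 secs Mon Jan  5 09:10
ls        alice  pts/0   0.01 secs Mon Jan  5 09:15
vi        alice  pts/0   0.90 secs Mon Jan  5 09:20
make      alice  pts/0   4.80 secs Mon Jan  5 09:31
gcc     F alice  pts/0   2.90 secs Mon Jan  5 09:31
ls        alice  pts/0   0.01 secs Mon Jan  5 09:40
ls        alice  pts/0   0.01 secs Mon Jan  5 09:41
lpr       bob    pts/1   0.05 secs Mon Jan  5 09:42
"""

# Same user, same habits: a normal-looking recent window (constructed).
NORMAL_WINDOW = """\
ls        alice  pts/0   0.01 secs Tue Jan  6 09:00
vi        alice  pts/0   1.10 secs Tue Jan  6 09:03
make      alice  pts/0   5.00 secs Tue Jan  6 09:12
gcc     F alice  pts/0   3.00 secs Tue Jan  6 09:12
ls        alice  pts/0   0.01 secs Tue Jan  6 09:13
"""

# Same account, different habits: commands alice never runs (constructed).
SUSPICIOUS_WINDOW = """\
id        alice  pts/3   0.01 secs Tue Jan  6 02:10
uname     alice  pts/3   0.01 secs Tue Jan  6 02:10
cat       alice  pts/3   0.01 secs Tue Jan  6 02:11
find      alice  pts/3   2.40 secs Tue Jan  6 02:12
ls        alice  pts/3   0.01 secs Tue Jan  6 02:14
"""

LASTCOMM_FLAGS = set("SFDX")


def parse_lastcomm(text):
    """Yield (command, user) pairs from lastcomm-style lines."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3:
            continue
        cmd, rest = tok[0], tok[1:]
        # Optional flag column.  A one-letter username would be misread
        # here; production code should parse lastcomm's fixed-width columns.
        if len(rest[0]) == 1 and rest[0] in LASTCOMM_FLAGS:
            rest = rest[1:]
        yield cmd, rest[0]


def command_profile(records, user):
    """Relative frequency of each command name for one user, plus count."""
    counts = Counter(cmd for cmd, u in records if u == user)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}, total


def hellinger(p, q):
    """Hellinger distance between two discrete distributions:
    0.0 for identical distributions, 1.0 for disjoint support."""
    bc = sum(math.sqrt(p[c] * q[c]) for c in p.keys() & q.keys())
    return math.sqrt(max(0.0, 1.0 - bc))  # guard float noise below zero


def masquerade_score(baseline_text, window_text, user,
                     min_baseline=10, min_window=5):
    """Distance between a user's historical and recent command mix, or
    None when either sample is too small to say anything (assumed minimums)."""
    base, n_base = command_profile(list(parse_lastcomm(baseline_text)), user)
    recent, n_win = command_profile(list(parse_lastcomm(window_text)), user)
    if n_base < min_baseline or n_win < min_window:
        return None
    return hellinger(base, recent)


def flag_masquerade(baseline_text, window_text, user, threshold=0.5):
    """True when the recent window diverges past the (assumed) threshold."""
    score = masquerade_score(baseline_text, window_text, user)
    return score is not None and score >= threshold
```

Run against the constructed data, alice's normal window scores about 0.0 and the reconnaissance-style window about 0.85, so only the latter is flagged; bob and an unknown user get no score at all because there is not enough baseline to compare against, which is the check that keeps a first-day account from alerting on every command. On a real box the text would come from `lastcomm` (or `sa`) output for the period of interest rather than from these literals.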
