
[linux-security] Re: You got some 'splaininn to do Lucy ;-)



On Wed, 28 Jul 1999, Stuart Staniford-Chen wrote:

> [Message from linux-security redhat com cc:d to open-source csl sri com also]
> 
> Kirwan Marty wrote:
> > 
> > We just had a security application vendor come in.  We asked about Linux
> > support and he said that putting a security application on top of an
> > insecure OS was useless.  When I asked what he meant by insecure he replied
> > that Linux does not have a true Auditing capability - as opposed to HP-UX &
> > Solaris which they do support.  Can anyone explain to me what he was talking
> > about?
> 
> He's probably referring to OS system call auditing - i.e. the ability to create
> an audit trail of all the system calls that were issued along with ancillary
> information (the UID, PID, etc of the caller, the arguments and return code
> of the system call, etc).  Having this information is a requirement of the
> DOD "Orange Book" criteria for a system to be rated C2 or above.
> 
> This information is mostly of value to host based Intrusion Detection systems
> which examine the audit trail looking for evidence of break-ins or
> misbehaviour.  
> 
> AFAIK, there isn't an audit trail for Linux.  Anyone know of any projects to
> create one?  How about other free Unix-like systems?

If it's not already doable with ptrace(), it should be a trivial
extension. It's just in user-space, rather than in the kernel. 

At best, auditing is a race anyway. A knowledgeable intruder[1] who
attains root can probably kill or spoof such local auditing before the
alarm is sounded.

--
 "Love the dolphins," she advised him. "Write by W.A.S.T.E.." 
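To make the "doable with ptrace()" remark concrete, here is an added example (not code from the thread or from any project it mentions) of a user-space system-call audit trail: a tracer forks a command, stops it at every system-call entry and exit, and writes one record per call carrying the fields the quoted message lists (caller's PID and UID, syscall number, arguments, return code). It assumes Linux on x86-64 (the register-to-argument mapping is that architecture's) and a readable /proc; syscall numbers are logged raw, without a name table. It also illustrates the caveat in the reply: the audit trail lives in an ordinary user-space process, so anyone who gains root on the host can simply kill or detach the tracer, which is why in-kernel auditing that survives such tampering is the stronger design.

```c
/* audit_trace.c: a minimal user-space system-call audit trail on top of
 * ptrace(2). Added example, not code from the thread. Linux x86-64 only.
 * Build: cc -Wall -o audit_trace audit_trace.c    Run: ./audit_trace /bin/true */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* One audit record: caller's PID and UID, syscall number, arguments, return code. */
struct audit_record {
    pid_t pid;
    uid_t uid;
    long nr;
    unsigned long args[6];
    long ret;
};

/* Render a record as one log line (snprintf semantics: returns the length). */
int format_audit_record(const struct audit_record *r, char *buf, size_t len)
{
    return snprintf(buf, len,
        "pid=%d uid=%u syscall=%ld args=[%#lx %#lx %#lx %#lx %#lx %#lx] ret=%ld",
        (int)r->pid, (unsigned)r->uid, r->nr, r->args[0], r->args[1],
        r->args[2], r->args[3], r->args[4], r->args[5], r->ret);
}

/* Real UID of a process from the "Uid:" line of /proc/<pid>/status,
 * or (uid_t)-1 if it cannot be read. */
uid_t read_tracee_uid(pid_t pid)
{
    char path[64], line[256];
    unsigned u;
    uid_t uid = (uid_t)-1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return uid;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Uid:\t%u", &u) == 1) { uid = u; break; }
    fclose(f);
    return uid;
}

#ifdef __x86_64__
/* At a syscall-entry stop on x86-64, orig_rax holds the number and
 * rdi, rsi, rdx, r10, r8, r9 hold the six arguments. */
static void record_from_regs(struct audit_record *r, pid_t pid,
                             const struct user_regs_struct *g)
{
    r->pid = pid;  r->uid = read_tracee_uid(pid);  r->nr = (long)g->orig_rax;
    r->args[0] = g->rdi; r->args[1] = g->rsi; r->args[2] = g->rdx;
    r->args[3] = g->r10; r->args[4] = g->r8;  r->args[5] = g->r9;
    r->ret = 0;   /* completed at the matching syscall-exit stop */
}

/* Run the tracee to completion, writing one record per system call to
 * stderr. Returns the tracee's exit status, or -1 on a ptrace failure. */
int trace_child(pid_t child)
{
    int status, sig = 0, in_syscall = 0;
    struct audit_record rec;
    struct user_regs_struct regs;
    char line[512];

    if (waitpid(child, &status, 0) < 0) return -1;        /* child's initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, child, NULL,
           (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEEXEC));
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, (void *)(long)sig) < 0) return -1;
        sig = 0;
        if (waitpid(child, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return -1;
        if (status >> 16) continue;                       /* ptrace event stop (exec) */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {       /* ordinary signal: */
            sig = WSTOPSIG(status);                       /* deliver it unchanged */
            continue;
        }
        if (ptrace(PTRACE_GETREGS, child, NULL, &regs) < 0) return -1;
        if (!in_syscall) {
            record_from_regs(&rec, child, &regs);
        } else {
            rec.ret = (long)regs.rax;                     /* return value or -errno */
            format_audit_record(&rec, line, sizeof line);
            fprintf(stderr, "%s\n", line);
        }
        in_syscall = !in_syscall;
    }
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                 /* let the tracer set its options first */
        execvp(argv[1], &argv[1]);
        perror("execvp");
        _exit(127);
    }
    return trace_child(child);
}
#endif
```

Each system call produces two ptrace stops, an entry stop (number and arguments are captured, and the UID is read before any exec can change it) and an exit stop (the return value in rax is added and the line is emitted); PTRACE_O_TRACESYSGOOD marks those stops with SIGTRAP|0x80 so they are not confused with real signals, which are passed through to the tracee unchanged.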


