Re: Auditing - Snare, LAuS, SELinux

On Wed, Sep 08, 2004 at 11:33:23AM +0200, Thomas Biege wrote: | | Such a setup is even prone to more errors resulting in problems while | doing post-mortem analysis. | | If someone has root to trash the hdd he is even able to delete log entries | no matter of the format. (btw: text, binary, it's all data. so just | using the right tools to grep can help...) Yes, if the data is formatted in such a way as to make that process simple, either through adequately descriptive binary encoding or by the use of some visually easily processed text format. I could see putting some redundancy and event numbering / date information into a binary format so that such custom tools could be written to scan for blocks on disk, but I can also imagine binary encodings that attempted to be parsimonious on space at the cost of retrievability in the event of a partial log host disk failure, and etc. I babble. I would rather see a textual format as well, just to aid in the programmatic analysis of the log files, but an openly documented binary format, with free code in the wild for doing analysis (Perl, Python modules..) would be a good second, there. | In an ideal setup logs are signed, encrypted, and sent away over a | dedicated secure network to a secure log host on-the-fly. | Keeping the logs only on the disc of an exposed machine is... stupid. :) Yet, completely adequate to the NISPOM Ch. 8, PL 1 regulations in the United States, oddly enough. Those regulations clearly say 'yeah, if your attacker has root, we don't really expect you to be able to do anything reliable in your auditing'. That doesn't make it not stupid, of course. ;-) Snare does come out of the box with support for remote logging and analysis. | Enhancing Rik's framework with LAuS code is really the best choice in my | opinion. So what are the low-level advantages of Rik's framework over LAuS, again? Just the low free trapping of syscalls in the non-audited case, and its current acceptance into the 2.6 line? What kind of userland tools are necessary now to really make audit.rik useful? Jon | Bye, | Thomas | -- | Thomas Biege <thomas(a)suse.de&gt;, SUSE LINUX AG, Security Support & Auditing | -- | Anyone who considers arithmetical methods of producing | random numbers is, of course, in a state of sin. | -- John von Neumann | | -- | Linux-audit mailing list | Linux-audit(a)redhat.com | http://www.redhat.com/mailman/listinfo/linux-audit -- ------------------------------------------------------------------------------- Jonathan Abbey jonabbey(a)arlut.utexas.edu Applied Research Laboratories The University of Texas at Austin GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg