Re: SELinux, LSM, SNARE ...

Sunday, 13 February 2005

Mike,

I can probably answer parts of your email. :)

We're hoping that Snare 0.9.7 will be the last one that actually
requires it's own custom kernel-level changes.

With a little luck, the next version of Snare will piggy-back on the
kernel changes you're seeing on the linux-audit list, providing some
extra capabilities & a nice user interface.

If Snare's extra features prove to be useful to a fair number of people,
then they may be rolled into the mainstream daemon at some point in the
future.

The current snare package (kernel + daemon + gui) probably has a role to
play in the next 12-18 months, until the key distributions integrate the
stable auditing code and start to become widespread, but the kernel side
of Snare should be considered to be in 'maintenance mode' only. The
daemon & gui will continue, and we'll try to preserve your existing
config as much as possible under the new kernel infrastructure.

So where to spend your time? Up to you obviously, but probably Snare for
older distributions (particularly 2.4 based), and the new audit
subsystem for any distributions that come out 3-6 months from now.
Hopefully Snare will help you ease the transition to the new code by
providing a familiar interface.

Leigh.

On Fri, 2005-02-11 at 13:23 -0500, M. Fecina wrote:
...
 All,

 I've been a lurking member of the SNARE development list
 and this list for quite some time.  My place of employment
 has need to meet NISPOM CH.8 requirements on Linux systems.
 Thus far, we've been using Leigh's SNARE 0.9.7 audit daemon
 with the necessary kernel patches.

 However, with all of the patches and progress being made
 on SELinux, I'm wondering what the comparison is between
 SNARE and SELinux.  I know SELinux is built-in to the 2.6
 kernel tree, and in conjunction with some userspace daemons (auditd),
 it can provide audit trails.

 Can anyone on this list tell me their thoughts on using SELinux
 to meet all the functionality that SNARE has (minus the front-end GUI)
 and to meet NISPOM ch.8 requirements?  What do I need to get SELinux to
 provide a similar implementation as SNARE?  Is there *one* place where
 all of the patches everyone has made on this list are rolled into?

 I'd like to know where I should be spending my time -- SNARE or SELinux.

 Thanks,
 M. Fecina
  -- 
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: SELinux, LSM, SNARE ...