3:48 p.m.
Steve,
Audit 1.6.7 prelude event adds look great - the extra info in the
prelude manager is very good.
Events: In the audisp code I see most of the AUDIT_ANOM "biggies" but
not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)? Also - gotta ask
- user logins but not logoffs?
Thanks,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
4:04 p.m.
On Wednesday 06 February 2008 16:48:14 LC Bruzenak wrote:
Events: In the audisp code I see most of the AUDIT_ANOM
"biggies" but
not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)?
That one is still TBD. I needed the define in libaudit.h so I could use it
later. I have to patch a few user space utilities to send the event.
Also - gotta ask user logins but not logoffs?
Logoffs have to be determined from session information. So, it takes some
extra logic to deduce. Also failed logins are pretty important as you may be
under attack, while logoffs you are never under attack. So, I don't know if
logoffs are worthy of an IDS alert. However, it would be fine for something
like an aulast command. Would that be helpful or do you see an IDS angle I'm
missing? Its a good question, though.
Thanks,
-Steve
4:19 p.m.
On Wed, 06 Feb 2008 17:04:12 EST, Steve Grubb said:
Logoffs have to be determined from session information. So, it takes
some
extra logic to deduce. Also failed logins are pretty important as you may be
under attack, while logoffs you are never under attack. So, I don't know if
logoffs are worthy of an IDS alert. However, it would be fine for something
like an aulast command. Would that be helpful or do you see an IDS angle I'm
missing? Its a good question, though.
I don't have much use for an IDS alert on logoff, unless it's a session that is
automagically logged in at boot and not supposed to logout - usually running a
captive kiosk or system-monitoring tool (but in those cases, the program can
usually be modified or wrapped to generate its own "Yow I exited unexpectedly"
alerts). On the other hand, having some sort of '*last' capability is almost
always useful when you're trying to figure out what happened - "Fred left the
office at 5PM, but his session was there till 11PM, and something odd happened
at 10:30PM". Usually means either Fred didn't in fact leave, or Fred left the
session unlocked and you have a too-clued janitor on the payroll.. :)
4:33 p.m.
On Wednesday 06 February 2008 17:04:12 Steve Grubb wrote:
> Events: In the audisp code I see most of the AUDIT_ANOM
"biggies" but
> not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)?
That one is still TBD. I needed the define in libaudit.h so I could use it
later. I have to patch a few user space utilities to send the event.
It occurred to me that I didn't fully answer this. The plugin right now is
intended to be a usable proof of concept test. I only wanted to cover
the "easy" ones. The other anomaly events would be covered in future versions
of the plugin, but they generally require some work to get functioning. At
this point, I'm interested in feedback and maybe some ideas about what kinds
of alerts people might be interested in.
One thing I ran into writing my plugins is that I think IDMEF is really more
suited to NIDS rather than HIDS. I have been discussing this with the prelude
developers and will write up my findings later. To really do a good job, I
think the standard needs to change a little.
For example, when you get an AVC, you need to see the syscall record in order
to decide what the impact really is. Without the syscall record, you don't
know if the system was in permissive mode at the time if the syscall. So you
cannot conclude whether they succeeded or failed. The IDMEF standard has no
way to say the result was indeterminate.
So, it may take a while to get this plugin exactly the way I want since it may
take some standards work to be able to express all the information that an
audit system has available.
-Steve
6163
days inactive
6163
days old
linux-audit@lists.linux-audit.osci.io
3 comments
3 participants
participants (3)
-
LC Bruzenak -
Steve Grubb -
Valdis.Kletnieks@vt.edu