[2178] in linux-security and linux-alert archive
[linux-security] Re: You got some 'splaininn to do Lucy ;-)
daemon@ATHENA.MIT.EDU (Stuart Staniford-Chen)
Thu Jul 29 03:14:29 1999
Date: Wed, 28 Jul 1999 16:45:48 -0700
From: Stuart Staniford-Chen <stuart@SiliconDefense.com>
To: Kirwan Marty <Kirwan_Marty@prc.com>
CC: linux-security@redhat.com,
Robust-Open-Source List <open-source@csl.sri.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
[Message from linux-security@redhat.com cc:d to open-source@csl.sri.com also]
Kirwan Marty wrote:
>
> We just had a security application vendor come in. We asked about Linux
> support and he said that putting a security application on top of an
> insecure OS was useless. When I asked what he meant by insecure he replied
> that Linux does not have a true Auditing capability - as opposed to HP-UX &
> Solaris which they do support. Can anyone explain to me what he was talking
> about?
He's probably referring to OS system call auditing - i.e. the ability to create
an audit trail of all the system calls that were issued along with ancillary
information (the UID, PID, etc of the caller, the arguments and return code
of the system call, etc). Having this information is a requirement of the
DOD "Orange Book" criteria for a system to be rated C2 or above.
This information is mostly of value to host based Intrusion Detection systems
which examine the audit trail looking for evidence of break-ins or
misbehaviour.
AFAIK, there isn't an audit trail for Linux. Anyone know of any projects to
create one? How about other free Unix-like systems?
Assuming there isn't, the argument "Our host based IDS cannot work on Linux
because it doesn't provide any audit data for us to use," is fair enough.
The argument, "Our <some other kind of security application> doesn't work on
Linux because the fact that Linux doesn't have an audit trail proves Linux is
not secure enough" is bull.
Stuart Staniford-Chen
--
Stuart Staniford-Chen --- President --- Silicon Defense
stuart@silicondefense.com
(707) 822-4588 (707) 826-7571 (FAX)
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
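An added illustration of what the message calls a host-based IDS "examining the audit trail": a small Python detector over a constructed system-call audit trail carrying exactly the fields Stuart lists (caller UID and PID, system call name, arguments, return code). This is example code written for this archive page, not code from the poster or from any OS vendor; the pipe-separated record format, the sample records and the two detection rules are assumptions made for the illustration, not a real audit format.

```python
"""Toy host-based intrusion detection over a system-call audit trail.

Record format (constructed for this example, not a real audit format):
    ts|pid|uid|syscall|arg1,arg2,...|ret
where ret is the return code and negative values stand for -errno.
"""
from collections import Counter
from dataclasses import dataclass

EACCES = -13                      # errno 13 as a negative return code
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}
SHELLS = {"/bin/sh", "/bin/bash"}

# Constructed sample trail: one user probing /etc/shadow, one process that
# starts as uid 1001, ends up running as root and spawns a shell, and one
# legitimate root shell that must not be flagged.
SAMPLE_TRAIL = """
1000|4242|1001|open|/etc/passwd,O_RDONLY|3
1001|4242|1001|open|/etc/shadow,O_RDONLY|-13
1002|4242|1001|open|/etc/shadow,O_RDONLY|-13
1003|4242|1001|open|/etc/shadow,O_RDONLY|-13
1004|5150|1001|open|/tmp/work,O_RDONLY|4
1005|5150|0|setuid|0|0
1006|5150|0|execve|/bin/sh|0
1007|777|0|execve|/bin/sh|0
"""


@dataclass
class AuditRecord:
    ts: int
    pid: int
    uid: int          # UID of the caller at the time of the call
    syscall: str
    args: tuple       # arguments as recorded, left as strings
    ret: int          # return code of the system call


def parse_trail(text: str) -> list:
    """Parse the constructed pipe-separated format into AuditRecord objects."""
    records = []
    for line in text.strip().splitlines():
        ts, pid, uid, syscall, args, ret = line.split("|")
        records.append(AuditRecord(int(ts), int(pid), int(uid), syscall,
                                   tuple(a for a in args.split(",") if a),
                                   int(ret)))
    return records


def detect(records: list, probe_threshold: int = 3) -> list:
    """Return human-readable alerts for two kinds of misbehaviour.

    Rule 1: the same UID has open() on a sensitive path refused with
            EACCES probe_threshold times (permission probing).
    Rule 2: a process that first appeared under a non-root UID is later
            seen running as UID 0 and execve()s a shell (a privilege
            change followed by an interactive shell).
    """
    alerts = []
    denied = Counter()          # (uid, path) -> count of EACCES on open()
    first_uid = {}              # pid -> UID the process was first seen with
    for r in records:
        first_uid.setdefault(r.pid, r.uid)

        # Rule 1: repeated permission-denied opens of a sensitive file.
        if (r.syscall == "open" and r.ret == EACCES
                and r.args and r.args[0] in SENSITIVE_PATHS):
            key = (r.uid, r.args[0])
            denied[key] += 1
            if denied[key] == probe_threshold:
                alerts.append(f"uid {r.uid}: {probe_threshold} denied opens "
                              f"of {r.args[0]}")

        # Rule 2: non-root process now running as root spawns a shell.
        if (r.syscall == "execve" and r.ret == 0 and r.uid == 0
                and first_uid[r.pid] != 0
                and r.args and r.args[0] in SHELLS):
            alerts.append(f"pid {r.pid}: uid {first_uid[r.pid]} -> 0 "
                          f"then execve {r.args[0]}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_trail(SAMPLE_TRAIL)):
        print("ALERT", alert)
```

Both rules depend on information that a plain syslog trail does not carry (per-call return codes, and the caller UID recorded on every call), which is the practical content of the vendor's complaint: without a system-call audit trail, a host-based IDS of this kind has nothing to consume.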