[linux-security] Re: You got some 'splaininn to do Lucy ;-)
daemon@ATHENA.MIT.EDU (Oliver Xymoron)
Sat Jul 31 04:00:30 1999
Date: Fri, 30 Jul 1999 18:23:55 -0500 (CDT)
From: Oliver Xymoron <oxymoron@waste.org>
To: Stuart Staniford-Chen <stuart@SiliconDefense.com>
cc: linux-security@redhat.com,
Robust-Open-Source List <open-source@csl.sri.com>
In-Reply-To: <379F962C.7D77D434@SiliconDefense.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Wed, 28 Jul 1999, Stuart Staniford-Chen wrote:
> [Message from linux-security@redhat.com cc:d to open-source@csl.sri.com also]
>
> Kirwan Marty wrote:
> >
> > We just had a security application vendor come in. We asked about Linux
> > support and he said that putting a security application on top of an
> > insecure OS was useless. When I asked what he meant by insecure he replied
> > that Linux does not have a true Auditing capability - as opposed to HP-UX &
> > Solaris which they do support. Can anyone explain to me what he was talking
> > about?
>
> He's probably referring to OS system call auditing - i.e. the ability to create
> an audit trail of all the system calls that were issued along with ancillary
> information (the UID, PID, etc of the caller, the arguments and return code
> of the system call, etc). Having this information is a requirement of the
> DOD "Orange Book" criteria for a system to be rated C2 or above.
>
> This information is mostly of value to host based Intrusion Detection systems
> which examine the audit trail looking for evidence of break-ins or
> misbehaviour.
>
> AFAIK, there isn't an audit trail for Linux. Anyone know of any projects to
> create one? How about other free Unix-like systems?
If it's not already doable with ptrace(), it should be a trivial
extension. It's just in user-space, rather than in the kernel.
At best, auditing is a race anyway. A knowledgeable intruder[1] who
attains root can probably kill or spoof such local auditing before the
alarm is sounded.
--
"Love the dolphins," she advised him. "Write by W.A.S.T.E.."
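As an added example (not part of this thread or of any project), here is the kind of user-space audit trail the reply says ptrace() makes possible: a tracer that forks a child and records pid, uid, system call number, the first three arguments and the return code of every system call the child completes. It assumes Linux on x86-64 (system call number in orig_rax, return value in rax) and glibc's sys/ptrace.h.

```c
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>

/* Run argv under a ptrace(2) tracer and print one audit line per completed
 * system call: pid, uid, syscall number, first three args, return code.
 * Assumes Linux x86-64: the syscall number is read from orig_rax and the
 * return value from rax.  Returns the number of system calls recorded, or
 * -1 if the tracer itself fails (for example when ptrace is not permitted). */
long audit_trace(char *const argv[])
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);   /* let the parent trace us */
        execvp(argv[0], argv);
        _exit(127);                              /* exec failed */
    }
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;                               /* expect the SIGTRAP after exec */
    /* Mark syscall stops as SIGTRAP|0x80 so they are not confused with signals. */
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    long count = 0, sig = 0;
    int in_syscall = 0;
    struct user_regs_struct regs;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, (void *)sig) < 0 ||
            waitpid(child, &status, 0) < 0)
            return -1;
        if (!WIFSTOPPED(status))
            break;                               /* tracee exited or was killed */
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);              /* real signal: pass it through */
            continue;
        }
        in_syscall = !in_syscall;
        if (in_syscall)
            continue;                            /* entry stop: log at the exit stop */
        if (ptrace(PTRACE_GETREGS, child, NULL, &regs) < 0)
            return -1;
        /* uid is the tracee's: it was inherited from this process across fork(). */
        printf("audit pid=%d uid=%u nr=%llu args=(%#llx,%#llx,%#llx) ret=%lld\n",
               (int)child, (unsigned)getuid(), regs.orig_rax, regs.rdi, regs.rsi,
               regs.rdx, (long long)regs.rax);
        count++;
    }
    return count;
}
```

Only a process started by the tracer is covered, and the tracer runs unprivileged in user space, so a tracee that gains root can stop it; that is the race the reply describes, and the reason kernel-side auditing is the stronger design.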