linux-kernel.vger.kernel.org archive mirror
* SNARE and C2 auditing under 2.5.x
@ 2003-05-21 10:40 Chuck Ebbert
  2003-05-21 19:26 ` Bernd Eckenfels
  0 siblings, 1 reply; 6+ messages in thread
From: Chuck Ebbert @ 2003-05-21 10:40 UTC (permalink / raw)
  To: Ahmed Masud; +Cc: Linux Kernel Mailing List

> I may be repeating this question, but is there an effort to bring
> snare code to 2.5.x?

  Nah, auditing isn't needed to run a secure system.  ;)




* Re: SNARE and C2 auditing under 2.5.x
  2003-05-21 10:40 SNARE and C2 auditing under 2.5.x Chuck Ebbert
@ 2003-05-21 19:26 ` Bernd Eckenfels
  2003-05-21 22:56   ` Alan Cox
  2003-05-23 11:55   ` Jakob Oestergaard
  0 siblings, 2 replies; 6+ messages in thread
From: Bernd Eckenfels @ 2003-05-21 19:26 UTC (permalink / raw)
  To: linux-kernel

In article <200305210642_MC3-1-39D2-5928@compuserve.com> you wrote:
>  Nah, auditing isn't needed to run a secure system.  ;)

Besides C2 is totally anachronistical, anyway.

Even Windows 2000 now offers some Protection Profiles from the Common
Criteria EAL4+FLR for the Controlled Access Protection Profile (CAPP).

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/


* Re: SNARE and C2 auditing under 2.5.x
  2003-05-21 19:26 ` Bernd Eckenfels
@ 2003-05-21 22:56   ` Alan Cox
  2003-05-23 11:55   ` Jakob Oestergaard
  1 sibling, 0 replies; 6+ messages in thread
From: Alan Cox @ 2003-05-21 22:56 UTC (permalink / raw)
  To: Bernd Eckenfels; +Cc: Linux Kernel Mailing List

On Mer, 2003-05-21 at 20:26, Bernd Eckenfels wrote:
> In article <200305210642_MC3-1-39D2-5928@compuserve.com> you wrote:
> >  Nah, auditing isn't needed to run a secure system.  ;)
> 
> Besides C2 is totally anachronistical, anyway.
> 
> Even Windows 2000 now offers some Protection Profiles from the Common
> Criteria EAL4+FLR for the Controlled Access Protection Profile (CAPP).

EAL4 if you read it is not for a hostile environment, so it's not even 
good enough for a typical university lab 8)



* Re: SNARE and C2 auditing under 2.5.x
  2003-05-21 19:26 ` Bernd Eckenfels
  2003-05-21 22:56   ` Alan Cox
@ 2003-05-23 11:55   ` Jakob Oestergaard
  1 sibling, 0 replies; 6+ messages in thread
From: Jakob Oestergaard @ 2003-05-23 11:55 UTC (permalink / raw)
  To: Bernd Eckenfels; +Cc: linux-kernel

On Wed, May 21, 2003 at 09:26:15PM +0200, Bernd Eckenfels wrote:
> In article <200305210642_MC3-1-39D2-5928@compuserve.com> you wrote:
> >  Nah, auditing isn't needed to run a secure system.  ;)
> 
> Besides C2 is totally anachronistical, anyway.
> 

Logging is *not* anachronistical.

From C2: "2.2.2.2 Audit"

"The TCB shall be able to create, maintain, and protect from
modification or unauthorized access. The audit data shall be protected
by the TCB so that read access to it is limited to those who are
authorized for audit data. The TCB shall be able to record the following
types of events: use of identification and authentication mechanisms,
introduction of objects into a user's address space (e.g., file open,
program initiation), deletion of objects, actions taken by computer
operators and system administrators and/or system security officers, and
other security relevant events. For each recorded event, the audit record
shall identify: date and time of the event, user, type of event, and
success or failure of that event. For identification/authentication
events the origin of request (e.g., terminal ID) shall be included in
the audit record. For events that introduce an object into a user's
address space and for object deletion events the audit record shall
include the name of the object. The ADP system administrator shall be
able to selectively audit the actions of any one or more users based on
individual identity."


> Even Windows 2000 now offers some Protection Profiles from the Common
> Criteria EAL4+FLR for the Controlled Access Protection Profile (CAPP).

EAL4 means "we're pretty sure the system does X"

It does not say that X is anything remotely related to security.  The
"AL" in EAL is for "Assurance Level", how certain you are that the
system behaves according to specification. It's not about the security
features of your specification.

Ever wondered why Solaris 8 and Trusted Solaris 8 both have EAL4 ?

You say C2 auditing is anachronistical - but NOT EVEN having THAT is
most certainly not a mark of distinction.

And in fact, your average syslog setup is NOT guaranteed to store the
log events as required by C2. Some information is missing, and you do
not have guarantees that events that *are* generated by the system,
actually reach the log.

This is very very far from being impressive.  C2 is not the end all and
be all, but its auditing requirements are pretty good (for systems that
only have discretionary access controls) and efforts to bring this kind
of auditing to Linux should certainly not be frowned upon.

That's my 0.02 Euro at least

-- 
................................................................
:   jakob@unthought.net   : And I see the elder races,         :
:.........................: putrid forms of man                :
:   Jakob Østergaard      : See him rise and claim the earth,  :
:        OZ9ABN           : his downfall is at hand.           :
:.........................:............{Konkhra}...............:

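The audit-record requirements quoted from C2 2.2.2.2 above (every record carries date/time, user, event type and outcome; authentication events add the request origin; object introduction and deletion add the object name; records can be selected per user) can be checked mechanically. The following is an added example, not code from the thread or from Snare; the `key=value` record format and the event-type names are constructed for illustration.

```python
# Added example (not from the thread or from Snare): check constructed audit
# records against the field requirements of C2 section 2.2.2.2.

# Fields every record must carry, plus extras keyed on the (constructed) event type.
REQUIRED_ALWAYS = ("time", "user", "event", "outcome")
REQUIRED_BY_EVENT = {
    "auth": ("origin",),           # identification/authentication: request origin
    "object_open": ("object",),    # object introduced into a user's address space
    "object_delete": ("object",),  # object deletion: name of the object
}

def parse_record(line):
    """Parse a constructed 'key=value key=value ...' audit line into a dict."""
    rec = {}
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec

def missing_fields(rec):
    """Return the C2-required fields that this record lacks, in a fixed order."""
    needed = REQUIRED_ALWAYS + REQUIRED_BY_EVENT.get(rec.get("event"), ())
    return [f for f in needed if not rec.get(f)]

def audit_gaps(lines):
    """Map 1-based line number -> missing fields, for records that fall short."""
    gaps = {}
    for n, line in enumerate(lines, 1):
        missing = missing_fields(parse_record(line))
        if missing:
            gaps[n] = missing
    return gaps

def select_users(lines, users):
    """Selective audit by identity: keep only records for the given users."""
    return [l for l in lines if parse_record(l).get("user") in set(users)]

# Constructed sample records; lines 2 and 4 are deliberately incomplete.
SAMPLE = [
    "time=2003-05-23T11:55:00Z user=jakob event=auth outcome=success origin=tty1",
    "time=2003-05-23T11:55:05Z user=jakob event=auth outcome=failure",
    "time=2003-05-23T11:56:00Z user=root event=object_open outcome=success object=/etc/passwd",
    "user=root event=object_delete outcome=success",
    "time=2003-05-23T11:57:00Z user=root event=other outcome=success",
]

if __name__ == "__main__":
    for n, missing in audit_gaps(SAMPLE).items():
        print(f"record {n} is not C2-complete, missing: {', '.join(missing)}")
```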

* SNARE and C2 auditing under 2.5.x
@ 2003-06-10 11:57 Red Phoenix
  0 siblings, 0 replies; 6+ messages in thread
From: Red Phoenix @ 2003-06-10 11:57 UTC (permalink / raw)
  To: linux-kernel

Sorry for the late reply - I've only just spotted the May 21 thread.

>I may be repeating this question, but is there an effort to bring
>snare code to 2.5.x?

If people are interested, then definitely!

I'm about 80% of the way through a kernel-patch version of snare, and have 
it working nicely on a 2.4.18 based system. I'm just about to try and 
re-apply the changes to 2.4.20 tonight.

For those that don't know, Snare is a C2-style auditing capability, roughly 
analogous to Solaris BSM, or the Windows EventLog subsystem. Until recently, 
Snare existed as a kernel module that used sys_call_table to overlay 
auditing functionality on a bunch of system calls (yes, I know - it should 
be the 8th deadly sin ;). It's now being retooled as a kernel patch.

I've heard through the grapevine that Snare is a required part of the US DoD 
Common Operating Environment for Linux installations, has been evaluated by 
mitre.org, was one of the apps in the 'use of open source tools in the DoD' 
report that came out a while back, is in use inside the Aussie intelligence 
community (no jokes about contradictions please ;), was recently featured at 
SANS, and is also part of RH Adv Server... so it's probably becoming too 
popular to run as a 'two occasional developers' project - at least for the 
kernel components.

Although I've been working with audit logs on a bunch of systems for 
many-a-year, my kernel experience is limited, so although the RH kernel team 
has helped out in the past, and AC has offered to cast an eye or two over 
the code, it's probably time that we consider including more capable hands 
in the development process - any assistance, or suggestions on the way 
forward, would definitely be welcome!

Regards,

Leigh. (please cc me in replies - Leigh [dot] Purdie at intersectalliance 
DOT com)

.. sorry in advance for any hotmail crud below - front-line spam defence..




* SNARE and C2 auditing under 2.5.x
@ 2003-05-17 11:31 Ahmed Masud
  0 siblings, 0 replies; 6+ messages in thread
From: Ahmed Masud @ 2003-05-17 11:31 UTC (permalink / raw)
  To: Alan Cox; +Cc: Linux Kernel Mailing List

Hi alan:

I may be repeating this question, but is there an effort to bring
snare code to 2.5.x? If so, who is heading it? If there is no effort can 
i submit some stuff to you since you are (were?) involved with snare?

Cheers,

Ahmed.




