public inbox for linux-kernel@vger.kernel.org
From: "Red Phoenix" <redph0enix@hotmail.com>
To: linux-kernel@vger.kernel.org
Subject: SNARE and C2 auditing under 2.5.x
Date: Tue, 10 Jun 2003 23:57:39 +1200
Message-ID: <Sea2-F56iZAtGYkNUTv0001fda1@hotmail.com>

Sorry for the late reply - I've only just spotted the May 21 thread.

>I may be repeating this question, but is there an effort to bringing
>snare code to 2.5.x?

If people are interested, then definitely!

I'm about 80% of the way through a kernel-patch version of snare, and have 
it working nicely on a 2.4.18 based system. I'm just about to try and 
re-apply the changes to 2.4.20 tonight.

For those that don't know, Snare is a C2-style auditing capability, roughly 
analogous to Solaris BSM, or the Windows EventLog subsystem. Until recently, 
Snare existed as a kernel module that used sys_call_table to overlay 
auditing functionality on a bunch of system calls (yes, I know - it should 
be the 8th deadly sin ;). It's now being retooled as a kernel patch.

I've heard through the grapevine that Snare is a required part of the US DoD 
Common Operating Environment for Linux installations, has been evaluated by 
mitre.org, was one of the apps in the 'use of open source tools in the DoD' 
report that came out a while back, is in use inside the Aussie intelligence 
community (no jokes about contradictions please ;), was recently featured at 
SANS, and is also part of RH Adv Server... so it's probably becoming too 
popular to run as a 'two occasional developers' project - at least for the 
kernel components.

Although I've been working with audit logs on a bunch of systems for 
many-a-year, my kernel experience is limited, so although the RH kernel team 
has helped out in the past, and AC has offered to cast an eye or two over 
the code, it's probably time that we consider including more capable hands 
in the development process - any assistance, or suggestions on the way 
forward, would definitely be welcome!

Regards,

Leigh. (please cc me in replies - Leigh [dot] Purdie at intersectalliance 
DOT com)

.. sorry in advance for any hotmail crud below - front-line spam defence..

