Auditing draft extension--IDS modules and network audit packets

Robert Watson robert at
Wed Apr 14 13:42:33 GMT 1999

In my previous email, I mention extensions to the auditing API.  I'd like
to raise the idea of a portable IDS interface for pluggable intrusion
detection modules.  I would guess POSIX doesn't talk in any way about
dynamic linking :), but my intent was to provide a uniform hook interface,
and allow an audit daemon to link in a list of modules, each of which knew
the properties of a particular set of attacks or suspicious behavior (or
whatever), and could then use a standard API to ask the audit daemon to
modify its behavior, raise alarms, etc.  The most basic interface would
presumably simply consist of modulename_gimmerecords(aud_rec_t rec), which
would be given a temporary reference to an incoming audit record.  More
complicated mechanisms might allow filtering, and in the case of an
IPC-based model, access control.  POSIX presumably could describe an
IPC-based mechanism for requesting an audit record stream, and then the
assumption that audit records flow in their native format over the pipe
(or the like). 
Another issue raised on the FreeBSD list was a packet format for audit
records; of particular interest was the possibility of shipping records
straight from the kernel onto the network; an appropriate packet format
would presumably be independent of where the records were generated, but
perhaps some work on such a format here would be appropriate.  Again, the
most basic first glance would require consideration of reliability issues,
authentication, privacy, a platform-independent and also
architecture-indepdent wire format, etc. 

Any thoughts in this area would be greatly welcome; it will be a few weeks
before I start to look seriously at features such as these (in that time I
have to finish my thesis and a number of other over-sized projects to
which I seem to be committed :) but these are hopefully interesting to
those of you interested in secure operating systems--IDS appears to be a
fairly hot topic, and providing hooks to ease the development of portable
IDS tools is clearly advantageous to those of us in the free software and
UNIX communities.

  Robert N Watson 

robert at    
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University  
TIS Labs at Network Associates, Inc.
Safeport Network Services   

To Unsubscribe: send mail to majordomo at
with "unsubscribe posix1e" in the body of the message

More information about the posix1e mailing list