Is this list dead

Robert Watson robert at cyrus.watson.org
Thu Sep 16 12:44:39 GMT 1999


On Thu, 16 Sep 1999, Ilmar S. Habibulin wrote:

> Subj. 

Well, it's acting a little dead, but my hope is that it will not stay that
way indefinitely.  My work on an auditing implementation has been stalled
for the last couple of months due to travel and work, but I hope to
release a substantially updated and improved version in the next month.
We've been redesigning how the record gathering mechanism is integrated
into FreeBSD, as there are parallel trace mechanisms (such as ktrace) that
serve a similar function.

I'm interested in the possibility of pinning down an IDS module
interface--i.e., a standard API by which IDS modules can talk to a
provider of audit records, specifying what they are interested in so as to
make detecting events more efficient.  This would presumably include
functions to describe interesting records, functions to retrieve the
records when available, and functions to report events via some
event-reporting architecture.

This all raises the usual question--how powerful an automatic filtering
mechanism should there be?  Reducing the flow of records early (since many
are per-syscall) is important, but you don't want to miss anything, nor
have too complicated a filter which in turn slows things down.  Presumably
what I need to help determine this are some figures on record delivery
rates, as well as the processing rates for various components of the
system.

One set of events that POSIX.1e doesn't describe is signals--which I think
may be something we want to add.  For example, the following IDS module
might be useful:

	alert if process "imapd" receives "sigsegv"

Or the like.  The usual causes of sigsegv's in network daemons are the
unfortunate ones--accidental or otherwise.  Similarly, on platforms that
support terminating processes that exceed resource limits, it might be
useful.

Another useful IDS module that comes to mind on many platforms:

	alert if process "imapd" executes "/bin/sh"

Needless to say, this is not actually the language I'm currently working
with--my language is more oriented around the record structure defined in
.1e, but you get the gist.

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
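An added example, not code from the message or from the audit work it describes, of the early record filter that the two rules above imply: each rule names an event kind, a process and one argument, so the bulk of per-syscall records is rejected on the first two comparisons before the argument is examined. The event kinds, record layout, rule layout and sample record stream are constructed for this example and are not POSIX.1e or BSM definitions.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Event kinds constructed for this example, not POSIX.1e or BSM ids. */
enum ev_kind { EV_SIGNAL, EV_EXEC };

/* One audit record as delivered to a consumer: subject process name plus
 * either the signal received (EV_SIGNAL) or the path executed (EV_EXEC). */
struct audit_rec { enum ev_kind kind; const char *proc; int signo; const char *path; };

/* A rule such as 'alert if process "imapd" receives "sigsegv"'. */
struct ids_rule { enum ev_kind kind; const char *proc; int signo; const char *path; const char *alert; };

/* Cheap early filter: kind and process are compared first so that the bulk
 * of per-syscall records is dropped before the argument is examined. */
static int rule_matches(const struct ids_rule *r, const struct audit_rec *a)
{
    if (a->kind != r->kind || strcmp(a->proc, r->proc) != 0)
        return 0;
    return r->kind == EV_SIGNAL ? a->signo == r->signo
                                : strcmp(a->path, r->path) == 0;
}

/* Apply every rule to every record; returns the number of alerts raised. */
int run_ids(const struct ids_rule *rules, int nrules,
            const struct audit_rec *recs, int nrecs)
{
    int alerts = 0;
    for (int i = 0; i < nrecs; i++)
        for (int j = 0; j < nrules; j++)
            if (rule_matches(&rules[j], &recs[i])) {
                printf("ALERT: %s\n", rules[j].alert);
                alerts++;
            }
    return alerts;
}
/* The two rules from the message, and a constructed record stream. */
static const struct ids_rule RULES[] = {
    { EV_SIGNAL, "imapd", SIGSEGV, NULL,      "imapd received SIGSEGV" },
    { EV_EXEC,   "imapd", 0,       "/bin/sh", "imapd executed /bin/sh" },
};
static const struct audit_rec RECS[] = {
    { EV_SIGNAL, "imapd", SIGHUP,  NULL },      /* benign: no alert */
    { EV_SIGNAL, "imapd", SIGSEGV, NULL },      /* matches rule 1 */
    { EV_EXEC,   "sshd",  0,       "/bin/sh" }, /* wrong process: no alert */
    { EV_EXEC,   "imapd", 0,       "/bin/sh" }, /* matches rule 2 */
};
/* Runs the sample stream; returns 2 for the records above. */
int sample_alerts(void) { return run_ids(RULES, 2, RECS, 4); }
```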
