Linux / Unix Audit Logs
I am disappointed. Have you ever tried to audit your Linux system? Well, have you tried to get syslog events for password changes? Why would Linux not log an event like that? You have to go and mess with the PAM configuration of your system. And I don’t think it’s straightforward to actually get the user management sub-system to log audit events. I want to know when someone changes his password or a user account is disabled! I guess part of the problem is that you can always go to the configuration files (/etc/passwd) and just change the entries yourself, but you know, we are in 2006, you would think someone has figured out how to audit these things. Have I already mentioned that I am disappointed? And don’t misunderstand me. I love Linux, but still.
One solution that VanHauser recommended was LAUS, an auditing subsystem which was initially developed for SUSE. A port for Redhat exists also. Since I switched to Ubuntu, I tried an apt-get install laus. No luck. Too bad.
Maybe I am just missing something and there is a solution to the audit log shortcomings of Linux?
Snort 2.6 Book
It’s done. I was working on writing a chapter for the new Snort book. I got the chapter on data analysis assigned. These things take time. It was fun writing it though. It forced me to look into some tools that are quite interesting. OpenSIMs and OSSIM are two of them. They are not quite as mature as I was hoping they would be. Well, somehow I guess I knew they wouldn’t be. They are great starting points for a SIM though. Maybe they should just combine the two projects.
Another project that I found interesting is SEC, the Simple Event Correlator. I have looked at this tool before, but this time I have to say, I am quite impressed. The correlation capabilities are quite interesting. There is one huge problem, which is that you have to define the matching log entry for every rule. This just doesn’t scale. You need to have a normalization module first and then you apply the correlation on the normalized data. And by normalized I mean parsed and categorized! And that’s one of the other huge problems: Categorization is not standardized and it takes a huge amount of work to do it yourself. Believe me, I know what it means to categorize. We have a database of about 150,000 events that we categorized…
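To make the "normalize first, then correlate" point concrete, here is an added example in Python. It is not code from this post, from SEC, or from any SIM product mentioned here. A small normalization layer turns raw syslog lines into events with a category, and the correlation rules are then written against categories only, so a rule never needs to know the sshd or passwd(1) message format, and a second rule can chain on the first across two different log sources. The category names, hostnames, addresses and log lines below are all constructed for the example.

```python
"""Normalize first, then correlate: the alternative to one raw-text match per
rule. Added example; the log lines and category names below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime
    host: str
    category: str   # normalized category such as "auth.login.failure"
    user: str
    src: str        # source address, or "-" when the log line has none


class Alert(NamedTuple):
    ts: datetime
    host: str
    src: str
    user: str
    failures: int


# The normalization layer: one parser per log *format*, each mapping to a
# category. The taxonomy is hypothetical; what matters is using it consistently.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
MESSAGE_PARSERS = [
    (re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
     "auth.login.failure"),
    (re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"),
     "auth.login.success"),
    (re.compile(r"password changed for (?P<user>\S+)"), "account.password.change"),
]


def normalize(line: str, year: int = 2006) -> Optional[Event]:
    """Parse one syslog line into a categorized Event (None if it is not syslog)."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    for pattern, category in MESSAGE_PARSERS:
        mm = pattern.search(m["msg"])
        if mm:
            d = mm.groupdict()
            return Event(ts, m["host"], category, d.get("user", "-"), d.get("src", "-"))
    return Event(ts, m["host"], "uncategorized", "-", "-")   # parsed, not categorized


def correlate_bruteforce_success(events: List[Event], threshold: int = 3,
                                 window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Rule 1, written against categories only: `threshold` login failures from
    one source, followed by a success from that same source within `window`."""
    failures = defaultdict(list)   # (host, src) -> timestamps of failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.src)
        if ev.category == "auth.login.failure":
            failures[key].append(ev.ts)
        elif ev.category == "auth.login.success":
            recent = [t for t in failures[key] if ev.ts - t <= window]
            if len(recent) >= threshold:
                alerts.append(Alert(ev.ts, ev.host, ev.src, ev.user, len(recent)))
            failures[key].clear()
    return alerts


def correlate_takeover(events: List[Event], alerts: List[Alert],
                       window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Rule 2 chains on rule 1: the brute-forced account's password is changed on
    the same host within `window`. It never sees the passwd(1) log format."""
    return [a for a in alerts
            if any(ev.category == "account.password.change" and ev.host == a.host
                   and ev.user == a.user and timedelta(0) <= ev.ts - a.ts <= window
                   for ev in events)]


# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
Jul 12 10:00:01 web01 sshd[2301]: Failed password for root from 10.1.2.3 port 4022 ssh2
Jul 12 10:00:03 web01 sshd[2302]: Failed password for invalid user admin from 10.1.2.3 port 4023 ssh2
Jul 12 10:00:05 web01 sshd[2303]: Failed password for root from 10.1.2.3 port 4024 ssh2
Jul 12 10:00:09 web01 sshd[2304]: Accepted password for root from 10.1.2.3 port 4025 ssh2
Jul 12 10:00:30 web01 passwd[2310]: pam_unix(passwd:chauthtok): password changed for root
Jul 12 10:01:00 web01 sshd[2320]: Accepted publickey for alice from 10.9.9.9 port 5000 ssh2
Jul 12 10:02:00 web01 cron[2330]: (root) CMD (run-parts /etc/cron.hourly)
"""


def run(log: str = SAMPLE_LOG):
    """Normalize every line, then apply both rules; returns (events, rule1, rule2)."""
    events = [e for e in (normalize(line) for line in log.splitlines()) if e]
    bf = correlate_bruteforce_success(events)
    return events, bf, correlate_takeover(events, bf)


if __name__ == "__main__":
    events, bf, takeovers = run()
    for ev in events:
        print(ev.ts.time(), ev.host, ev.category, ev.user, ev.src)
    for a in bf:
        print("brute force followed by success:", a)
    for a in takeovers:
        print("possible account takeover:", a)
```

The scaling argument shows up in the shape of the code: adding a new log source (another SSH daemon, a RADIUS server) means adding one parser to MESSAGE_PARSERS, and every existing rule picks it up unchanged, whereas in the one-regex-per-rule style each rule would have to be touched. The cron line ends up as "uncategorized", which is the honest state of most of a real log until someone does the categorization work the paragraph above complains about.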
Anyways. The chapter is written and hopefully I can spend some more time again on the other writing projects I have lined up. But first it’s going to be travel and conference month! BlackHat is close!