InterSect Alliance says it has developed the first C2-style auditing and event logging subsystem for Linux, called System iNtrusion Analysis and Reporting Environment or SNARE. The source code and binaries for SNARE are freely available at the Intersect Alliance Web site.
According to the U.S. National Security Agency, even that government agency's ultra secure Linux distribution, SELinux "doesn't address important ... features such as security auditing," which is the basic function of SNARE. NSA says it hopes to leverage the work of others when it comes to adding an auditing module to SELinux in the future.
InterSect Alliance director Leigh Purdie and his partner George Cora queried the NSA early on in the development of SNARE, says Purdie. "At that stage they were concentrating on the core SELinux features. We'll probably be contacting them on the mailing list and suggesting some form of integration."
But Purdie has his sights set on bigger things for SNARE. "Although it's not something that every Linux user will take advantage of, auditing is used pretty widely on servers," he says, and that means SNARE could end up included in some major distributions like Red Hat, SuSE, and Mandrake.
And SNARE will not add to kernel bloat because it is dynamically loadable in a module format. "It doesn't have to be built into the kernel, for those users who aren't interested in auditing," says Purdie.
One of the key selling points for SNARE's adoption is the belief that lack of auditing and event logging has kept many businesses from adopting the Linux OS until now. "The lack of such security functionality, and the fact that it exists in commercial operating system rivals such as Windows NT and Solaris, has been reported as a significant reason why organisations and government departments have been reticent in taking up Linux, despite the significant cost savings that would otherwise have resulted," according to a press release announcing SNARE's availability.
Purdie feels confident that many companies and even the U.S. government will regard this as the final hurdle to moving away from IIS and towards Linux adoption. "We've ... performed a bit of research within our core consultancy customers, and several of them have identified auditing as a critical changeover factor," he says.
How does SNARE work?
SNARE is different from network-based signature analysis tools that run tabs on port scanners. Because it is host-based, it keeps an eye on internal processes to ensure a secure environment. Purdie shared this illustrative analogy:
"Network 'signature-based' intrusion detection is a little like posting a
guard outside the bank, and giving them pictures of all the known crooks
in the world. He scans the faces of the people walking past, and if he
sees a known crook, he signals an alarm.
"Host-based intrusion detection is like someone watching the gold bars in
the vault to make sure they're still there."
Purdie says that an auditing subsystem will tell the sysadmin when someone attempts to read the authentication database, or when someone successfully SU's to root, and will sound a critical alert if anyone deletes anything in /etc.
"George and I have a tradition of playing tricks on each others' computer systems -- just to keep ourselves sharp," says Purdie, "and I can tell you, having SNARE installed on our systems has made it a bit more difficult to get away with things."