Re: Intrusion Detection with CA-Unicenter ?

Jas (matt@uts.edu.au)
Fri, 24 Mar 1995 12:50:36 +1000 (EST)

MICHAEL S. HINES wrote this...
> 
> Just the same thing you have... the software salesman's
> presentations. But he maintains you can establish triggers in
> Unicenter and have scripts execute depending upon your requirements
> (dare I say policy). This can include paging the sysop if your
> system has a modem, or whatever else you might desire to do.  It
> seems to all be driven off the entries into the system log.  They do
> their own login control (offering tod, dow, and other types of
> controls above what you get with plain vanilla UNIX) and can hit the
> log with what appears to be intrusions (can set a trigger number).  
> This can be programmed to establish a denial of service (lockout
> until sysadmin resets) or some other action as your policy dictates.
we had a look at it at this uni. we went and had a demonstration, and
i put the "engineer" through the 3rd degree and found out how it does
all this stuff.

basically what it does is this.. it puts hooks in the kernel for most
of your major functions (open,close,creat,exit you get the idea). it
then checks the arguments of these functions against its ACL's (the
ACL's are converted from ascii into binary at boot time, or
modification time). it also puts hooks in most of your major "service"
type binaries (like login,inetd,rpcbind), provides ACL's for these as
well.

problems i saw with this are, a) if you want to reconfigure something
on your system to behave differently from plain vanilla you get stuck
:( and b) if you patch your kernel/binaries you run the risk of
something breaking, but CA assured me nothing would break if you
patched the system (oh ye of mighty faith).

hope this sheds some light on the matter.

			Matt
-- 
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan   Systems Programmer   Information Technology Division
      University of Technology     Sydney Australia

It's nice to be in a position where people apologize because they
assume there's humor in your work, based on past experience,
but they're not sure where it is. -- Rob Pike
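Added example, not code from CA-Unicenter or from either poster: a toy Python model of the two mechanisms the thread describes, the kernel-hook ACL check (an ascii ACL "compiled" into an in-memory rule table and consulted on every hooked open()) and the log-driven trigger (count denials per subject, and once the "trigger number" is reached lock the subject out and record a sysop-page action). The ACL text format, the deny-overrides semantics, the subject names and the paths are all assumptions constructed for this example.

```python
"""Toy model of a syscall-hook access-control layer with a log-driven
lockout trigger.  Added example; not CA-Unicenter code.  The ACL
format, paths and subjects below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Ascii ACL source (format is an assumption of this example):
#   <subject> <syscall> <path-glob> <allow|deny>
ACL_TEXT = """
# subject  syscall  path           decision
root       open     /etc/*         allow
root       open     /var/log/*     allow
www        open     /var/www/*     allow
www        open     /etc/*         deny
*          open     /etc/shadow    deny
"""


@dataclass(frozen=True)
class Rule:
    subject: str
    syscall: str
    pattern: str
    allow: bool


def compile_acl(text):
    """Parse the ascii ACL into an ordered tuple of Rule objects,
    the stand-in for the 'binary' form loaded at boot/modification time."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("allow", "deny"):
            raise ValueError(f"ACL line {lineno}: malformed rule {line!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3] == "allow"))
    return tuple(rules)


def check(rules, subject, syscall, path):
    """Decide a hooked syscall.  Semantics (assumed here): any matching
    deny wins, then any matching allow, otherwise default deny."""
    matched = [r for r in rules
               if r.syscall == syscall
               and r.subject in (subject, "*")
               and fnmatch(path, r.pattern)]
    if any(not r.allow for r in matched):
        return False
    return any(r.allow for r in matched)


@dataclass
class Monitor:
    rules: tuple
    threshold: int = 3            # the "trigger number" from the thread
    log: list = field(default_factory=list)
    denials: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    actions: list = field(default_factory=list)   # e.g. "page sysop"

    def hooked_open(self, subject, path):
        """Kernel-hook stand-in for open(): consult the ACL, write the
        system log, and fire the lockout trigger on repeated denials."""
        if subject in self.locked:
            self.log.append(f"open subject={subject} path={path} result=LOCKED")
            return False
        allowed = check(self.rules, subject, "open", path)
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"open subject={subject} path={path} result={verdict}")
        if not allowed:
            self.denials[subject] += 1
            if self.denials[subject] >= self.threshold:
                # Denial of service until the sysadmin resets, plus a page.
                self.locked.add(subject)
                self.actions.append(f"lockout {subject}; page sysop")
        return allowed


def run_demo():
    """Drive the monitor with a constructed sequence of hooked opens."""
    mon = Monitor(compile_acl(ACL_TEXT), threshold=3)
    results = [
        mon.hooked_open("www", "/var/www/index.html"),   # allowed
        mon.hooked_open("www", "/etc/passwd"),           # denial 1
        mon.hooked_open("www", "/etc/shadow"),           # denial 2
        mon.hooked_open("www", "/etc/hosts"),            # denial 3 -> lockout
        mon.hooked_open("www", "/var/www/index.html"),   # now locked out
        mon.hooked_open("root", "/etc/shadow"),          # wildcard deny wins
    ]
    return mon, results


if __name__ == "__main__":
    monitor, _ = run_demo()
    print("\n".join(monitor.log))
    print("actions:", monitor.actions)
```

The point of the toy is the one Matt raises: the ACL lives in a table that the hook consults on every call, so anything that changes a hooked binary or the kernel's call path has to keep that table and those hooks in step, and the lockout trigger is only as reliable as the log entries that feed it.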