Re: Product: Intruder Alert (ITA)

Steve Smaha (Smaha@DOCKMASTER.NCSC.MIL)
Tue, 19 Sep 95 18:59 EDT

Re:  OmniGuard/ITA

Please check into the actual data sources used by this software product.
Unless their technical folks and manuals are mistaken, ITA is using
syslog, utmp, Unix process accounting information, and possibly sulog
info, and it does NOT use the operating system ("C2") audit trails.

This has certain implications.  The accounting log (and other sources
listed) know nothing about objects (files) that are manipulated by
processes.  The accounting log refers to processes only by their final
pathname component (not a full pathname).  The identity attached to a
process execution is the current effective uid, not the login uid
(sometimes called the "audit uid"), so you can't really tell who ran the
logged process.

You could, of course, replace all the vendor binaries with modified ones
that cause events to be written to syslog.  But that would be a REAL
security problem.  (Or you could bite the bullet and look at the OS
audit trails, which are TOTALLY non-standard across vendors.)

Their data sources could be used to implement a "three failed logins and
you're toast" alarm, or to note someone ran a process called "crack".
But it wouldn't tell you if fred renamed the crack binary to be called
"/home/fred/vi", then ran it.  And it wouldn't tell you if fred used the
loadmodule hack to become root.  And it wouldn't tell you if you've been
had again by sendmail.  (Just that sendmail ran.  Maybe.)

It is worth asking what kinds of things you want detected, then what
events need to be collected to enable that detection, then what data
sources collect those events.

Steve Smaha

Haystack Labs, Inc., 10713 RR 620N, Suite 521, Austin, TX 78726
512-918-3555 (voice), 512-918-1265 (fax), smaha@dockmaster.ncsc.mil
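To make the post's point concrete (the accounting log keeps only the last pathname component and a uid, so a renamed "crack" is indistinguishable from "vi"), here is an added Python example that is not part of the original message nor of the ITA product. The record layout is an assumption modelled on the classic BSD struct acct and comp_t encoding; real vendor layouts differ in field order and padding, so the sample records are constructed inline rather than read from a live pacct file.

```python
import struct

# Constructed layout modelled on the classic BSD accounting record (assumption:
# vendors differ in field order/padding; this shows the pattern, not one vendor's format).
#   ac_comm[16]        command name: last pathname component only, truncated
#   ac_utime/stime/etime  comp_t: 3-bit base-8 exponent, 13-bit mantissa
#   ac_btime           start time (u32)
#   ac_uid, ac_gid     the uid/gid the process ran as, not the login ("audit") uid
#   ac_flag            accounting flags; ASU = process used super-user privileges
ACCT_FMT = "<16sHHHIIIB"
ACCT_SIZE = struct.calcsize(ACCT_FMT)
ASU = 0x02  # flag bit used by BSD acct for "used super-user privileges"

def comp_t_decode(c):
    """Expand a 16-bit comp_t: mantissa shifted left by 3 bits per exponent step."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def comp_t_encode(value):
    """Compress a tick count into comp_t (lossy once the mantissa overflows 13 bits)."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value

def make_record(path, uid, gid, utime_ticks, flags=0, btime=0):
    """Build one record the way the kernel would: only the basename survives."""
    comm = path.rsplit("/", 1)[-1].encode()[:16]
    return struct.pack(ACCT_FMT, comm, comp_t_encode(utime_ticks), 0, 0, btime, uid, gid, flags)

def parse_records(blob):
    """Decode a pacct-style byte string into dicts with the fields that exist."""
    out = []
    for off in range(0, len(blob) - ACCT_SIZE + 1, ACCT_SIZE):
        comm, ut, st, et, btime, uid, gid, flag = struct.unpack_from(ACCT_FMT, blob, off)
        out.append({"comm": comm.rstrip(b"\0").decode(), "uid": uid, "gid": gid,
                    "utime": comp_t_decode(ut), "su": bool(flag & ASU)})
    return out

def find_named(records, name):
    """The only 'ran program X' check the accounting log can support."""
    return [r for r in records if r["comm"] == name]

# Constructed sample: fred (uid 1001) runs the real crack, then a copy renamed to vi,
# then sendmail runs with super-user privileges. No pathname, no login uid, no files.
SAMPLE = b"".join([
    make_record("/usr/local/bin/crack", 1001, 100, 600),
    make_record("/home/fred/vi", 1001, 100, 600),
    make_record("/usr/lib/sendmail", 0, 0, 12, flags=ASU),
])
```

Running find_named(parse_records(SAMPLE), "crack") returns one record: the renamed copy shows up only as "vi" under uid 1001, which is exactly the gap the post describes.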