Forgot the client patch, here it is...

-----Original Message-----
From: Godinez, Javier SPAWAR
Sent: Tuesday, October 21, 2003 9:08 AM
To: gentoo-hardened@g.o
Subject: [gentoo-hardened] FW: Security Flaws in SAL (2nd mail)


Hardened Team, Zhen

Here are some updates (by Rieck) to the SAL project that need some
testing... I am in the middle of updating the sources on
secureaudit.sf.net

let me know how things go...

Javier Godinez

-----Original Message-----
From: Konrad Rieck
Sent: Wednesday, October 15, 2003 2:38 PM
To: Godinez, Javier SPAWAR
Subject: RE: Security Flaws in SAL (2nd mail)


Hi Javier,

On Wed, 2003-10-15 at 17:20, Godinez, Javier SPAWAR wrote:
> audit.c was not attached, would you please resend it?
> can you send a patch for the other changes too?

Attached is my current version of audit.c, a manually modified entry.S
that allows logging exit() syscalls and two rather large and blurred
patches for the SAL client and server.

I must admit that most changes have been made to integrate SAL into my
research IDS and thus SAL's initial focus might have been lost in some
parts.

What I did:

- A security check has been added to sys_audit() allowing only
  the super-user to retrieve the collection buffers

- The kernel part has been extended to audit absolute pathnames instead
  of just the relative command. Changes inside the syscall struct
  were necessary, e.g. increasing the comm[] field's size.

- The entry.S file has been manually patched to support auditing
  the exit() syscall. exit() doesn't return on Linux, that's why
  the original SAL version didn't catch it.

- The SAL server and client store files using zlib(1). Compression
  strength can be specified at command line or via the XML
  configuration file. Strength ranges from 0 to 9, where 0 represents
  no compression. Up to 90% of disk space is saved.

- The SAL server and client communicate using proprietary SSL
  compression if available. Network load is reduced.

- The kernel part has been equipped with synchronisation (spinlock)
  to work on SMP machines. I have finished this patch today, that's
  why I can't tell if it is now stable. I will test it in the next
  days.


> Also, did you try the patch with the newest kernel?

I have successfully patched several different 2.4.x kernels.

Only two kernels could not automatically be patched. Preprocessor
directives in entry.S fooled the algorithm for finding the next free
syscall slot.

Regards,
Konrad
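The zlib "strength 0 to 9, where 0 represents no compression" behaviour described in Konrad's change list can be checked independently of SAL. The following is an added Python example, not SAL's client or server code (those are C programs that call zlib directly); it compresses a constructed batch of audit-style records at every strength, verifies that each level round-trips, walks the level-0 stream block by block to confirm it contains only stored (uncompressed) deflate blocks behind the zlib header and Adler-32 trailer, and reports the space saved per level. The record layout in SAMPLE_RECORDS is an assumption for illustration; the mail does not describe SAL's real on-disk format.

```python
import zlib

# Constructed sample of audit records in a SAL-like one-line format.
# (Assumption: the mail does not describe SAL's real record layout.)
SAMPLE_RECORDS = "".join(
    f"{1066000000 + i} pid={1000 + i % 7} uid={0 if i % 5 == 0 else 500} "
    f"syscall={'execve' if i % 3 else 'exit'} "
    f"comm=/usr/bin/{'vi' if i % 2 else 'ls'} ret=0\n"
    for i in range(400)
).encode()


def compress_at_level(data: bytes, level: int) -> bytes:
    """Compress one log file image at zlib strength 0..9 (0 = stored only)."""
    if not 0 <= level <= 9:
        raise ValueError("compression strength must be in 0..9")
    return zlib.compress(data, level)


def stored_blocks(blob: bytes) -> list[bytes]:
    """Walk a zlib stream that consists only of stored deflate blocks (what
    strength 0 writes) and return each block's raw payload.  Raises on a
    compressed block, a bad LEN/NLEN pair or a wrong Adler-32 trailer."""
    if blob[0] & 0x0F != 8:
        raise ValueError("not a deflate-method zlib stream")
    pos, payloads = 2, []          # skip the 2-byte CMF/FLG zlib header
    while True:
        bfinal, btype = blob[pos] & 1, (blob[pos] >> 1) & 3
        if btype != 0:
            raise ValueError(f"block at offset {pos} is compressed (BTYPE={btype})")
        pos += 1                   # stored block: 3 header bits, pad to byte
        length = int.from_bytes(blob[pos:pos + 2], "little")
        nlength = int.from_bytes(blob[pos + 2:pos + 4], "little")
        if length ^ nlength != 0xFFFF:
            raise ValueError("LEN/NLEN mismatch in stored block")
        pos += 4
        payloads.append(blob[pos:pos + length])
        pos += length
        if bfinal:
            break
    data = b"".join(payloads)
    if int.from_bytes(blob[pos:pos + 4], "big") != zlib.adler32(data):
        raise ValueError("Adler-32 trailer mismatch")
    return payloads


def compression_report(data: bytes) -> dict[int, float]:
    """Return {strength: fraction of disk space saved}, checking that every
    level round-trips and that strength 0 really stores the data verbatim."""
    report = {}
    for level in range(10):
        blob = compress_at_level(data, level)
        if zlib.decompress(blob) != data:
            raise RuntimeError(f"round trip failed at level {level}")
        if level == 0 and b"".join(stored_blocks(blob)) != data:
            raise RuntimeError("level 0 did not write a plain stored stream")
        report[level] = 1.0 - len(blob) / len(data)
    return report


if __name__ == "__main__":
    for level, saved in compression_report(SAMPLE_RECORDS).items():
        print(f"strength {level}: {saved:6.1%} saved")
```

At strength 0 the stream is slightly larger than the input (zlib header, stored-block headers and the Adler-32 trailer are pure overhead), so a log archiver that offers level 0 is offering framing and integrity checking, not space savings; the repetitive audit records compress heavily at the higher levels, which is the regime in which the quoted 90% figure is plausible.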