| 1 |
Hardened Team, Zhen |
| 2 |
|
| 3 |
Here are some updates (by Rieck) to the SAL project that need some |
| 4 |
testing... I am in the middle of updating the sources on |
| 5 |
secureaudit.sf.net |
| 6 |
|
| 7 |
let me know how things go... |
| 8 |
|
| 9 |
Javier Godinez |
| 10 |
|
| 11 |
-----Original Message----- |
| 12 |
From: Konrad Rieck |
| 13 |
Sent: Wednesday, October 15, 2003 2:38 PM |
| 14 |
To: Godinez, Javier SPAWAR |
| 15 |
Subject: RE: Security Flaws in SAL (2nd mail) |
| 16 |
|
| 17 |
|
| 18 |
Hi Javier, |
| 19 |
|
| 20 |
On Wed, 2003-10-15 at 17:20, Godinez, Javier SPAWAR wrote: |
| 21 |
> audit.c was not attached would you please resend it? |
| 22 |
> can you send a patch for the other changes too? |
| 23 |
|
| 24 |
Attached is my current version of audit.c, a manually modified entry.S |
| 25 |
that allows logging exit() syscalls and two rather large and blurred |
| 26 |
patches for the SAL client and server. |
| 27 |
|
| 28 |
I must admit that most changes have been made to integrate SAL into my |
| 29 |
research IDS and thus SAL's initial focus might have been lost in some |
| 30 |
parts. |
| 31 |
|
| 32 |
What I did: |
| 33 |
|
| 34 |
- A security check has been added to sys_audit() allowing only |
| 35 |
the super-user to retrieve the collection buffers |
| 36 |
|
| 37 |
- The kernel part has been extend to audit absolute pathnames instead |
| 38 |
of just the relative command. Changes inside the syscall struct |
| 39 |
were necessary, e.g. increasing the comm[] field's size. |
| 40 |
|
| 41 |
- The entry.S file has been manually patched to support auditing |
| 42 |
the exit() syscall. exit() doesn't return on Linux, that's why |
| 43 |
the original SAL version didn't catch it. |
| 44 |
|
| 45 |
- The SAL server and client store files using zlib(1). Compression |
| 46 |
strength can be specified at command line or via the XML |
| 47 |
configuration file. Strength ranges from 0 to 9, where 0 represents |
| 48 |
no compression. Up to 90% of disk space is saved. |
| 49 |
|
| 50 |
- The SAL server and client communicate using proprietary SSL |
| 51 |
compression if available. Network load is reduced. |
| 52 |
|
| 53 |
- The kernel part has been equipped with synchronisation (spinlock) |
| 54 |
to work on SMP machines. I have finished this patch today, that's |
| 55 |
why I can't tell if it is now stable. I will test it the next |
| 56 |
days. |
| 57 |
|
| 58 |
|
| 59 |
> Also, did you try the patch with the newest kernel? |
| 60 |
|
| 61 |
I have successfully patched several different 2.4.x kernels. |
| 62 |
|
| 63 |
Only two kernels could not automatically be patched. Preprocessor |
| 64 |
directives in entry.S fooled the algorithm for finding the next free |
| 65 |
syscall slot. |
| 66 |
|
| 67 |
Regards, |
| 68 |
Konrad |
| 69 |
|
| 70 |
- |
Archives