Hardened Team, Zhen

Here are some updates (by Rieck) to the SAL project that need some
testing... I am in the middle of updating the sources on
secureaudit.sf.net

Let me know how things go...

Javier Godinez

-----Original Message-----
From: Konrad Rieck
Sent: Wednesday, October 15, 2003 2:38 PM
To: Godinez, Javier SPAWAR
Subject: RE: Security Flaws in SAL (2nd mail)


Hi Javier,

On Wed, 2003-10-15 at 17:20, Godinez, Javier SPAWAR wrote:
> audit.c was not attached; would you please resend it?
> Can you send a patch for the other changes too?

Attached is my current version of audit.c, a manually modified entry.S
that allows logging exit() syscalls, and two rather large and blurred
patches for the SAL client and server.

I must admit that most changes have been made to integrate SAL into my
research IDS, and thus SAL's initial focus might have been lost in some
parts.

What I did:

- A security check has been added to sys_audit(), allowing only
  the super-user to retrieve the collection buffers.

- The kernel part has been extended to audit absolute pathnames instead
  of just the relative command. Changes inside the syscall struct
  were necessary, e.g. increasing the comm[] field's size.

- The entry.S file has been manually patched to support auditing
  the exit() syscall. exit() doesn't return on Linux; that's why
  the original SAL version didn't catch it.

- The SAL server and client store files using zlib(1). Compression
  strength can be specified at the command line or via the XML
  configuration file. Strength ranges from 0 to 9, where 0 represents
  no compression. Up to 90% of disk space is saved.

- The SAL server and client communicate using proprietary SSL
  compression if available. Network load is reduced.

- The kernel part has been equipped with synchronisation (spinlock)
  to work on SMP machines. I finished this patch today, that's
  why I can't tell whether it is stable yet. I will test it over the next
  few days.


> Also, did you try the patch with the newest kernel?

I have successfully patched several different 2.4.x kernels.

Only two kernels could not be patched automatically. Preprocessor
directives in entry.S fooled the algorithm for finding the next free
syscall slot.

Regards,
Konrad