File and folder access auditing, how?
Hello! Is it possible to set up file and folder access auditing on SuSE 9.2 or later (10.0)? If so, how would one do that? I have some sensitive information now on SuSE 9.2 (that might be updated to 10.X) and I'm looking for something similar to what I had in Windows. I want to have a log somewhere that would indicate who has used or tried to use the sensitive information. -- HG.
On Thu, Feb 02, 2006 at 11:34:10AM +0200, HG wrote:
Hello!
Is it possible to set up file and folder access auditing on SuSE 9.2 or later (10.0)? If so, how would one do that?
I have some sensitive information now on SuSE 9.2 (that might be updated to 10.X) and I'm looking for something similar to what I had in Windows. I want to have a log somewhere that would indicate who has used or tried to use the sensitive information.
10.0 has the beginnings of the upstream audit system, in the "audit" package, 10.1 has a bit further developed one. I am not sure it can audit to the full extent you need. 9.1 / SLES 9 has an EAL4+/CAPP capable audit system doing all you might want ... For 10.1 / SLES 10 this is planned too. (Look for "audit watches".)
Ciao, Marcus
Hi!
On 2/2/06, Marcus Meissner
On Thu, Feb 02, 2006 at 11:34:10AM +0200, HG wrote:
Hello!
Is it possible to set up file and folder access auditing on SuSE 9.2 or later (10.0)? If so, how would one do that?
I have some sensitive information now on SuSE 9.2 (that might be updated to 10.X) and I'm looking for something similar to what I had in Windows. I want to have a log somewhere that would indicate who has used or tried to use the sensitive information.
10.0 has the beginnings of the upstream audit system, in the "audit" package, 10.1 has a bit further developed one.
I have 10.0 installed on home computer, so I will have to take a look. But I take it that 9.2 doesn't have anything? Perhaps a different thing, but I just heard from another source that I should look at SELinux... is that included with Pro 9.2 or the latter? And does that somehow relate to file access auditing?
I am not sure it can audit to the full extend you need.
I'm not looking into very complex auditing. Almost any auditing would be enough. It's more of something that needs to be implemented than something that is crucial (currently I trust the users and the access rights :-). But I do need to have some auditing on the file level too.
9.1 / SLES 9 has a EAL4+/CAPP capable audit system doing all you might want ... For 10.1 / SLES 10 this is planned too.
Unfortunately we are running the Pro 9.2 and are looking to upgrade to 10.X (probably wait for the 10.1). I do not think we are going for SLES... rather we might go for the OSS. Although, if no auditing can be done there, then I will propose SLES. It's just that we are used to the Pro and how it works and all that... I do not think we want to change.
(Look for "audit watches".)
I will. -- HG.
HG wrote:
Perhaps a different thing, but I just heard from another source that I should look at SELinux... is that included with Pro 9.2 or the latter? And does that somehow relate to file access auditing?
9.2 had some bits and pieces of SELinux in it, but never really fully supported it. With 10.0 onward, we have completely removed SELinux, and replaced it with AppArmor http://www.opensuse.org/Apparmor which is much easier to use than SELinux.
AppArmor and SELinux are access control systems, which are kinda related to audit systems, but not exactly the same:
* Audit systems need to record lots of data, and access control systems don't always have all that data to hand.
* Access control systems need to figure out what is being requested early enough to stop it from happening, while audit systems can just note that it happened, even after the fact.
So whether to blend an access control system with an audit system is something of an architectural question we are still working on.
9.1 / SLES 9 has a EAL4+/CAPP capable audit system doing all you might want ... For 10.1 / SLES 10 this is planned too.
Unfortunately we are running the Pro 9.2 and are looking to upgrading to 10.X (probably wait for the 10.1). I do not think we are going for SLES... rather we might go for the OSS.
AppArmor is included in SL10.0, SL10.1, and SLES9SP3. I'm less sure of where the audit systems are included, but I would suspect all of them.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption
Hello!
On 2/4/06, Crispin Cowan
HG wrote:
Perhaps a different thing, but I just heard from another source that I should look at SELinux... is that included with Pro 9.2 or the latter? And does that somehow relate to file access auditing?
9.2 had some bits and pieces of SELinux in it, but never really fully supported it.
Ok, then I think I won't even try it now as I anticipate moving to 10.X.
With 10.0 onward, we have completely removed SELinux, and replaced it
No wonder I didn't find anything about from my home computer...
AppArmor and SELinux are access control systems, which are kinda related to audit systems, but not exactly the same:
I know.
So whether to blend an access control system with an audit system is something of an architectural question we are still working on.
I hope you can find something on that - many corporate security policies require file auditing and currently it seems that linux doesn't provide tools for this.
AppArmor is included in SL10.0, SL10.1, and SLES9SP3. I'm less sure of where the audit systems are included, but I would suspect all of them.
I tried AppArmor briefly on SUSE 10.0, but I really didn't get much out of it. I thought that it was somehow crippled... How about the future (of AppArmor and auditing) on the OSS version? Or even the freely available SUSE (what used to be the Professional)? -- HG.
Hi!
On 2/2/06, Marcus Meissner
On Thu, Feb 02, 2006 at 11:34:10AM +0200, HG wrote:
Hello!
Is it possible to set up file and folder access auditing on SuSE 9.2 or later (10.0)? [snip]
10.0 has the beginnings of the upstream audit system, in the "audit" package, 10.1 has a bit further developed one.
Just to clarify, you probably mean the boxed 10.0 from Novell? I can not find the audit package on my home computer (my learning bench) that runs the freely downloaded 10.0 (DVD). Nor does the search function give anything meaningful with audit or watches. -- HG.
On Wed, Feb 08, 2006 at 06:14:46PM +0200, HG wrote:
Hi!
On 2/2/06, Marcus Meissner wrote:
On Thu, Feb 02, 2006 at 11:34:10AM +0200, HG wrote:
Hello!
Is it possible to set up file and folder access auditing on SuSE 9.2 or later (10.0)? [snip]
10.0 has the beginnings of the upstream audit system, in the "audit" package, 10.1 has a bit further developed one.
Just to clarify, you probably mean the boxed 10.0 from Novell? I can not find the audit package on my home computer (my learning bench) that runs the freely downloaded 10.0 (DVD). Nor does the search function give anything meaningful with audit or watches.
The audit.rpm should be on the retail DVD (and on the extras source).
Ciao, Marcus
On Thu, Feb 02, 2006 at 11:34:10AM +0200, HG wrote:
Hello!
Hello.
Is it possible to set up file and folder access auditing on SuSE 9.2 or later (10.0)? If so, how would one do that?
I have some sensitive information now on SuSE 9.2 (that might be updated to 10.X) and I'm looking for something similar to what I had in Windows. I want to have a log somewhere that would indicate who has used or tried to use the sensitive information.
SLES8 (+SP) and SLES9 are CAPP EAL certified and provide the Linux Audit Subsystem (LAuS). This system can be used to monitor file access. The LAuS also runs on SL 8.1 and 9.1 and is available as source from ftp://ftp.suse.com/pub/projects/security/laus/ . In SL 10.0 we have the Lightweight Audit Framework (LAF) from kernel mainline code. It is not as complete as LAuS and the "watches" (monitor filesystem objects) only exist in the documentation, unfortunately.
-- HG.
--
Bye,
Thomas
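For readers of this thread who end up on a release where the "audit watches" Marcus and Thomas mention actually work, here is an added example (not from the thread or from any of the posters) of what a watch rule looks like and how the resulting audit.log records can be joined to answer HG's question: who used or tried to use the sensitive files. It assumes the upstream audit userspace (auditctl, ausearch, auditd writing /var/log/audit/audit.log); the /srv/sensitive path, the sensitive_files key and the log lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes the upstream audit
# userspace (auditctl/ausearch/auditd) on a kernel where filesystem watches
# work. The path, the key name and the sample log lines are constructed.

# Rule fragment for /etc/audit/audit.rules (loaded with "auditctl -R FILE" or
# at auditd start): watch the directory for read/write/execute/attribute
# access and tag every matching event with a key we can search for later.
write_watch_rules() {
    cat <<'EOF'
-w /srv/sensitive -p rwxa -k sensitive_files
EOF
}

# Answer "who used or tried to use the files?" from audit.log read on stdin.
# On a live system "ausearch -k sensitive_files" performs this join; it is
# spelled out here so the record structure is visible: a SYSCALL record
# carries uid/auid/comm/success and the key, and PATH records sharing the
# same event serial carry the file name. Usage: report_access KEY < audit.log
report_access() {
    awk -v key="$1" '
    {
        # the event serial is the "ts:seq" inside msg=audit(ts:seq):
        serial = $2
        sub(/^msg=audit\(/, "", serial)
        sub(/\):$/, "", serial)

        # collect the remaining name=value pairs, dropping quotes
        split("", f)
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            v = $i
            sub(/^[^=]*=/, "", v)
            gsub(/"/, "", v)
            f[kv[1]] = v
        }

        if ($1 == "type=SYSCALL" && f["key"] == key) {
            ev[serial] = "auid=" f["auid"] " uid=" f["uid"] " comm=" f["comm"] " success=" f["success"]
        } else if ($1 == "type=PATH" && (serial in ev) && f["name"] != "" && f["nametype"] != "PARENT") {
            print serial " " ev[serial] " file=" f["name"]
        }
    }'
}

# Constructed sample of auditd output: a successful read by uid 1001, a
# denied open (exit=-13, EACCES) by uid 1002, and an unrelated event that
# matched some other rule and must not show up in the report.
SAMPLE_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1138875251.123:45): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2200 pid=2301 auid=1001 uid=1001 gid=100 euid=1001 tty=pts0 comm="cat" exe="/bin/cat" key="sensitive_files"
type=CWD msg=audit(1138875251.123:45): cwd="/home/hg"
type=PATH msg=audit(1138875251.123:45): item=0 name="/srv/sensitive/payroll.xls" inode=4711 dev=08:02 mode=0100640 ouid=0 ogid=100 nametype=NORMAL
type=SYSCALL msg=audit(1138875260.004:46): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2400 pid=2402 auid=1002 uid=1002 gid=100 euid=1002 tty=pts1 comm="less" exe="/usr/bin/less" key="sensitive_files"
type=PATH msg=audit(1138875260.004:46): item=0 name="/srv/sensitive/payroll.xls" nametype=NORMAL
type=SYSCALL msg=audit(1138875299.500:47): arch=c000003e syscall=2 success=yes exit=3 items=1 auid=1001 uid=1001 comm="vim" exe="/usr/bin/vim" key="other_rule"
type=PATH msg=audit(1138875299.500:47): item=0 name="/etc/hosts" nametype=NORMAL
EOF
)

write_watch_rules
printf '%s\n' "$SAMPLE_LOG" | report_access sensitive_files
```

The report lists both the successful read and the denied attempt, which is exactly the "used or tried to use" distinction HG asked for: the denied one shows success=no with the EACCES exit code, and auid (the login uid, which survives su) tells you who the person actually was even when uid differs. On a real system, auditctl -l shows which rules are loaded and ausearch -k sensitive_files gives the same join without the awk.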
participants (4)
- Crispin Cowan
- HG
- Marcus Meissner
- Thomas Biege