Re: [PEN-TEST] Audit package

[Talisker <Talisker () NETWORKINTRUSION CO UK>]

Hiromi

I saw your mail on the pen-test list but I'm not absolutely sure what it is
you need.

A Sun Basic Security Module (BSM) page is at
http://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/7906?Ab2Lang=C&Ab2Enc=
iso-8859-1 there is a guide to audit trail analysis

with tools at
http://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/idmatch(CH3TRAIL-18308
)#CH3TRAIL-18308?Ab2Lang=C&Ab2Enc=iso-8859-1

The USAF sponsored Linux equivalent is at
http://www.netsq.com/Research/LinuxAudit/index.php3
there are loads of links there

Have you seen the Linux BSM site http://linuxbsm.sourceforge.net/

if you need more info let me know

Andy
http://www.networkintrusion.co.uk/ The IDS List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "Hiromi Yanaoka" <yanaoka () LAC CO JP>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, September 29, 2000 5:58 PM
Subject: Re: [PEN-TEST] Audit package


>    "Re: [PEN-TEST] Audit package"
>    "Talisker <Talisker () NETWORKINTRUSION CO UK>" wrote:
>
> > Theres a description on each and links to the vendor sites on my site
below
> > http://www.networkintrusion.co.uk/ The IDS List
>
> I have checked this well-summarized page of IDS List.
>
> My search focus for IDS is which HIDS applies BSM on Solaris.
> I understand that BSM is a powerful way of detecting and tracing
> intrusions on the host-base.  Yet, it is not widely known for lack
> of good documentation.
>
> You can also find a list of HIDS from:
> http://www.securityfocus.com/templates/tools_category.html?
> category=17&platform=&path=[%20intrusion%20detection%20][%20host%20]
>
> In addition, there are some good papers such as
> http://www.securityfocus.com/focus/ids/articles/idsbsm.html
> http://www.ce.chalmers.se/staff/sax/unix-sec-log.pdf
> and others...
>
> Since BSM keeps logs at a very low level(system call level) and
> provides details on what actually an intruder did, BSM is a
> nice tool for forensic cases as well.  Yet, this means also you
> end up with huge logs which are incomprehensible and unreasonable
> to trace with human beings' eyes.  Therefore, there is no use unless
> there is a system which interprets to the human readable as the
> paper above points out you need some kind of scripts or something
> to make BSM more useful.  Although BSM includes some utilities
> their features are limited.  If you want to *analyze* logs, it needs
> something else.
>
> So, my question leads to which ones are the one that are making BSM
> more useful.  Please forgive me if my question overlaps some of
> the threads from IDS ML and if this is unrelated for this ML.
>
> > From what I have found out so far, those using BSM are as follows
> (from Talisker's post):
>
> > EMERALD eXpert-BSM
> > RealSecure Agent  auditGUARD
>
> #Since my due for the search is coming up, I have decided to
> #throw a question here.
>
>
> Thanx.
>
> Ciao
>
> --Hiromi