Snare, SELinux, NISPOM

[Leigh Purdie]

G'day Tom, (All: Info)

That seems like a pretty accurate summary right at the moment.
We have quite a few people contacting us who use Snare for NISPOM - have
a peek at the Snare support page on sourceforge for some hints on a
NISPOM-targeted configuration, or drop me an email for more info. There
is apparently also a custom DISA-approved version of Snare available -
you may want to contact DISA for assistance.

Although we're just about to bring out Snare 0.9.7, I'm pretty hopeful
that this version will be the last that actually needs kernel components
- with a little luck, we'll be able to shift the Snare daemon, GUI and
micro-web server over to use the native logging subsystem sometime
during (or after) FC3, based on the fantastic progress that has been
recently made on the linux-audit list.

So pre-fc3, I suspect that Snare's your best bet - but you may want to
have a look at SuSE Enterprise, or RHEL3, which both incorporate Olaf
Kirch's excellent audit environment + daemon. Note that if you're an SGI
client, you may want to look at their distribution of Linux - which
currently includes Snare from what I understand.

Once things have stabilised, hopefully distributions post-fc3 should be
able to cover a fair majority of NISPOM requirements natively, without
any need to recompile kernels, or install much in the way of extra
packages.

Regards,

Leigh.

On Tue, 2004-12-21 at 09:17 -0600, Browder, Tom wrote:
> OK, given the current state of things, is anyone satisfying NISPOM
> auditing requirements on Linux?  If so, what are you using for auditing
> (Linux distribution, add-ons, kernel)?
> 
> The best I can figure in the short term (right out of the box) is FC 2
> and snare 096b with the UT kernel rpms: 2.6.7-1.494.2.2SNARE096b
> 
> Any better ideas would be appreciated.
> 
> Thanks.
> 
> Tom Browder
-- 
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/