[Snare-devel] Re: SELinux, LSM, SNARE ...

M. Fecina fecina at psu.edu
Tue Feb 15 02:15:46 UTC 2005


Thanks, Leigh, for shedding some light on the situation.
I knew that 0.9.7 hoped to be the last version of SNARE
with its own kernel hooks, but I just wasn't sure exactly what I can do 
with the auditing capability in the 2.6 tree as of now.

BTW, my patch for the 2.6 kernel tree has changed a bit, if you want a 
copy, let me know.  One thing I can't seem to get rid of though, is when 
the auditd opens /proc/snare, it closes it shortly thereafter with an 
illegal seek (errno 29).  Any ideas?  Seems like the kernel isn't 
putting in the first header or something for the userspace daemon to 
grab ...

Thanks,
Mike
Leigh Purdie wrote:
> Mike,
> 
> I can probably answer parts of your email. :)
> 
> We're hoping that Snare 0.9.7 will be the last one that actually
> requires its own custom kernel-level changes.
> 
> With a little luck, the next version of Snare will piggy-back on the
> kernel changes you're seeing on the linux-audit list, providing some
> extra capabilities & a nice user interface.
> 
> If Snare's extra features prove to be useful to a fair number of people,
> then they may be rolled into the mainstream daemon at some point in the
> future.
> 
> The current snare package (kernel + daemon + gui) probably has a role to
> play in the next 12-18 months, until the key distributions integrate the
> stable auditing code and start to become widespread, but the kernel side
> of Snare should be considered to be in 'maintenance mode' only. The
> daemon & gui will continue, and we'll try to preserve your existing
> config as much as possible under the new kernel infrastructure.
> 
> So where to spend your time? Up to you obviously, but probably Snare for
> older distributions (particularly 2.4 based), and the new audit
> subsystem for any distributions that come out 3-6 months from now.
> Hopefully Snare will help you ease the transition to the new code by
> providing a familiar interface.
> 
> Leigh.
> 
> On Fri, 2005-02-11 at 13:23 -0500, M. Fecina wrote:
> 
>>All,
>>
>>I've been a lurking member of the SNARE development list
>>and this list for quite some time.  My place of employment
>>has need to meet NISPOM CH.8 requirements on Linux systems.
>>Thus far, we've been using Leigh's SNARE 0.9.7 audit daemon
>>with the necessary kernel patches.
>>
>>However, with all of the patches and progress being made
>>on SELinux, I'm wondering what the comparison is between
>>SNARE and SELinux.  I know SELinux is built-in to the 2.6
>>kernel tree, and in conjunction with some userspace daemons (auditd),
>>it can provide audit trails.
>>
>>Can anyone on this list tell me their thoughts on using SELinux
>>to meet all the functionality that SNARE has (minus the front-end GUI)
>>and to meet NISPOM ch.8 requirements?  What do I need to get SELinux to
>>provide a similar implementation as SNARE?  Is there *one* place where
>>all of the patches everyone has made on this list are rolled into?
>>
>>I'd like to know where I should be spending my time -- SNARE or SELinux.
>>
>>Thanks,
>>M. Fecina
>>
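Added example, not part of the thread or of the Snare code: errno 29 on Linux is ESPIPE ("Illegal seek"), which the kernel returns when a reader calls lseek() on a descriptor whose file does not support seeking. The snippet below shows how a userspace daemon can probe for that condition and treat it as non-fatal, draining the descriptor with plain read() calls instead. A pipe is used as a constructed stand-in for a non-seekable kernel interface; nothing here assumes anything about how /proc/snare itself is implemented.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* errno 29 on Linux is ESPIPE, which strerror() reports as "Illegal seek". */
int espipe_value(void)
{
    return ESPIPE;
}

/*
 * Probe whether a descriptor supports lseek().  Returns 1 if it does,
 * 0 if the kernel answered ESPIPE (stream-like file: pipe, socket, or a
 * /proc entry without seek support), and -1 for any other error.
 */
int fd_is_seekable(int fd)
{
    if (lseek(fd, 0, SEEK_CUR) >= 0)
        return 1;
    return errno == ESPIPE ? 0 : -1;
}

/*
 * Drain a possibly non-seekable descriptor with plain read() calls,
 * retrying on EINTR and never calling lseek().  Returns the number of
 * bytes read, or -1 on a real read error.  Stops when the buffer is
 * full or at end of file.
 */
ssize_t read_stream(int fd, char *buf, size_t buflen)
{
    size_t total = 0;
    while (total < buflen) {
        ssize_t n = read(fd, buf + total, buflen - total);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)
            break;
        total += (size_t)n;
    }
    return (ssize_t)total;
}

/*
 * Constructed demonstration: a pipe stands in for a kernel interface that
 * does not implement seeking.  Returns 1 when the probe reports ESPIPE and
 * the sequential reader still recovers the whole record, 0 otherwise.
 */
int demo_nonseekable_read(void)
{
    int p[2];
    char buf[64];
    const char rec[] = "constructed audit record\n";  /* sample data, not real output */
    int seekable;
    ssize_t n;

    if (pipe(p) < 0)
        return 0;
    if (write(p[1], rec, sizeof rec - 1) != (ssize_t)(sizeof rec - 1))
        return 0;
    close(p[1]);

    seekable = fd_is_seekable(p[0]);          /* expect 0: ESPIPE, not fatal */
    n = read_stream(p[0], buf, sizeof buf);   /* read() still succeeds */
    close(p[0]);

    return seekable == 0 && n == (ssize_t)(sizeof rec - 1)
        && memcmp(buf, rec, (size_t)n) == 0;
}

int main(void)
{
    printf("ESPIPE = %d (%s)\n", espipe_value(), strerror(ESPIPE));
    printf("non-seekable read demo: %s\n",
           demo_nonseekable_read() ? "ok" : "failed");
    return 0;
}
```

The point for a daemon author is that ESPIPE from lseek() says nothing about whether the data is readable; a reader that closes the descriptor on that error will drop the records it could have collected with read() alone.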