audit 1.6.7 questions

[Steve Grubb]

On Wednesday 06 February 2008 17:04:12 Steve Grubb wrote:
> > Events: In the audisp code I see most of the AUDIT_ANOM "biggies" but
> > not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)?
>
> That one is still TBD. I needed the define in libaudit.h so I could use it
> later. I have to patch a few user space utilities to send the event.

It occurred to me that I didn't fully answer this. The plugin right now is 
intended to be a usable proof of concept test. I only wanted to cover 
the "easy" ones. The other anomaly events would be covered in future versions 
of the plugin, but they generally require some work to get functioning. At 
this point, I'm interested in feedback and maybe some ideas about what kinds 
of alerts people might be interested in.

One thing I ran into writing my plugins is that I think IDMEF is really more 
suited to NIDS rather than HIDS. I have been discussing this with the prelude 
developers and will write up my findings later. To really do a good job, I 
think the standard needs to change a little.

For example, when you get an AVC, you need to see the syscall record in order 
to decide what the impact really is. Without the syscall record, you don't 
know if the system was in permissive mode at the time if the syscall. So you 
cannot conclude whether they succeeded or failed. The IDMEF standard has no 
way to say the result was indeterminate.

So, it may take a while to get this plugin exactly the way I want since it may 
take some standards work to be able to express all the information that an 
audit system has available.

-Steve