forked from openbsm/bsmtrace
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME
94 lines (66 loc) · 2.73 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
BSMtrace 1.0
Introduction
BSMtrace is a utility that processes audit trails, or real-time audit feeds
provided by audit pipes. It loads a set of finite state machines or sequences
from the supplied configuration file and watches the audit streams for instances
of these sequences. For more information, the example bsmtrace.conf file should
be reviewed.
The underlying premise behind bsmtrace is that the user can specify sequences of
events that are common after or during system compromise. These might include
things like:
- A subject having 50 failed, then one successful login over the course of a
week. Something you might expect to find during an SSH brute force.
- User "nobody" creating files outside of /usr/local/www
- User "nobody" executing administrative utilities, or utilities like id(1)
to determine which level of privilege has been acquired
- Detect the execution of common shellcode where certain sequences don't
normally appear, for example, the typical execution pattern of bind when it
services a DNS request might be:
[1] recvmsg(2)
[2] sendmsg(2)
[1] recvmsg(2)
[2] sendmsg(2)
.
.
.
When the return address of the stack is over-written during a buffer overflow
attack, the execution pattern of the process will change, resulting in the
execution of system calls outside it's regular sequence:
[1] recvmsg
o buffer overflow is exploited, and now the execution pattern might look
something like this:
[2] socket
[3] bind
[4] listen
[5] accept
[6] dup2
[7] exec
- Users or groups of users executing utilities, looking at (or attempting) files
they shouldn't be.
Because bsmtrace acquires it's information from the audit stream, we can be
reasonably certain that we can trust the data. Unlike syslog, the BSM audit
framework targets Commmon Criteria (CC) requirements, to help ensure that the
audit trail is robust, protected and maintains high levels of integrity.
For more information on the security auditing framework see:
http://www.TrustedBSD.org/
A complete EBNF specification (bsmtrace.ebnf) for the policy configuration
engine has been included with this source code archive.
Building
Currently, we BSMtrace is built using a basic Makefile. As more platforms are
supported, this might change.
make
To install:
make install
Credits
The following organizations and individuals have contributed substantially to
the development of BSMtrace (in alphabetical order):
Aaron L. Meihm
Christian S.J. Peron
Seccuris Labs
The following people have contributed to the project with the contribution
noted:
Mak Kolybabi (EBNF specification, PCRE for pathnames, man pages)
Bugs
Please report any bugs or comments to: