The main purpose of this work is to present systematic solutions to the persistent problems of securing and improving the audit and logging capabilities of the system.
Moreover, we present a collection of suites that perform intruder detection and a proposal to protect the system against buffer overflow attacks. Covert storage channel analysis is currently under study.
The basic problem is that, once root is compromised, all audit data can be deleted or altered, destroying the collected information even when it meets the TCSEC requirements.
An important question is: does anybody have the time to inspect the hundreds of lines generated by the audit/logging system? We provide a collection of utilities that analyze such data in real time and take the least disruptive action needed to terminate an event that may corrupt the integrity of the system.
In doing so we try to meet the Division B, Class 3 TCSEC requirements.
Section 2 describes the state of the art of audit and logging in Linux, the typical attacks against the integrity and security of the system, and the TCSEC requirements in detail.
Section 3 shows how Piranha Audit helps system administrators detect what has happened and how the Intruder Detection System defends against some of the more dangerous attacks. The kernel patches applied and a quick description of the suite of user utilities are also provided.
Section 4 presents performance and penetration testing. Section 5 describes related work. Finally, Section 6 presents our conclusions.