Comp Thread Archive from Usenet.com

Re: Recording Process Startup (forks/exec etc) in Unix



On Mon, 27 Oct 2003 20:45:05 GMT in comp.os.unix, The Boss
<[EMAIL PROTECTED]> wrote:

>I am trying to find a way to record when processes on a Unix/Linux system
>are started and when (i.e. new process ID, parent process ID, spawning
>user, time) as a way of modeling user behavior in order to allow intrusion
>detection. I was thinking of perhaps catching the SIGCHLD signal or
>recording exec system calls. I could probably run this as root, so this
>would probably be a daemon and record these to a logfile for a separate
>analysis routine.

Recording signals or exec calls globally is only possible in the
kernel -- can't see any other approach than changing the kernel
or using builtin auditing features in some kernels. Look for
information on user and process accounting. You might want to
start by looking at what's available in /etc/[wu]tmp{,x} files
for analysis -- man 5 wtmp utmp. 

>I am not opposed to roundabout programming, but I would like to do this
>fairly efficiently. I could probably parse out the "/proc" filesystem or
>the output of "/bin/ps", but I think that would make this method of
>collection cause a performance hit in the system.

You are likely to miss events monitoring /proc or using ps. 
All monitoring causes a performance hit -- you have to decide on
the tradeoff. 

>Does anyone know of any resources related to this or have any idea of how
>to begin? I'd like to keep it in C if possible.

If you're only worried about network intrusions -- start looking
at inetd and existing TCP/IP intrusion detection approaches --
look at the Google directory for Computers > Security > Intrusion
Detection Systems. 

In general, avoid reinventing the square wheel by looking at
what's available out there; analyze the threats detected,
responses generated, and how that's achieved by available
packages; do that before trying to design something better, and
having to worry about whether it's implemented in such a way that
it will actually do the job required. 

Thanks. Take care, Brian Inglis         Calgary, Alberta, Canada
-- 
[EMAIL PROTECTED]       (Brian dot Inglis at SystematicSw dot ab dot ca)
    fake address                use address above to reply
