Hi, while searching for new ideas for my kernel IDS 'FUPIDS'[1], which I posted in 12/2003, I found an interesting kernel IDS called 'SID'[2] for Linux and Solaris. SID is a pseudo-terminal IDS that creates SHA1 values of terminal commands. These values are logged. A user-space program reads these logs and compares the included values with "bad" values. For example, if 3a3a3a3a3a were the hash for 'cd /root' and the user-space tool found this string in the log file, an intrusion is detected. You can also define an action for an intrusion, which can be something like a shell script killing all the processes of a user.

I'm currently thinking about an OpenBSD implementation of such a kernel IDS, including the improvement that whitespace will be ignored. That will be better because cd /root, cd/root and cd  /root would generate the same hash value.

But ehm ... if the admin has to specify rules for lots of "bad" commands, he has to do a lot of work. If he forgets an important rule, the intrusion will not be detected. This could be solved using default shipped rules.

Is there any interest for such an implementation? I ask this because I would write the kernel code as a patch instead of a LKM in that case, which would be easier but possibly more version dependent.

-steffen

[1] http://www.doomed-reality.org/site/p...ids/index.html
[2] http://sid.sourceforge.net

--
web: http://cdp.doomed-reality.org
mail: cdp_xe [at] gmx [dot] net
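The matching step described in the post, as an added example that is not SID's or FUPIDS's own code: a user-space checker builds a ruleset of SHA1 digests from "bad" commands, then scans log lines for those digests. The log line format (`user tty sha1`), the rule list and the log entries are all constructed for this example; SID's real log format is not reproduced here. The `ignore_whitespace` switch shows the difference between hashing the raw command (as the post describes SID doing) and hashing it with all whitespace removed (the proposed OpenBSD improvement).

```python
import hashlib
import re


def normalize(cmd: str) -> str:
    """Drop every whitespace character, so 'cd /root', 'cd/root' and
    'cd  /root ' all collapse to the same string before hashing."""
    return re.sub(r"\s+", "", cmd)


def command_hash(cmd: str, ignore_whitespace: bool = True) -> str:
    """SHA1 hex digest of a command, optionally whitespace-normalized first."""
    text = normalize(cmd) if ignore_whitespace else cmd
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_ruleset(bad_commands, ignore_whitespace: bool = True) -> dict:
    """Map digest -> original rule text, so a hit can be reported readably."""
    return {command_hash(c, ignore_whitespace): c for c in bad_commands}


def scan_log(log_lines, ruleset: dict):
    """Return (user, tty, matched_rule) for every log line whose digest is in
    the ruleset. Log line format is a constructed 'user tty sha1' triple."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the checker
        user, tty, digest = parts
        if digest in ruleset:
            hits.append((user, tty, ruleset[digest]))
    return hits


def simulate(ignore_whitespace: bool = True):
    """Build a constructed log from command variants and scan it, returning
    the rule text of each hit in log order. Hypothetical data only."""
    rules = build_ruleset(["cd /root", "cat /etc/master.passwd"], ignore_whitespace)
    # The kernel side would emit one digest per typed command; here the
    # digests are generated with the same policy the checker uses.
    typed = [
        ("alice", "ttyp0", "ls -la"),
        ("bob", "ttyp1", "cd /root"),
        ("bob", "ttyp1", "cd/root"),
        ("carol", "ttyp2", "cd  /root "),
        ("carol", "ttyp2", "cat /etc/master.passwd"),
    ]
    log = [f"{u} {t} {command_hash(c, ignore_whitespace)}" for u, t, c in typed]
    return [rule for _, _, rule in scan_log(log, rules)]


if __name__ == "__main__":
    print("raw hashing       :", simulate(ignore_whitespace=False))
    print("whitespace ignored:", simulate(ignore_whitespace=True))
```

With raw hashing only the literally identical `cd /root` and the `master.passwd` read are flagged; with whitespace ignored all three `cd /root` variants match one rule. The limitation the post raises still applies either way: a rule matches one exact command, so `cd /root/` or `cd ~root` would need their own entries or a default-shipped ruleset.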