audio
7th July 2008
So far I really like the Security Event Auditing. The FreeBSD Handbook showed something similar to what I wanted.

Code:
root:lo,+ex:no
www:fc,+ex:no
The last line logs files created and files executed by the www user. Pretty cool.

I also found BSMtrace, which is basically a context-based HIDS that uses those audit trails. Here are some of the things it can do.
Quote:
- A subject having 50 failed, then one successful login over the course of
a week. Something you might expect to find during an SSH brute force.

- User "nobody" creating files outside of /usr/local/www

- User "nobody" executing administrative utilities, or utilities like id(1)
to determine which level of privilege has been acquired

- Detect the execution of common shellcode where certain sequences don't
normally appear, for example, the typical execution pattern of bind
when it services a DNS request might be:
[1] recvmsg
A buffer overflow is exploited, and now the execution pattern
might look something like this:
[2] socket
[3] bind
[4] listen
[5] accept
[6] dup2
[7] exec

- Users or groups of users executing utilities, looking at (or attempting)
files they shouldn't be.
That's pretty much identical to what I was looking for. Anyone here have experience with BSMtrace?
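The three simplest BSMtrace rules quoted above (failed-then-successful logins, "nobody" creating files outside the web root, "nobody" running administrative utilities) can be expressed as a few lines of detection logic run over the events an audit trail yields. The following is an added example and is not code from the post, from BSMtrace, or from FreeBSD; it assumes the audit records have already been reduced to `(timestamp, event_type, user, path, success)` tuples (the sample events, the 7-day window and the list of "administrative" utilities are constructed for the example, and the mapping from praudit(1) output to these tuples is left to the reader).

```python
"""Toy BSMtrace-style detections over simplified audit events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WEB_ROOT = "/usr/local/www"
# Constructed list: utilities an unprivileged web-server user has no reason to run.
ADMIN_UTILITIES = {"/usr/bin/id", "/usr/bin/su", "/usr/sbin/pw", "/sbin/ifconfig"}


def brute_force_alerts(events, threshold=50, window=timedelta(days=7)):
    """Flag a user whose successful login follows >= threshold failures inside `window`."""
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    alerts = []
    for ts, etype, user, _path, ok in sorted(events, key=lambda e: e[0]):
        if etype != "login":
            continue
        recent = failures[user]
        while recent and ts - recent[0] > window:  # drop failures older than the window
            recent.popleft()
        if not ok:
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append(f"{user}: successful login after {len(recent)} failures in {window.days} days")
            recent.clear()
    return alerts


def nobody_file_alerts(events, user="nobody", allowed_root=WEB_ROOT):
    """Flag successful file creations by `user` outside `allowed_root`."""
    return [
        f"{u} created {path} outside {allowed_root}"
        for _ts, etype, u, path, ok in events
        if etype == "create" and u == user and ok and not path.startswith(allowed_root + "/")
    ]


def nobody_exec_alerts(events, user="nobody", utilities=ADMIN_UTILITIES):
    """Flag `user` executing any utility from the administrative list."""
    return [
        f"{u} executed {path}"
        for _ts, etype, u, path, ok in events
        if etype == "exec" and u == user and ok and path in utilities
    ]


def analyze(events):
    """Run all three rules and return the combined list of alert strings."""
    return brute_force_alerts(events) + nobody_file_alerts(events) + nobody_exec_alerts(events)


def sample_events():
    """Constructed sample: one brute-force pattern, one benign login, and a few nobody events."""
    base = datetime(2008, 7, 1)
    ev = [(base + timedelta(hours=2 * i), "login", "alice", "", False) for i in range(50)]
    ev.append((base + timedelta(days=5), "login", "alice", "", True))          # success after 50 failures
    ev.append((base, "login", "bob", "", False))                                 # a single typo, then
    ev.append((base + timedelta(minutes=1), "login", "bob", "", True))           # a normal login
    ev.append((base + timedelta(days=1), "create", "nobody", "/usr/local/www/data/cache.tmp", True))
    ev.append((base + timedelta(days=1, minutes=1), "create", "nobody", "/tmp/.x", True))
    ev.append((base + timedelta(days=1, minutes=2), "exec", "nobody", "/usr/bin/id", True))
    ev.append((base + timedelta(days=1, minutes=3), "exec", "www", "/usr/local/bin/php", True))
    return ev


if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert)
```

Running the script prints three alerts: alice's login after 50 failures, nobody's file in /tmp, and nobody running id(1); bob's single failed attempt and www running php stay quiet. The sliding window is what makes the first rule cheap to evaluate on a continuous trail: only failures younger than the window are retained per user.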