
LxBSM: Loadable Kernel Module for the Creation of C2 Level Audit Data based on Linux

전상훈 (Researcher, MMC Technology)
최재영 (School of Computing, Soongsil University)
김세환 (Researcher, TmaxSoft)
심원태 (Korea Information Security Agency)
Abstract
Currently, most commercial operating systems include a high-level audit facility to raise their security level. Linux does not fall behind the other commercial operating systems in performance and stability, but it lacks a comparable audit facility. To be used as a server operating system, Linux is required to support security features above the C2 level of the TCSEC, which calls for a kernel-level audit facility that provides system call auditing and audit events. In this paper, we present LxBSM, a kernel module that provides such kernel-level audit features. The audit record format of LxBSM is compatible with that of SunShield BSM. LxBSM is implemented as a loadable kernel module, which enhances its usability. It produces rich audit records, including user-level audit events such as login/logout, and it supports both a pipe and a file interface to ease its connection to intrusion detection systems (IDS). The performance of LxBSM is compared with and evaluated against that of a Linux kernel without the audit features. Response time increased for the system calls that create audit data, such as fork, execve, open, and close; no other performance degradation was observed.
Keywords
Linux Security; Security LKM; Kernel Audit System;
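The abstract states that LxBSM writes SunShield BSM-compatible audit records to a file or a pipe so that an IDS can consume them. The following Python script is an added example, not code from the paper or from LxBSM: it shows what such a consumer looks like, parsing a byte stream of BSM-style records (header, subject, path, return and trailer tokens) and running a simple check over the decoded fork/execve/open/close events. The token layouts and event numbers are assumptions based on the published BSM 32-bit token definitions rather than anything the paper specifies, and the sample audit trail is constructed inside the script.

```python
"""Consumer for SunShield BSM-style audit records (added example).

Token layouts and event numbers below are assumptions based on the public
BSM/OpenBSM 32-bit token definitions; the paper does not reproduce LxBSM's
exact encoding, so treat them as illustrative, not as LxBSM's own.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

AUT_TRAILER, AUT_HEADER32, AUT_PATH, AUT_SUBJECT32, AUT_RETURN32 = 0x13, 0x14, 0x23, 0x24, 0x27
TRAILER_MAGIC = 0xB105
HEADER_LEN, TRAILER_LEN, SUBJECT_LEN = 18, 7, 37
# Assumed BSM event numbers for the four calls the paper measured.
EVENT_NAMES = {2: "fork", 23: "execve", 72: "open", 112: "close"}
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "addr")


@dataclass
class AuditRecord:
    event: int
    time: int
    subject: dict = field(default_factory=dict)
    path: Optional[str] = None
    errno: Optional[int] = None
    retval: Optional[int] = None


def build_record(event, time_sec, subj, path=None, errno=0, retval=0):
    """Encode one big-endian BSM record; used here only to construct sample data."""
    body = bytearray(struct.pack(">B9I", AUT_SUBJECT32, subj["auid"], subj["euid"], subj["egid"],
                                 subj["ruid"], subj["rgid"], subj["pid"], subj["sid"], 0, 0))
    if path is not None:
        p = path.encode() + b"\0"          # BSM path tokens carry a NUL-terminated string
        body += struct.pack(">BH", AUT_PATH, len(p)) + p
    body += struct.pack(">BBI", AUT_RETURN32, errno, retval)
    total = HEADER_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, total, 2, event, 0, time_sec, 0)
    trailer = struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, total)
    return header + bytes(body) + trailer


def parse_records(buf: bytes) -> List[AuditRecord]:
    """Decode consecutive records; the bytes are the same whether read from the file or pipe interface."""
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER_LEN:
            raise ValueError("truncated header")
        tok, size, _ver, event, _mod, sec, _msec = struct.unpack_from(">BIBHHII", buf, off)
        if tok != AUT_HEADER32:
            raise ValueError(f"expected header token at offset {off}, got {tok:#x}")
        end = off + size
        if end > len(buf):
            raise ValueError("truncated record")
        rec, pos = AuditRecord(event=event, time=sec), off + HEADER_LEN
        while pos < end:
            t = buf[pos]
            if t == AUT_SUBJECT32:
                rec.subject = dict(zip(SUBJECT_FIELDS, struct.unpack_from(">9I", buf, pos + 1)))
                pos += SUBJECT_LEN
            elif t == AUT_PATH:
                (n,) = struct.unpack_from(">H", buf, pos + 1)
                rec.path = buf[pos + 3:pos + 3 + n].rstrip(b"\0").decode()
                pos += 3 + n
            elif t == AUT_RETURN32:
                rec.errno, rec.retval = struct.unpack_from(">BI", buf, pos + 1)
                pos += 6
            elif t == AUT_TRAILER:
                magic, count = struct.unpack_from(">HI", buf, pos + 1)
                if magic != TRAILER_MAGIC or count != size:
                    raise ValueError("bad trailer")          # framing check: record boundaries must agree
                pos += TRAILER_LEN
            else:
                raise ValueError(f"unknown token {t:#x} at offset {pos}")
        if pos != end:
            raise ValueError("record length mismatch")
        records.append(rec)
        off = end
    return records


def find_suspicious(records: List[AuditRecord]) -> List[str]:
    """Two simple IDS-style checks: privilege-gaining execve and failed system calls."""
    alerts = []
    for r in records:
        name = EVENT_NAMES.get(r.event, f"event{r.event}")
        if name == "execve" and r.subject.get("euid") == 0 and r.subject.get("ruid") != 0:
            alerts.append(f"privileged execve of {r.path} by ruid {r.subject['ruid']} (pid {r.subject['pid']})")
        if r.errno:
            alerts.append(f"{name} failed with errno {r.errno} (pid {r.subject.get('pid')})")
    return alerts


# Constructed sample trail: an unprivileged session that forks, runs a setuid
# binary, is denied access to /etc/shadow (EACCES = 13), then closes a descriptor.
SUBJ_USER = dict(auid=1000, euid=1000, egid=1000, ruid=1000, rgid=1000, pid=4242, sid=4242)
SUBJ_SETUID = dict(SUBJ_USER, euid=0)
SAMPLE_TRAIL = b"".join([
    build_record(2, 1_000_000_000, SUBJ_USER, retval=4243),
    build_record(23, 1_000_000_001, SUBJ_SETUID, path="/usr/bin/passwd"),
    build_record(72, 1_000_000_002, SUBJ_USER, path="/etc/shadow", errno=13, retval=0xFFFFFFFF),
    build_record(112, 1_000_000_003, SUBJ_USER),
])


def audit_sample() -> List[str]:
    return find_suspicious(parse_records(SAMPLE_TRAIL))


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

The trailer check matters for the pipe interface: a reader that loses synchronisation mid-stream would otherwise silently misparse every following record, so the parser refuses to continue when the trailer's magic or byte count disagrees with the header.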
Citations & Related Records
Times cited by KSCI: 1