Compliance Record Framework Use Cases

From Bandit-project.org

Case 1

Scenario: A valid user on a mission-critical Linux machine at XYZ corporation wants to perform some operations that require specific rights in the file system. XYZ corporate governance requires quarterly audits of security-related activities on this machine's services.

Results: The Linux file system is instrumented for LAF (the Linux Audit Framework), and OpenXDAS is configured to submit kernel module audit records through LAF. In this configuration OpenXDAS is simply a text formatting library on top of LAF, which is itself a free-form text logging facility. What OpenXDAS adds is a well-designed and widely applicable audit event taxonomy (defined in The Open Group's XDAS specification), so that every event can be categorized consistently. That categorization lets corporate auditors use standards-based, third-party compliance analysis tools to determine whether anyone has accessed the Linux file system in a manner inconsistent with their assigned rights. The same tools let auditors classify and compile statistics on attempts, during the audit period, to access the file system outside of assigned rights. Both outcomes need to be in the record: the denied attempts show who is pushing against their rights, while a successful access outside assigned rights is the finding the quarterly audit exists to catch. Note that the failed attempts may be the result of deliberate misuse by specific users, or they may simply come from a poorly designed application whose user interface encourages bad choices; further analysis of usage patterns is needed to determine the actual cause.

Also: Because ARF is open source, it can be built into any Linux application and shipped as part of the various Linux distributions. More than file access is then recorded: over time, all audited activity flows through one common mechanism.
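The analysis described in Case 1, as an added example written for this page (it is not OpenXDAS, LAF or Bandit code): a small C++ program reads constructed audit records, keeps only the data-access event class, counts denied attempts per user, and flags accesses that succeeded even though the target lies outside the user's assigned rights. The pipe-separated record layout, the event and outcome names, the rights table and the sample records are all assumptions made for the example; the field names follow the XDAS header fields (event, outcome, initiator, target), but the line format is not the XDAS wire format.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One audit record, reduced to the header fields an auditor needs here.
// The "time|event|outcome|initiator|target" layout is an assumption for
// this example, not the XDAS record format.
struct AuditRecord {
    std::string time;
    std::string event;      // taxonomy event name, e.g. DATA_ITEM_ACCESS
    std::string outcome;    // SUCCESS or DENIED
    std::string initiator;  // user on whose behalf the action ran
    std::string target;     // file path that was accessed
};

// Split one line into an AuditRecord; returns false for malformed lines.
bool parseRecord(const std::string& line, AuditRecord& out) {
    std::vector<std::string> fields;
    std::stringstream ss(line);
    std::string f;
    while (std::getline(ss, f, '|')) fields.push_back(f);
    if (fields.size() != 5) return false;
    out = AuditRecord{fields[0], fields[1], fields[2], fields[3], fields[4]};
    return true;
}

// Assigned rights: user -> set of directory prefixes the user may access.
using Rights = std::map<std::string, std::set<std::string>>;

bool permitted(const Rights& rights, const std::string& user, const std::string& target) {
    auto it = rights.find(user);
    if (it == rights.end()) return false;  // unknown user: nothing is permitted
    for (const std::string& prefix : it->second)
        if (target.compare(0, prefix.size(), prefix) == 0) return true;
    return false;
}

struct AccessStats {
    std::map<std::string, int> deniedPerUser;       // attempts the kernel refused
    std::vector<AuditRecord> successOutsideRights;  // accesses that should not have succeeded
    int malformed = 0;                              // lines the parser could not read
};

// Only the data-access class matters for a file-system audit; other
// classes (sessions, account changes) are skipped, not misfiled.
AccessStats analyze(const std::vector<std::string>& lines, const Rights& rights) {
    AccessStats stats;
    for (const std::string& line : lines) {
        AuditRecord r;
        if (!parseRecord(line, r)) { ++stats.malformed; continue; }
        if (r.event != "DATA_ITEM_ACCESS") continue;
        if (r.outcome == "DENIED")
            ++stats.deniedPerUser[r.initiator];
        else if (r.outcome == "SUCCESS" && !permitted(rights, r.initiator, r.target))
            stats.successOutsideRights.push_back(r);
    }
    return stats;
}

// Constructed sample records for this example (not real audit output).
std::vector<std::string> sampleLines() {
    return {
        "2007-03-01T09:00:00Z|DATA_ITEM_ACCESS|SUCCESS|alice|/srv/finance/ledger.db",
        "2007-03-01T09:05:00Z|DATA_ITEM_ACCESS|DENIED|bob|/srv/finance/ledger.db",
        "2007-03-01T09:06:00Z|DATA_ITEM_ACCESS|DENIED|bob|/srv/finance/payroll.db",
        "2007-03-01T09:10:00Z|DATA_ITEM_ACCESS|SUCCESS|bob|/srv/finance/payroll.db",
        "2007-03-01T09:12:00Z|USER_SESSION_START|SUCCESS|bob|-",
        "2007-03-01T09:15:00Z|DATA_ITEM_ACCESS|SUCCESS|carol|/home/carol/notes.txt",
        "garbled line with no fields",
    };
}

// Assumed rights table for the sample users.
Rights sampleRights() {
    return {{"alice", {"/srv/finance/"}}, {"bob", {"/home/bob/"}}, {"carol", {"/home/carol/"}}};
}

int main() {
    AccessStats s = analyze(sampleLines(), sampleRights());
    for (const auto& kv : s.deniedPerUser)
        std::printf("denied attempts by %s: %d\n", kv.first.c_str(), kv.second);
    for (const AuditRecord& r : s.successOutsideRights)
        std::printf("REVIEW: %s accessed %s at %s outside assigned rights\n",
                    r.initiator.c_str(), r.target.c_str(), r.time.c_str());
    std::printf("malformed records: %d\n", s.malformed);
    return 0;
}
```

Two results come out of this, and they mean different things to the auditor: the per-user count of denied attempts is the statistic that still needs the usage-pattern analysis before it is attributed to misuse rather than a bad user interface, while the list of accesses that succeeded outside assigned rights is the finding that needs no further interpretation. Malformed lines are counted rather than dropped silently, since a gap in the trail is itself something an auditor must know about.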

Case 2

Scenario: An application developer wants to add auditing instrumentation to her open source accounting application, but can't decide whether to add Windows Event Log calls or Linux syslog calls. The product is initially targeting both platforms, and auditing instrumentation would be desirable on both. She briefly considers adding both sets of calls within #ifdefs in the C++ code base, then moves on to the natural extension of that idea: designing an auditing abstraction layer into her application so the system-specific code is isolated in one small area of the code base. She then hears about Bandit ARF and the OpenXDAS project, and decides to go with Bandit's cross-platform approach to auditing.

Results: She is able to instrument her application using an open-standards-based API and data model rich enough to meet her needs, richer in fact than either Linux syslog or the Windows Event Log. By instrumenting with OpenXDAS she gains immediate portability, not only of the API but also of the event taxonomy OpenXDAS provides. Had she gone with her own audit abstraction layer she might have gained a degree of API portability, but she would still have had disparate event taxonomies on each platform, and those taxonomies would have to be mapped and consolidated at the event logging server before both platforms could be analyzed consistently. The taxonomy used by OpenXDAS is based on The Open Group's XDAS standard.
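The abstraction layer the developer considers in Case 2, as an added C++ example written for this page (it is not the accounting application's code, nor Bandit ARF or OpenXDAS). The application talks only to AuditSink; the syslog and Windows Event Log sinks are the one small platform-specific area, and a common taxonomy (EventClass, Outcome) travels with every record so that a collector sees one line format from both platforms. The event class names are modeled on the kinds of classes XDAS defines, but their numeric ids, the outcome names and the record line format are placeholders chosen for this example, not values from the specification.

```cpp
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#else
#include <syslog.h>
#endif

// Common taxonomy shared by every sink. Ids are placeholders for this
// example, not XDAS event numbers.
enum class EventClass : unsigned { AccountManagement = 0x01, UserSession = 0x02, DataItemAccess = 0x03 };
enum class Outcome { Success, Denied, Failure };

struct AuditEvent {
    EventClass cls;
    std::string name;       // application-level event, e.g. "LEDGER_READ"
    Outcome outcome;
    std::string initiator;  // account performing the action
    std::string target;     // object acted on
};

const char* outcomeName(Outcome o) {
    switch (o) {
        case Outcome::Success: return "SUCCESS";
        case Outcome::Denied:  return "DENIED";
        default:               return "FAILURE";
    }
}

// One line, identical on every platform, so the collector parses one format.
std::string formatEvent(const AuditEvent& e) {
    return "class=" + std::to_string(static_cast<unsigned>(e.cls)) +
           " event=" + e.name + " outcome=" + outcomeName(e.outcome) +
           " initiator=" + e.initiator + " target=" + e.target;
}

// The platform boundary: the rest of the application sees only this.
class AuditSink {
public:
    virtual ~AuditSink() = default;
    virtual void write(const AuditEvent& e) = 0;
};

#ifdef _WIN32
// Windows: the native audit event types carry success/failure, so the
// outcome is mapped onto them instead of being buried in free text.
class EventLogSink : public AuditSink {
public:
    explicit EventLogSink(const char* source) : h_(RegisterEventSourceA(nullptr, source)) {}
    ~EventLogSink() override { if (h_) DeregisterEventSource(h_); }
    void write(const AuditEvent& e) override {
        std::string line = formatEvent(e);
        LPCSTR strings[1] = { line.c_str() };
        WORD type = e.outcome == Outcome::Success ? EVENTLOG_AUDIT_SUCCESS : EVENTLOG_AUDIT_FAILURE;
        ReportEventA(h_, type, 0, static_cast<DWORD>(e.cls), nullptr, 1, 0, strings, nullptr);
    }
private:
    HANDLE h_;
};
#else
// Linux: syslog has no outcome field, so a denial is expressed via priority
// and the outcome stays in the formatted line for the collector.
int priorityFor(Outcome o) { return o == Outcome::Success ? LOG_INFO : LOG_WARNING; }

class SyslogSink : public AuditSink {
public:
    explicit SyslogSink(const char* ident) { openlog(ident, LOG_PID, LOG_AUTHPRIV); }
    ~SyslogSink() override { closelog(); }
    void write(const AuditEvent& e) override {
        syslog(priorityFor(e.outcome), "%s", formatEvent(e).c_str());
    }
};
#endif

// In-memory sink: used by tests, and by code that batches records.
class MemorySink : public AuditSink {
public:
    void write(const AuditEvent& e) override { lines_.push_back(formatEvent(e)); }
    const std::vector<std::string>& lines() const { return lines_; }
private:
    std::vector<std::string> lines_;
};

// Application-facing API: one call per audited operation, no #ifdefs.
class Auditor {
public:
    explicit Auditor(AuditSink& sink) : sink_(sink) {}
    void record(EventClass cls, const std::string& name, Outcome out,
                const std::string& who, const std::string& what) {
        sink_.write(AuditEvent{cls, name, out, who, what});
    }
private:
    AuditSink& sink_;
};

int main() {
#ifdef _WIN32
    EventLogSink sink("AcctApp");
#else
    SyslogSink sink("acctapp");
#endif
    Auditor audit(sink);
    audit.record(EventClass::DataItemAccess, "LEDGER_READ", Outcome::Denied, "bob", "ledger/2007Q1");
    return 0;
}
```

MemorySink stands in for either platform in tests. Note what this layer does not solve: the class ids and outcome names are this one application's own, so a second application with its own layer would still ship a different taxonomy, and the logging server would have to map both before analyzing them together. That is the gap a shared taxonomy such as the one OpenXDAS takes from XDAS closes.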