Linux Basic Security Module 0.6 Guide/FAQ/HOWTO

Installing the Linux BSM is a reasonably simple process; however, the standard disclaimer applies:

This package is considered alpha software. Although the kernel modifications are small and have been tested thoroughly, the software is still under development and is to be used at your own risk.
1. Building the BSM
1.1 The Install Script

First, gunzip and untar the downloaded file.

tar zxvf linuxbsm-x.xx.tar.gz

At this point you should have a fresh Linux kernel untarred and ready at /usr/src/linux. Now enter the linuxbsm-x.xx directory and run the install script. This will patch your kernel and create a device in /dev.

cd linuxbsm-x.xx; ./Install
1.2 Compiling the Kernel

Now you need to recompile and install the newly modified kernel. See the Kernel-HOWTO for details. If that mirror is down for some reason, go to the main site at http://www.linuxdoc.org and look around there. Or try the extremely abbreviated version below:

Set up your options. Make sure to first select "Prompt for development and/or incomplete code/drivers" under "Code maturity level options" and then the BSM under "Kernel hacking," or the BSM won't show up.

cd /usr/src/linux; make config|menuconfig|xconfig

(Use whichever one of config, menuconfig or xconfig you prefer.)

Build the kernel. You can use bzImage (which will save an image on your hard drive) or bzdisk, to try the kernel booting off of a floppy first. If you pick bzdisk, you're done: reboot and remember to build your modules!
cp arch/i386/boot/bzImage /boot/vmlinuz-2.2.17
cp System.map /boot/System.map-2.2.17
mkinitrd /boot/initrd-2.2.17.img 2.2.17
Edit your /etc/lilo.conf and reboot. If everything went ok, you'll want to go back and rebuild your modules for the new kernel version:
make modules; make modules_install
Again, this is just a brief summary. If you aren't familiar with this process, consult the HOWTO.
1.3 Building the Tools

Now that you have a new kernel, you need to compile the daemon (auditd) and the audit trail reader (praudit). Go back to the linuxbsm-x.xx directory and type make. Afterwards you can install the tools wherever you want, but keep in mind that the daemon currently saves audit trails to whatever directory it's run from, so putting it in /usr/sbin wouldn't be the best plan.

2. Running the BSM

2.1 Auditing

To audit, you run the audit daemon, auditd. It controls the driver in the kernel and writes collected data out to a file (an audit trail). The simplest way to run auditd is to just type its name with no arguments.
The daemon will output some debugging information (and an error in the event of failure) and then tell you it has started auditing. The audit trail is in the same directory, with a filename of the form yyyymmddhhmmss.not_terminated, where yyyy is the year, mm is the month, and so on down to ss for seconds. This is the start time.

To finish auditing, just find out the daemon's process id and kill it. It will gracefully write out the remaining audit trail data and exit. The file name then changes to one of the form yyyymmddhhmmss.yyyymmddhhmmss; the end time has been appended.

The audit daemon currently accepts four command-line options, and it will only take one of them each time it is run. The options are:
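Because a trail that still ends in .not_terminated after the daemon is gone (for example after a crash or an unclean reboot) means the end of the trail was never written, it is worth checking the trail directory for such files. The following POSIX sh helpers are an added example written for this guide, not part of the BSM distribution; they only interpret the file-naming convention described above (start stamp, optional end stamp) and do not touch the daemon itself. The directory name and the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example: classify BSM audit trail file names.
#   yyyymmddhhmmss.not_terminated   - auditd still running (or died uncleanly)
#   yyyymmddhhmmss.yyyymmddhhmmss   - closed gracefully; second stamp is the end time

D14='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'

# trail_state NAME -> prints "open", "closed" or "other"
trail_state() {
    case "$1" in
        $D14.not_terminated) echo open ;;
        $D14.$D14)           echo closed ;;
        *)                   echo other ;;
    esac
}

# fmt_stamp yyyymmddhhmmss -> "yyyy-mm-dd hh:mm:ss"
fmt_stamp() {
    printf '%s-%s-%s %s:%s:%s\n' \
        "$(printf '%s' "$1" | cut -c1-4)" \
        "$(printf '%s' "$1" | cut -c5-6)" \
        "$(printf '%s' "$1" | cut -c7-8)" \
        "$(printf '%s' "$1" | cut -c9-10)" \
        "$(printf '%s' "$1" | cut -c11-12)" \
        "$(printf '%s' "$1" | cut -c13-14)"
}

# trail_start NAME -> start time of the trail (the part before the dot)
trail_start() { fmt_stamp "${1%%.*}"; }

# trail_end NAME -> end time for a closed trail, "(still open)" otherwise
trail_end() {
    case "$(trail_state "$1")" in
        closed) fmt_stamp "${1#*.}" ;;
        *)      echo "(still open)" ;;
    esac
}

# find_open_trails DIR -> prints the names of all .not_terminated trails in DIR.
# Any name printed while no auditd is running is a trail whose end was never written.
find_open_trails() {
    for f in "$1"/*.not_terminated; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# Demo on a constructed directory (hypothetical names, not real trails)
demo_dir=$(mktemp -d)
: > "$demo_dir/20001122153000.20001122160000"   # closed trail
: > "$demo_dir/20001122161500.not_terminated"   # trail with no end stamp
for name in "$demo_dir"/*; do
    n=$(basename "$name")
    printf '%s  state=%s  start=%s  end=%s\n' \
        "$n" "$(trail_state "$n")" "$(trail_start "$n")" "$(trail_end "$n")"
done
printf 'open trails: %s\n' "$(find_open_trails "$demo_dir")"
rm -rf "$demo_dir"
```

Run it from the directory auditd writes to (it prints one line per trail); the list from find_open_trails is the one to review after any unplanned shutdown, since those trails may be truncated.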
2.2 Running praudit

The records inside the audit trail are saved in a binary format. In order to view these records you have to run the trail file through the praudit tool. The tool just outputs to stdout, so you'll want to redirect the output to a file like this:

./praudit yyyymmddhhmmss.yyyymmddhhmmss > output_file
Last modified 11/22/00 firstname.lastname@example.org