The Linux Basic Security Module Project

Linux Basic Security Module 0.6 Guide/FAQ/HOWTO

Installing the Linux BSM is a reasonably simple process; however, the standard disclaimer applies:
This package is considered alpha software. Although the kernel modifications are small and have been tested thoroughly, the software is still under development and is to be used at your own risk.

1. Building the BSM

1.1 The Install Script

First, gunzip and untar the downloaded file.
tar zxvf linuxbsm-x.xx.tar.gz

At this point you should have a fresh Linux kernel untarred and ready at /usr/src/linux. Now enter the linuxbsm-x.xx directory and run the install script. This will patch your kernel and create a device in /dev.
cd linuxbsm-x.xx; ./Install

1.2 Compiling the Kernel

Now you need to go recompile and install the newly modified kernel. See the Kernel-HOWTO for details. If this mirror is down for some reason, go to the main site at http://www.linuxdoc.org and look around there. Or try the extremely abbreviated version below:

Set up your options. Make sure to first select "Prompt for development and/or incomplete code/drivers" under "Code maturity level options" and then the BSM under "Kernel hacking," or the BSM won't show up.

cd /usr/src/linux; make config|menuconfig|xconfig
make dep

Build the kernel - you can use bzImage (which will save an image on your hard drive) or bzdisk, to try the kernel booting off of a floppy first. If you pick bzdisk, you're done - reboot and remember to build your modules!

make bzImage
cp arch/i386/boot/bzImage /boot/vmlinuz-2.2.17
cp System.map /boot/System.map-2.2.17
mkinitrd /boot/initrd-2.2.17.img 2.2.17

Edit your /etc/lilo.conf and reboot. If everything went ok, you'll want to go back and rebuild your modules for the new kernel version:

make modules; make modules_install

Again, this is just a brief summary. If you aren't familiar with this process, consult the HOWTO.

1.3 Building the Tools

Now that you have a new kernel, you need to compile the daemon (auditd) and the audit trail reader (praudit). Go back to the linuxbsm-x.xx directory and type make. Afterwards you can install the tools wherever you want, but keep in mind that the daemon currently saves audit trails to whatever directory it's run from, so putting it in /usr/sbin wouldn't be the best plan.

2 Running the BSM

2.1 Auditing

To audit, run the audit daemon, auditd. It controls the driver in the kernel and writes the collected data out to a file (an audit trail). The simplest way to run auditd is to just type it:

./auditd

The daemon will output some debugging information (and an error in the event of failure) and then tell you it has started auditing. The audit trail is in the same directory, with a filename of the form yyyymmddhhmmss.not_terminated, where yyyy is the year, mm is the month, dd the day, hh the hour, mm the minutes and ss the seconds. This is the time auditing started.
To finish auditing, just find out the daemon's process id and kill it - it will gracefully write out the remaining audit trail data and exit. The file name then changes to one of the form yyyymmddhhmmss.yyyymmddhhmmss; the end time has been appended.

The audit daemon currently accepts four command-line options, and it will only take one of those each time it is run. The options are:

-b size Sets a buffer size in K (well, thousands of bytes), from a minimum of 100 to a maximum of 1000. The default is 500.
-g gid Audits one group
-p pid Audits one process
-u uid Audits one user

2.2 Running praudit

The records inside the audit trail are saved in a binary format. In order to view these records you have to run the trail file through the praudit tool. The tool just outputs to stdout, so you'll want to redirect the output to a file like this:
./praudit yyyymmddhhmmss.yyyymmddhhmmss > output_file
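Because auditd names trails by their start and end times and leaves an unfinished trail as .not_terminated, the directory listing alone tells you whether auditing was stopped cleanly and whether there were periods with no trail at all. The script below is an added example, not part of the Linux BSM 0.6 distribution; it relies only on the file-naming convention described in section 2.1 and the praudit invocation shown above. The sample directory listing, the five-minute gap threshold and the ./praudit path are constructed for illustration.

```python
"""Inventory Linux BSM audit trails written by auditd (added example)."""
import re
import shlex
from datetime import datetime, timedelta

STAMP = "%Y%m%d%H%M%S"                     # yyyymmddhhmmss as used in trail names
TRAIL_RE = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)$")

# Constructed directory listing: three closed trails, one open trail and
# three files that are not trails at all.
SAMPLE_DIR_LISTING = [
    "20001120090000.20001120170000",
    "20001121090000.20001121120000",
    "20001121120200.20001121170000",   # restarted two minutes after the previous trail
    "20001122090000.not_terminated",   # daemon still running, or killed ungracefully
    "auditd", "praudit", "output_file",
]


def parse_trail(name):
    """Return (start, end) datetimes for a trail name, or None if it is not a trail.

    end is None for a trail auditd has not terminated yet.
    """
    m = TRAIL_RE.match(name)
    if not m:
        return None
    start = datetime.strptime(m.group(1), STAMP)
    end = None if m.group(2) == "not_terminated" else datetime.strptime(m.group(2), STAMP)
    if end is not None and end < start:
        raise ValueError("end time precedes start time: %s" % name)
    return start, end


def inventory(names, max_gap=timedelta(minutes=5)):
    """Classify trail names and locate periods with no audit coverage.

    Returns a dict with the closed trails (name, start, end, duration) sorted by
    start time, the names still marked not_terminated, the gaps longer than
    max_gap between one trail's end and the next trail's start, and the names
    that were ignored because they are not trails.
    """
    closed, still_open, ignored = [], [], []
    for name in names:
        parsed = parse_trail(name)
        if parsed is None:
            ignored.append(name)
            continue
        start, end = parsed
        if end is None:
            still_open.append(name)
        else:
            closed.append((name, start, end, end - start))
    closed.sort(key=lambda t: t[1])
    gaps = []
    for prev, nxt in zip(closed, closed[1:]):
        gap = nxt[1] - prev[2]            # next start minus previous end
        if gap > max_gap:
            gaps.append((prev[0], nxt[0], gap))
    return {"closed": closed, "open": still_open, "gaps": gaps, "ignored": ignored}


def praudit_command(name, output_file, praudit="./praudit"):
    """Build the shell command from section 2.2 for dumping one trail to a text file."""
    if parse_trail(name) is None:
        raise ValueError("not an audit trail name: %s" % name)
    return "%s %s > %s" % (shlex.quote(praudit), shlex.quote(name), shlex.quote(output_file))


def report(names):
    """Human-readable summary lines for a directory of trails."""
    inv = inventory(names)
    lines = []
    for name, start, end, duration in inv["closed"]:
        lines.append("closed %s  %s -> %s  (%s)" % (name, start, end, duration))
    for name in inv["open"]:
        lines.append("OPEN   %s  auditd still running or not killed cleanly" % name)
    for prev, nxt, gap in inv["gaps"]:
        lines.append("GAP    %s of no auditing between %s and %s" % (gap, prev, nxt))
    return lines


if __name__ == "__main__":
    import os
    import sys
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIR_LISTING
    print("\n".join(report(names)))
```

Run it with the directory auditd was started from as its argument (it uses the constructed listing when given none). A trail that stays .not_terminated after the daemon is gone means the remaining buffered records were never flushed, and any long gap between consecutive trails is a window in which nothing was audited; both are worth checking before trusting what praudit shows you.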

Last modified 11/22/00 banford@cs.ucdavis.edu