BSMtrace is a utility that processes audit trails, or real-time audit feeds provided by audit pipes. It loads a set of finite state machines or sequences from the supplied configuration file and watches the audit streams for instances of these sequences. For more information, the example bsmtrace.conf file should be reviewed.
The underlying premise behind bsmtrace is that the user can specify sequences of events that are common after or during system compromise. These might include things like:
-
A subject having 50 failed, then one successful login over the course of a week. Something you might expect to find during an SSH brute force.
-
User "nobody" creating files outside of /usr/local/www
-
User "nobody" executing administrative utilities, or utilities like
id(1)
to determine which level of privilege has been acquired -
Detect the execution of common shellcode where certain sequences don't normally appear, for example, the typical execution pattern of bind when it services a DNS request might be:
[1] recvmsg(2)
[2] sendmsg(2)
[1] recvmsg(2)
[2] sendmsg(2)
.
.
.
When the return address of the stack is over-written during a buffer overflow attack, the execution pattern of the process will change, resulting in the execution of system calls outside it's regular sequence:
[1] recvmsg
o buffer overflow is exploited, and now the execution pattern might look
something like this:
[2] socket
[3] bind
[4] listen
[5] accept
[6] dup2
[7] exec
- Users or groups of users executing utilities, looking at (or attempting) files they shouldn't be.
Because bsmtrace acquires it's information from the audit stream, we can be reasonably certain that we can trust the data. Unlike syslog, the BSM audit framework targets Commmon Criteria (CC) requirements, to help ensure that the audit trail is robust, protected and maintains high levels of integrity.
For more information on the security auditing framework see:
A complete EBNF specification (bsmtrace.ebnf) for the policy configuration engine has been included with this source code archive.
Currently, we BSMtrace is built using a basic Makefile. As more platforms are supported, this might change. Currently libpcre is required as a build dep.
On OS X you can install it using home brew
% brew install pcre
Or on FreeBSD, you can use ports or pkg to install it. Then:
% make
To install:
% make install
The following organizations and individuals have contributed to the development of BSMtrace (in alphabetical order):
- Aaron L. Meihm
- Christian S.J. Peron
- Mak Kolybabi
- Marius Halden
- Seccuris Labs
Please report any bugs or comments to: