Re: HIDS recommendations?
- From: Eric Gerlach <egerlach@xxxxxxxxxxxxxxxxx>
- Date: Mon, 13 Jul 2009 15:31:14 -0400
Samhain?
Never tried it, but looked at it a few times.
Cheers,
Eric
On Sat, Jul 11, 2009 at 08:18:38PM -0400, Andrew Reid wrote:
Hi all --
I run a small network of several hosts, mostly Debian, and
I've become frustrated with the host-based intrusion detection
system I'm using. It works, but the GUI tools are very slow,
and package/security updates generate a lot of noise. We're
expanding the number of hosts we monitor, and it seems to be
scaling poorly.
In my ideal world, I'd like a Debian-smart integrity
checker.
Basic features:
- FOSS. I don't mind paying money for support or docs,
but I'd like the code to be open.
- Separate central monitoring host, integrity agents on
client hosts.
- Tunable/configurable to ignore rapidly-changing files,
give low-severity for enlarged/rotated log files,
good SUID and world-writable detection.
Desirable features:
- A fast, intuitive GUI that lets me isolate false positives
quickly (you can never tune these things perfectly),
and preferably allows browsing by directory tree.
Dream feature:
- Debian-smart, so when I do security updates, it automatically
white-lists the files changed by the package manager, and
doesn't bug me about them.
I have direct experience with Samhain/Beltane/Yule, tripwire,
and recently road-tested ossec. They all do the basic features,
and S/B/Y and ossec have web-based GUI interfaces, but they seem
clunky to me, and scale poorly -- I end up manually scanning huge
lists of violations by eye, looking for the change that's *not* in
the /usr/changed-package/zillion-files tree, which is error-prone.
Searching the Debian package lists, I see references to "osiris"
"aide", and "prelude", although prelude appears to be more of a
combined log-analyzer and network IDS, and what I really want is a
file-system integrity tool.
A good GUI for tripwire might meet the need, and I'd also be
interested in people's experience with other tools, particularly for
monitoring about 50 hosts.
-- A.
--
Andrew Reid / reidac@xxxxxxxxxxxxxxxx
--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
--
Eric Gerlach, Network Administrator
Federation of Students
University of Waterloo
p: (519) 888-4567 x36329
e: egerlach@xxxxxxxxxxxxxxxxx
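The "Debian-smart" whitelisting Andrew asks for can be approximated by checking a changed file against the md5sums dpkg records for its package in /var/lib/dpkg/info/<pkg>.md5sums: a change whose new content matches dpkg's record is a package update and can be reported at low severity, while anything else stays high. The script below is an added illustration written for this thread; it is not code from Samhain, AIDE, OSSEC or the thread's authors. It assumes the dpkg md5sums line format ("<md5>  <path without leading slash>"), and the filesystem tree, the package md5sums and the sequence of changes are all constructed in a temporary directory so it runs offline. Growth of files under var/log/ is treated as low-severity noise, and new setuid/setgid or world-writable files are flagged regardless of content.

```python
"""Minimal dpkg-aware integrity triage (added example, not a real HIDS).

Baseline and current filesystem snapshots are compared; a changed file is
downgraded to low severity only if its new md5 matches what dpkg recorded
for the owning package.  Everything runs in a temp dir on constructed data.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

LOG_PREFIXES = ("var/log/",)  # assumption: growth here is expected, not a violation


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_dpkg_md5sums(info_dir: Path) -> dict:
    """Parse <pkg>.md5sums files ('md5  usr/bin/foo') into {path: (md5, pkg)}."""
    known = {}
    for f in sorted(info_dir.glob("*.md5sums")):
        pkg = f.name[: -len(".md5sums")]
        for line in f.read_text().splitlines():
            if line.strip():
                digest, rel = line.split("  ", 1)
                known[rel] = (digest, pkg)
    return known


def snapshot(root: Path) -> dict:
    """Map relative path -> hashes, mode and size for every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            data = p.read_bytes()
            snap[str(p.relative_to(root))] = {
                "sha256": sha256_hex(data), "md5": md5_hex(data),
                "mode": p.stat().st_mode, "size": len(data)}
    return snap


def triage(baseline: dict, current: dict, dpkg: dict) -> list:
    """Return sorted (severity, path, reason) findings."""
    findings = []
    setid = stat.S_ISUID | stat.S_ISGID
    for rel, cur in current.items():
        old = baseline.get(rel)
        change = "added" if old is None else ("modified" if old["sha256"] != cur["sha256"] else None)
        if change:
            if rel in dpkg and dpkg[rel][0] == cur["md5"]:
                findings.append(("low", rel, f"{change}; content matches dpkg md5sum for package {dpkg[rel][1]}"))
            elif change == "modified" and rel.startswith(LOG_PREFIXES) and cur["size"] > old["size"]:
                findings.append(("low", rel, "log file grew"))
            else:
                findings.append(("high", rel, f"{change}; not explained by dpkg"))
        # Permission checks are independent of content.
        if cur["mode"] & stat.S_IWOTH:
            findings.append(("high", rel, "world-writable"))
        if cur["mode"] & setid and not (old and old["mode"] & setid):
            findings.append(("high", rel, "new setuid/setgid bit"))
    for rel in baseline:
        if rel not in current:
            findings.append(("high", rel, "removed"))
    return sorted(findings)


def build_demo():
    """Constructed scenario: baseline, then a package update, tampering, log growth, a dropped setuid file."""
    tmp = Path(tempfile.mkdtemp(prefix="hids-demo-"))
    root, info = tmp / "root", tmp / "dpkg-info"  # stand-ins for / and /var/lib/dpkg/info
    for d in ("usr/bin", "var/log"):
        (root / d).mkdir(parents=True)
    info.mkdir()
    (root / "usr/bin/ssh").write_bytes(b"ssh build 1")
    (root / "usr/bin/ls").write_bytes(b"ls build 1")
    (root / "var/log/syslog").write_bytes(b"Jul 11 20:18:38 host sshd[1]: started\n")
    (info / "coreutils.md5sums").write_text(f"{md5_hex(b'ls build 1')}  usr/bin/ls\n")
    (info / "openssh-client.md5sums").write_text(f"{md5_hex(b'ssh build 1')}  usr/bin/ssh\n")
    baseline = snapshot(root)

    # 1. Security update: the package manager replaces ssh and dpkg records the new md5sum.
    (root / "usr/bin/ssh").write_bytes(b"ssh build 2")
    (info / "openssh-client.md5sums").write_text(f"{md5_hex(b'ssh build 2')}  usr/bin/ssh\n")
    # 2. Tampering: ls replaced outside the package manager, dpkg still records build 1.
    (root / "usr/bin/ls").write_bytes(b"ls build 1 + backdoor")
    # 3. Noise: the log grew.
    with (root / "var/log/syslog").open("ab") as f:
        f.write(b"Jul 11 20:20:00 host sshd[1]: accepted\n")
    # 4. A new world-writable setuid file appeared.
    helper = root / "usr/bin/helper"
    helper.write_bytes(b"dropped")
    helper.chmod(0o4777)
    return root, info, baseline


def run_demo() -> list:
    root, info, baseline = build_demo()
    return triage(baseline, snapshot(root), load_dpkg_md5sums(info))


if __name__ == "__main__":
    for sev, rel, why in run_demo():
        print(f"{sev:4s} {rel:16s} {why}")
```

Two caveats if this is pointed at a real host. The md5sums files live on the monitored machine and are unsigned, so anyone with root can rewrite them along with the binary; for a trusted reference, take the md5sums from the original .deb (or a mirror) on the central host rather than from the client. Conffiles are not listed in the md5sums files, so edits under /etc will always show up as unexplained, which is usually what you want. Newer dpkg releases also ship a built-in `dpkg --verify` that performs the same md5 comparison against the installed files.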
- References:
- HIDS recommendations?
- From: Andrew Reid