[CentOS] AIDE or OSSEC on CentOS 5.4 x86_64?
Rob Kampen
rkampen at kampensonline.com
Sun Nov 29 14:55:46 UTC 2009
David McGuffey wrote:
> Starting with a fresh load and after I finish hardening the load
> following the Center for Internet Security (CIS) guidance, I'm wondering
> whether AIDE or OSSEC would be a better intrusion detection system.
>
> I installed AIDE and did a quick test of AIDE and after initializing the
> db and applying the recent cups update, I found that 1700+ files had
> changed. Those are a lot of changes to wade through to determine if
> they are legit or not. If that is all that AIDE can do, then it is not
> "manageable."
>
> Seems to me that any IDS must be tied to the yum update process so that
> one is not dealing with hundreds/thousands of changes that were brought
> in by a yum update that I choose to apply.
>
> Is OSSEC any less noisy?
>
> DaveM
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
I run both of these on my servers.
AIDE is noisy, however it is simple to scroll through the list of files
that it shows and determine that the folders with all the changes relate
to the yum update or install that I know about. After a yum update, I
run another aide --init and cp the new db over the old one - I do this
once a week after the logrotate takes place, thus most days have only
two ~ ten files to look at.
BUT the real outcome is I get to sleep easy knowing that something will
know about every file change.
OSSEC can also be noisy but it also adds some other useful monitoring
and emails me when certain events occur.
Most of these event I know about, thus I delete the email and life is
good. The real benefit is that if the number of log messages suddenly
grows I get warned, if I get 10 tries from one IP address to dovecot
using different hostnames I get warned etc...
I get to choose the level of response, by applying my experience and
expectations to the mix.
I do not think there is any tool you can just set and forget for IDS
functions.
HTH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rkampen.vcf
Type: text/x-vcard
Size: 196 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos/attachments/20091129/c0baa16b/attachment.vcf>
More information about the CentOS
mailing list