[CentOS] AIDE or OSSEC on CentOS 5.4 x86_64?

Sun Nov 29 16:05:08 UTC 2009
drew einhorn <drew.einhorn at gmail.com>

On Sun, Nov 29, 2009 at 7:55 AM, Rob Kampen <rkampen at kampensonline.com> wrote:

> David McGuffey wrote:
>
>> Starting with a fresh load and after I finish hardening the load
>> following the Center for Internet Security (CIS) guidance, I'm wondering
>> whether AIDE or OSSEC would be a better intrusion detection system.
>>
>> I installed AIDE and did a quick test of AIDE and after initializing the
>> db and applying the recent cups update, I found that 1700+ files had
>> changed.  Those are a lot of changes to wade through to determine if
>> they are legit or not. If that is all that AIDE can do, then it is not
>> "manageable."
>>
>> Seems to me that any IDS must be tied to the yum update process so that
>> one is not dealing with hundreds/thousands of changes that were brought
>> in by a yum update that I choose to apply.
>>
>> Is OSSEC any less noisy?
>>
>> DaveM
>>
>>
>>
Also, check out http://ftimes.sourceforge.net/FTimes/index.shtml

Even if you choose another tool, I recommend reading their paper.
http://ftimes.sourceforge.net/FTimes/Papers.shtml

And the related tools hashdig and XMagic are worth a look.


>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
> I run both of these on my servers.
> AIDE is noisy, however it is simple to scroll through the list of files
> that it shows and determine that the folders with all the changes relate to
> the yum update or install that I know about. After a yum update, I run
> another aide --init and cp the new db over the old one - I do this once a
> week after the logrotate takes place, thus most days have only two ~ ten
> files to look at.
> BUT the real outcome is I get to sleep easy knowing that something will
> know about every file change.
> OSSEC can also be noisy but it also adds some other useful monitoring and
> emails me when certain events occur.
> Most of these events I know about, thus I delete the email and life is good.
> The real benefit is that if the number of log messages suddenly grows I get
> warned, if I get 10 tries from one IP address to dovecot using different
> hostnames I get warned etc...
> I get to choose the level of response, by applying my experience and
> expectations to the mix.
> I do not think there is any tool you can just set and forget for IDS
> functions.
> HTH
>


-- 
Drew Einhorn
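DaveM's point that the IDS has to be tied to the yum update, and Rob's routine of re-initialising AIDE after each update, both come down to separating changes the update explains from changes it does not. The script below does that split; it is an added example, not code from this thread or from the AIDE or FTimes projects. It assumes AIDE summary lines of the form "changed: /path" (adjust the regex for your version) and uses "rpm -ql" on the updated packages as the source of expected paths; the sample report and package file list are constructed.

```python
import re
import subprocess

# AIDE summary lines are assumed to look like "changed: /path"; adjust for your version.
AIDE_LINE = re.compile(r"^(added|changed|removed):\s+(\S+)$")
# Paths that churn on every yum run (normally also excluded in aide.conf).
UPDATE_CHURN = ("/var/lib/rpm/", "/var/cache/yum/", "/var/log/yum.log")

def parse_aide_report(report_text):
    """Return {path: kind} for every file AIDE flagged in the report."""
    flagged = {}
    for line in report_text.splitlines():
        m = AIDE_LINE.match(line.strip())
        if m:
            flagged[m.group(2)] = m.group(1)
    return flagged

def rpm_owned_files(packages):
    """Files owned by the packages yum just updated, via 'rpm -ql'."""
    out = subprocess.check_output(["rpm", "-ql"] + list(packages))
    return set(out.decode().split())

def explained_by_update(path, updated_files):
    """True if the update accounts for this path, including the .rpmnew/.rpmsave
    copies rpm leaves beside a packaged config file you had edited."""
    if path in updated_files or path.startswith(UPDATE_CHURN):
        return True
    for suffix in (".rpmnew", ".rpmsave"):
        if path.endswith(suffix) and path[:-len(suffix)] in updated_files:
            return True
    return False

def classify(flagged, updated_files):
    """Split AIDE findings into those the update explains and the rest. The
    'expected' set still deserves 'rpm -V': a path match does not prove the
    new content is what the package shipped."""
    expected, unexpected = {}, {}
    for path, kind in flagged.items():
        (expected if explained_by_update(path, updated_files) else unexpected)[path] = kind
    return expected, unexpected

# Constructed sample report after 'yum update cups', and a constructed rpm -ql stand-in.
SAMPLE_REPORT = """\
changed: /usr/sbin/cupsd
changed: /usr/lib64/libcups.so.2
added: /etc/cups/cupsd.conf.rpmnew
changed: /var/lib/rpm/Packages
changed: /root/.ssh/authorized_keys
"""
SAMPLE_UPDATED = {"/usr/sbin/cupsd", "/usr/lib64/libcups.so.2", "/etc/cups/cupsd.conf"}
```

In practice run it right after the update, before the "aide --init" and database copy, so that only the "unexpected" list needs a human look and the new baseline is not taken until that list is empty.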