[CentOS] AIDE or OSSEC on CentOS 5.4 x86_64?

Sun Nov 29 04:11:32 UTC 2009
Brian Mathis <brian.mathis at gmail.com>

On Sat, Nov 28, 2009 at 6:57 PM, David McGuffey
<davidmcguffey at verizon.net> wrote:
> Starting with a fresh load and after I finish hardening the load
> following the Center for Internet Security (CIS) guidance, I'm wondering
> whether AIDE or OSSEC would be a better intrusion detection system.
>
> I installed AIDE and did a quick test of AIDE and after initializing the
> db and applying the recent cups update, I found that 1700+ files had
> changed.  Those are a lot of changes to wade through to determine if
> they are legit or not. If that is all that AIDE can do, then it is not
> "manageable."
>
> Seems to me that any IDS must be tied to the yum update process so that
> one is not dealing with hundreds/thousands of changes that were brought
> in by a yum update that I choose to apply.
>
> Is OSSEC any less noisy?
>
> DaveM


When you are first installing any IDS (I am using AIDE), you need to
give a few days to shake things out.  You need to start from a known
secure state, which is presumably what you have just after an install.
If you just installed AIDE and it found 1700+ files "changed", then
you should be able to safely assume that all of those changes are
expected and acknowledge them.  If you can't make that assumption,
then you have bigger problems.

You definitely do not want an IDS tied in with yum, as that would
defeat much of the purpose of an IDS.  The whole point is for it to
pick up files that changed.  If things are changing without your
explicit say-so and knowledge, then you have a problem.  If there were
a way for a package to communicate to the IDS to say "this change is
fine, ignore it", then every single exploit would just do that.

What you need is a process, not a technical solution.  Make sure that
running the AIDE update is the next step after you install or update a
package. Run the AIDE check nightly and review the output every day.
Make sure the output matches anything you specifically did the day
before, or things you expect, such as updates to /etc/shadow when
someone changes their password.

There's no way for the computer to know whether a change is right or
wrong, so you must always review it with human eyes.
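The review step of the process Brian describes, as an added example that is not from the thread or the AIDE project: a small POSIX sh helper that splits a nightly `aide --check` report into changes you already expected (the package you updated, /etc/shadow after a password change) and the ones that still need human eyes. It assumes the `added:/removed:/changed: /path` report lines of AIDE 0.13 (the CentOS 5 package; newer releases print a different layout), the stock CentOS 5 database paths, and an `EXPECTED` file you maintain yourself.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the "added:/removed:/changed:
# /path" report lines printed by AIDE 0.13 (CentOS 5); newer releases use a
# different layout. EXPECTED is a file you maintain: one path per line that
# you changed deliberately (a path ending in / covers everything below it),
# for example /etc/shadow after a password change. '#' comments are allowed.

# Return 0 if PATH ($1) is listed in the EXPECTED file ($2), 1 otherwise.
path_is_expected() {
    p="$1"
    while IFS= read -r e; do
        case "$e" in ''|\#*) continue ;; esac
        [ "$p" = "$e" ] && return 0
        case "$e" in
            */) case "$p" in "$e"*) return 0 ;; esac ;;
        esac
    done < "$2"
    return 1
}

# Print every reported change in REPORT ($1) that EXPECTED ($2) does not
# cover; these are the lines that still need a human look.
review_aide_report() {
    grep -E '^(added|removed|changed): ' "$1" | while IFS= read -r line; do
        path_is_expected "${line#*: }" "$2" || printf '%s\n' "$line"
    done
}

# Exit 0 only when every reported change was expected.
aide_changes_all_expected() {
    [ -z "$(review_aide_report "$1" "$2")" ]
}

# The "next step after you install or update a package": re-baseline.
# Assumes database_out=/var/lib/aide/aide.db.new.gz and
# database=/var/lib/aide/aide.db.gz, as in the stock CentOS 5 aide.conf.
after_package_change() {
    aide --update
    mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
}

# Nightly use from cron:  aide --check > /var/log/aide/today.txt  and then
#   sh review.sh /var/log/aide/today.txt /root/aide.expected
# (exit status 1 means something unexpected was printed and must be reviewed).
if [ "$#" -eq 2 ]; then
    review_aide_report "$1" "$2"
    aide_changes_all_expected "$1" "$2" || exit 1
fi
```

Rebuild the EXPECTED file each day from what you actually did; anything the script prints is, by construction, a change nobody accounted for.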