[CentOS] AIDE or OSSEC on CentOS 5.4 x86_64?

Sun Nov 29 20:31:20 UTC 2009
John Horne <john.horne at plymouth.ac.uk>

On Sat, 2009-11-28 at 18:57 -0500, David McGuffey wrote:
> Starting with a fresh load and after I finish hardening the load
> following the Center for Internet Security (CIS) guidance, I'm wondering
> whether AIDE or OSSEC would be a better intrusion detection system.
> 
> I installed AIDE and did a quick test of AIDE and after initializing the
> db and applying the recent cups update, I found that 1700+ files had
> changed.  Those are a lot of changes to wade through to determine if
> they are legit or not. If that is all that AIDE can do, then it is not
> "manageable."
> 
> Seems to me that any IDS must be tied to the yum update process so that
> one is not dealing with hundreds/thousands of changes that were brought
> in by a yum update that I choose to apply.
> 
> Is OSSEC any less noisy?
> 
More so as far as I can tell.

Don't forget that prelinking will cause files to regularly change their
hash value whether they have been updated or not. Aide does have a patch
to cater for prelinking (as far as I know it is not in the current
release so you'll have to search their archives for it). OSSEC does not
know about prelinking, so will frequently report files having changed.

Shameless plug: You could take a look at rootkit hunter
(http://sourceforge.net/projects/rkhunter/), its file properties test
knows about prelinking and can use the local RPM database to verify
files, so an updated file won't be flagged as having changed unless
someone has deliberately changed it.

Another alternative is Samhain. As far as I remember it can handle
prelinking, but will report updated files as having been changed.




John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001