On Sat, Nov 28, 2009 at 6:57 PM, David McGuffey <davidmcguffey at verizon.net> wrote: > Starting with a fresh load and after I finish hardening the load > following the Center for Internet Security (CIS) guidance, I'm wondering > whether AIDE or OSSEC would be a better intrusion detection system. > > I installed AIDE and did a quick test of AIDE and after initializing the > db and applying the recent cups update, I found that 1700+ files had > changed. Those are a lot of changes to wade through to determine if > they are legit or not. If that is all that AIDE can do, then it is not > "manageable." > > Seems to me that any IDS must be tied to the yum update process so that > one is not dealing with hundreds/thousands of changes that were brought > in by a yum update that I choose to apply. > > Is OSSEC any less noisy? > > DaveM When you are first installing any IDS (I am using AIDE), you need to give a few days to shake things out. You need to start from a known secure state, which is presumably what you have just after an install. If you just installed AIDE and it found 1700+ files "changed", then you should be able to safely assume that all of those changes are expected and acknowledge them. If you can't make that assumption, then you have bigger problems. You definitely do not want an IDS tied in with yum, as that would defeat much of the purpose of an IDS. The whole point is for it to pickup files that changed. If things are changing without your explicit sayso and knowledge, then you have a problem. If there were a way for a package to communicate to the IDS to say "this change is fine, ignore it", then every single exploit would just do that. What you need is a process, not a technical solution. Make sure that running the AIDE update is the next step after you install or update a package. Run the AIDE check nightly and review the output every day. Make sure the output matches anything you specifically did the day before, or things you expect, such as updates to /etc/shadow when someone changes their password. There's no way for the computer to know whether a change is right or wrong, so you must always review it with human eyes.