On Sun, Nov 29, 2009 at 9:55 AM, Rob Kampen <rkampen at kampensonline.com> wrote: > David McGuffey wrote: >> >> Starting with a fresh load and after I finish hardening the load >> following the Center for Internet Security (CIS) guidance, I'm wondering >> whether AIDE or OSSEC would be a better intrusion detection system. >> >> I installed AIDE and did a quick test of AIDE and after initializing the >> db and applying the recent cups update, I found that 1700+ files had >> changed. Those are a lot of changes to wade through to determine if >> they are legit or not. If that is all that AIDE can do, then it is not >> "manageable." >> >> Seems to me that any IDS must be tied to the yum update process so that >> one is not dealing with hundreds/thousands of changes that were brought >> in by a yum update that I choose to apply. >> >> Is OSSEC any less noisy? >> >> DaveM >> >> > I run both of these on my servers. > AIDE is noisy, however it is simple to scroll through the list of files that > it shows and determine that the folders with all the changes relate to the > yum update or install that I know about. After a yum update, I run another > aide --init and cp the new db over the old one - I do this once a week after > the logrotate takes place, thus most days have only two ~ ten files to look > at. > BUT the real outcome is I get to sleep easy knowing that something will know > about every file change. > OSSEC can also be noisy but it also adds some other useful monitoring and > emails me when certain events occur. > Most of these event I know about, thus I delete the email and life is good. > The real benefit is that if the number of log messages suddenly grows I get > warned, if I get 10 tries from one IP address to dovecot using different > hostnames I get warned etc... > I get to choose the level of response, by applying my experience and > expectations to the mix. > I do not think there is any tool you can just set and forget for IDS > functions. > HTH > It should also be mentioned that all these tools do is look for changes to files. Using them them as an IDS is only a matter of how you choose to perceive the reports that are generated. They can and should also easily be used for configuration management (monitoring systems for unauthorized changes), and can play a big role in generating an audit trail of changes made on a system. This is also why you can't "set and forget". The intended use for the reports happens on the user side, not the tech side.