On Sat, 2009-11-28 at 18:57 -0500, David McGuffey wrote: > Starting with a fresh load and after I finish hardening the load > following the Center for Internet Security (CIS) guidance, I'm wondering > whether AIDE or OSSEC would be a better intrusion detection system. > > I installed AIDE and did a quick test of AIDE and after initializing the > db and applying the recent cups update, I found that 1700+ files had > changed. Those are a lot of changes to wade through to determine if > they are legit or not. If that is all that AIDE can do, then it is not > "manageable." > > Seems to me that any IDS must be tied to the yum update process so that > one is not dealing with hundreds/thousands of changes that were brought > in by a yum update that I choose to apply. > > Is OSSEC any less noisy? > More so as far as I can tell. Don't forget that prelinking will cause files to regularly change their hash value whether they have been updated or not. Aide does have a patch to cater for prelinking (as far as I know it is not in the current release so you'll have to search their archives for it). OSSEC does not know about prelinking, so will frequently report files having changed. Shameless plug: You could take a look at rootkit hunter (http://sourceforge.net/projects/rkhunter/), its file properties test knows about prelinking and can use the local RPM database to verify files, so an updated file won't be flagged as having changed unless someone has deliberately changed it. Another alternative is Samhain. As far as I remember it can handle prelinking, but will report updated files as having been changed. John. -- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001