HIDS recommendations?
Hi all --
I run a small network of several hosts, mostly Debian, and
I've become frustrated with the host-based intrustion detection
system I'm using. It works, but the GUI tools is very slow,
and package/security updates generate a lot of noise. We're
expanding the number of hosts we monitor, and it seems to be
scaling poorly.
In my ideal world, I'd like a Debian-smart integrity
checker.
Basic features:
- FOSS. I don't mind paying money for support or docs,
but I'd like the code to be open.
- Separate central monitoring host, integrity agents on
client hosts.
- Tunable/configurable to ignore rapidly-changing files,
give low-severity for enlarged/rotated log files,
good SUID and world-writable detection.
Desirable features:
- A fast, intuitive GUI that lets me isolate false positives
quickly (you can never tune these things perfectly),
and preferrably allows browsing by directory tree.
Dream feature:
- Debian-smart, so when I do security updates, it automatically
white-lists the files changed by the package manager, and
doesn't bug me about them.
I have direct experience with Samhain/Beltane/Yule, tripwire,
and recently road-tested ossec. They all do the basic features,
and S/B/Y and ossec have web-based GUI interfaces, but they seem
clunky to me, and scale poorly -- I end up manually scanning huge
lists of violations by eye, looking for the change that's *not* in
the /usr/changed-package/zillion-files tree, which is error-prone.
Searching the Debian package lists, I see references to "osiris"
"aide", and "prelude", although prelude appears to be more of a
combined log-analyzer and network IDS, and what I really want is a
file-system integrity tool.
A good GUI for tripwire might meet the need, and I'd also be
interested in people's experience with other tools, particulary for
monitoring about 50 hosts.
-- A.
--
Andrew Reid / reidac@bellatlantic.net
Reply to: