Re: HIDS recommendations?

To: debian-user@lists.debian.org
Subject: Re: HIDS recommendations?
From: Eric Gerlach <egerlach@feds.uwaterloo.ca>
Date: Mon, 13 Jul 2009 15:31:14 -0400
Message-id: <[🔎] 20090713193108.GA12894@wks0082.feds.uwaterloo.ca>
In-reply-to: <[🔎] 200907112018.39022.reidac@bellatlantic.net>
References: <[🔎] 200907112018.39022.reidac@bellatlantic.net>

Samhain?

Never tried it, but looked at it a few times.

Cheers,

Eric

On Sat, Jul 11, 2009 at 08:18:38PM -0400, Andrew Reid wrote:
> 
>   Hi all --
> 
>   I run a small network of several hosts, mostly Debian, and 
> I've become frustrated with the host-based intrustion detection 
> system I'm using.  It works, but the GUI tools is very slow,
> and package/security updates generate a lot of noise.  We're
> expanding the number of hosts we monitor, and it seems to be
> scaling poorly.
> 
>   In my ideal world, I'd like a Debian-smart integrity
> checker.
> 
>   Basic features:
> 
>  - FOSS.  I don't mind paying money for support or docs,
>      but I'd like the code to be open.
>  - Separate central monitoring host, integrity agents on 
>      client hosts.
>  - Tunable/configurable to ignore rapidly-changing files,
>      give low-severity for enlarged/rotated log files,
>      good SUID and world-writable detection.
> 
>   
>   Desirable features:
> 
>   - A fast, intuitive GUI that lets me isolate false positives
>       quickly (you can never tune these things perfectly),
>       and preferrably allows browsing by directory tree.
> 
> 
>   Dream feature:
> 
>   - Debian-smart, so when I do security updates, it automatically
>       white-lists the files changed by the package manager, and  
>       doesn't bug me about them.
> 
>   I have direct experience with Samhain/Beltane/Yule, tripwire,
> and recently road-tested ossec.  They all do the basic features,
> and S/B/Y and ossec have web-based GUI interfaces, but they seem 
> clunky to me, and scale poorly -- I end up manually scanning huge
> lists of violations by eye, looking for the change that's *not* in 
> the /usr/changed-package/zillion-files tree, which is error-prone.
> 
>   Searching the Debian package lists, I see references to "osiris"
> "aide", and "prelude", although prelude appears to be more of a 
> combined log-analyzer and network IDS, and what I really want is a
> file-system integrity tool.  
> 
>   A good GUI for tripwire might meet the need, and I'd also be 
> interested in people's experience with other tools, particulary for 
> monitoring about 50 hosts.
> 
> 					-- A.
> 
> -- 
> Andrew Reid / reidac@bellatlantic.net
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
Eric Gerlach, Network Administrator
Federation of Students
University of Waterloo
p: (519) 888-4567 x36329
e: egerlach@feds.uwaterloo.ca

Reply to:

References:
- HIDS recommendations?
  - From: Andrew Reid <reidac@bellatlantic.net>

Prev by Date: Re: a tool that allows to continue copying between HDDs
Next by Date: Re: lvm2 - question about pvmove
Previous by thread: HIDS recommendations?
Next by thread: All things KDE loading slowly.........
Index(es):
- Date
- Thread