Re: HIDS recommendations?
Samhain?
Never tried it, but looked at it a few times.
Cheers,
Eric
On Sat, Jul 11, 2009 at 08:18:38PM -0400, Andrew Reid wrote:
>
> Hi all --
>
> I run a small network of several hosts, mostly Debian, and
> I've become frustrated with the host-based intrustion detection
> system I'm using. It works, but the GUI tools is very slow,
> and package/security updates generate a lot of noise. We're
> expanding the number of hosts we monitor, and it seems to be
> scaling poorly.
>
> In my ideal world, I'd like a Debian-smart integrity
> checker.
>
> Basic features:
>
> - FOSS. I don't mind paying money for support or docs,
> but I'd like the code to be open.
> - Separate central monitoring host, integrity agents on
> client hosts.
> - Tunable/configurable to ignore rapidly-changing files,
> give low-severity for enlarged/rotated log files,
> good SUID and world-writable detection.
>
>
> Desirable features:
>
> - A fast, intuitive GUI that lets me isolate false positives
> quickly (you can never tune these things perfectly),
> and preferrably allows browsing by directory tree.
>
>
> Dream feature:
>
> - Debian-smart, so when I do security updates, it automatically
> white-lists the files changed by the package manager, and
> doesn't bug me about them.
>
> I have direct experience with Samhain/Beltane/Yule, tripwire,
> and recently road-tested ossec. They all do the basic features,
> and S/B/Y and ossec have web-based GUI interfaces, but they seem
> clunky to me, and scale poorly -- I end up manually scanning huge
> lists of violations by eye, looking for the change that's *not* in
> the /usr/changed-package/zillion-files tree, which is error-prone.
>
> Searching the Debian package lists, I see references to "osiris"
> "aide", and "prelude", although prelude appears to be more of a
> combined log-analyzer and network IDS, and what I really want is a
> file-system integrity tool.
>
> A good GUI for tripwire might meet the need, and I'd also be
> interested in people's experience with other tools, particulary for
> monitoring about 50 hosts.
>
> -- A.
>
> --
> Andrew Reid / reidac@bellatlantic.net
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
--
Eric Gerlach, Network Administrator
Federation of Students
University of Waterloo
p: (519) 888-4567 x36329
e: egerlach@feds.uwaterloo.ca
Reply to: