Hey gang, I was talking to Mike McGrath the other day on IRC and inquired about the project's use of an IDS. Mike mentioned that the project currently employs only hosts.deny type stuff. I recently set up aide for use on a personal server, but it looked flexible enough for use in a more robust type of environment. The idea behind this write-up is to see what others think about employing something like this and to give an idea of what aide in particular is capable of.

The Name: AIDE (Advanced Intrusion Detection Environment)

What it Does: Constructs a database of files as specified in the configuration file (aide.conf). The database stores file attributes including permissions, inode number, user, group, file size, mtime, ctime, atime, growing size, number of links and link name. Based on options specified at compile time, acl, xattr and selinux attributes can be stored as well. When initialized and when checks are run, aide creates a crypto checksum/hash of each file watched using any number of algorithms (e.g. sha1, sha256, etc.).

The Config File: This is where the directories/files to be watched (and what in particular is watched on those files), the directories/files to be excluded, and the reporting options (default goes to /var/log/aide/aide.log) are specified.

Misc. Notes:
* Postgres can be used to store databases.
* For usage in multiple-machine environments, the database can be stored in a central location and aide run with --compare to limit resource hogging.
* The database and config file can be signed; this makes it so that if a change is manually made to either file, aide will refuse to use it, as the signature will have been voided.
* Aide can be run with --update, which will create a new database; however, it doesn't take effect until manually copied to the check database. This allows updates to be frequently tracked but not put into the check database.

The main weakness I noted was in the reporting capabilities.
According to the config file notes, reporting can be done via stdout, stdin, stderr, file://, fd: (file descriptor). I only have the one machine, and it runs a pretty vanilla config as I don't do anything too fancy with it. With the config I have, it seems to work as advertised. So there it is, thoughts?

Regards,
Jason
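To make the pieces above concrete (rule groups built from the attributes listed, --init, promoting the new database into the check database, --check, --update and --compare), here is an added example that is not part of Jason's post or of AIDE's own documentation; AIDE_ROOT, the rule names and the database_new key are assumptions for illustration:

```shell
#!/bin/sh
# Added example (not from the post): a single-host AIDE cycle. AIDE_ROOT,
# the rule names and the database_new key are assumptions for illustration.
set -e
AIDE_ROOT="${AIDE_ROOT:-/tmp/aide-demo}"
CONF="$AIDE_ROOT/aide.conf"

# Write a minimal aide.conf: database locations, report targets, and which
# attributes each watched path is checked for.
write_conf() {
    mkdir -p "$AIDE_ROOT/db" "$AIDE_ROOT/log"
    cat > "$CONF" <<EOF
# database is read by --check; database_out is written by --init / --update;
# database_new is the second database that --compare diffs against
database=file:$AIDE_ROOT/db/aide.db.gz
database_out=file:$AIDE_ROOT/db/aide.db.new.gz
database_new=file:$AIDE_ROOT/db/aide.db.new.gz
gzip_dbout=yes
report_url=file:$AIDE_ROOT/log/aide.log
report_url=stdout
# attribute letters: p perms, i inode, n link count, u/g owner, s size,
# S growing size, m mtime, c ctime, l link target, sha256 content hash
# (a, atime, is left out so plain reads do not show up as changes)
NORMAL = p+i+n+u+g+s+m+c+l+sha256
LOG    = p+u+g+n+S
/etc   NORMAL
/bin   NORMAL
!/etc/mtab
/var/log LOG
EOF
}

# A fresh database (from --init or --update) is only used once it is
# copied over the check database, so promotion is a deliberate step.
promote_db() {
    cp "$AIDE_ROOT/db/aide.db.new.gz" "$AIDE_ROOT/db/aide.db.gz"
}

write_conf
if command -v aide >/dev/null 2>&1; then
    aide --config="$CONF" --init                # baseline goes to database_out
    promote_db                                  # now it is the check database
    aide --config="$CONF" --check   || echo "drift detected, exit $?"
    aide --config="$CONF" --update  || true     # new db.new, baseline untouched
    aide --config="$CONF" --compare || true     # baseline vs the updated db
fi
```

Run as root on a real host the --check and --compare output lands both on stdout and in the configured aide.log.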
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list