Hey Jason, just a couple of ideas that may help you improve your proposal...

On Jan 2, 2008 11:38 AM, Jason <jmtaylor90@xxxxxxxxx> wrote:
> What it Does: Constructs a database of files as specified in the
> configuration file (aide.conf). The database stores file attributes
> including permissions, inode number, user, group, file size, mtime,
> ctime, atime, growing size, number of links and link name. Based on
> options specified at compile time, acl, xattr and selinux attributes can
> be stored as well. When initialized and when checks are run, aide
> creates a crypto checksum/hash of each file watched using any number of
> algorithms (e.g. sha1, sha256, etc.).

Not that this type of functionality isn't a good part of intrusion detection, but I think these days intrusion detection really has to focus on more than just watching for changes on files...

In addition, RPM already has a database that checks for all these things and knows how to do verification. A quick & dirty solution for file integrity checking could be to just run rpm -Va every night, and then keep good records of the rpm database md5sum and any package installations/upgrades/removals.

I think in the Fedora environment, intrusion detection might mean also being able to detect that host X has repeatedly tried to log in to these three machines and failed, or that Mike McGrath has logged in from a domain or IP range that he has never connected from before, or that the resource utilization of a particular service has changed drastically in the past few days because someone set up a warez site on the Fedora boxes, or that there's a lot of traffic going over network ports that we didn't know were supposed to have traffic on them... And so on and so forth. None of this stuff is covered by file integrity checking (which is still an important thing).

> The main weakness I noted was in the reporting capabilities. According
> to the config file notes, reporting can be done via stdout, stdin,
> stderr, file://, fd: (file descriptor).

Sounds like AIDE already does some postgres stuff - it might be fairly easy to have it dump more info into the DB so that one can create a simple web reporting interface using standard tools.

I remember a long time ago when I had Tripwire installed on a system, the biggest problem was that it generated a lot of false positives. A file integrity checker is only good if it generates useful low-noise results, so this makes intelligent reporting tools very important.

Best,
--
Elliot

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
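The two detection ideas raised in the thread, nightly `rpm -Va` results filtered down to low-noise findings and sshd log analysis for repeated failed logins and logins from never-before-seen source ranges, as an added example that is not part of the original post and not AIDE's or Fedora's code. The log lines and the `rpm -Va` output embedded below are constructed samples; the known-source table and the alert thresholds are assumptions an operator would tune.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd/syslog-style lines (not real Fedora logs).
SAMPLE_AUTH_LOG = """\
Jan  2 11:40:01 app1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan  2 11:40:03 app1 sshd[2101]: Failed password for root from 203.0.113.7 port 40123 ssh2
Jan  2 11:40:05 app1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Jan  2 11:41:10 app1 sshd[2140]: Accepted publickey for mmcgrath from 192.0.2.15 port 51000 ssh2
Jan  2 11:42:00 app1 sshd[2150]: Failed password for root from 198.51.100.9 port 33001 ssh2
Jan  2 11:45:12 app1 sshd[2177]: Accepted publickey for mmcgrath from 203.0.113.200 port 51010 ssh2
"""

# Constructed lines in the shape rpm -Va prints: flag string, optional file
# type marker (c = config file), then path. '5' means the digest differs,
# 'S' the size, 'T' only the mtime. Not captured from a real host.
SAMPLE_RPM_VERIFY = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/bash/README
S.5....T.    /usr/bin/ls
missing      /usr/lib/libexample.so
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
RPM_LINE_RE = re.compile(r"^(\S{8,9}|missing)\s+(?:([cdglr])\s+)?(\S+)$")

# Assumed known-good source networks per user, maintained by the operator.
KNOWN_SOURCES = {"mmcgrath": [ipaddress.ip_network("192.0.2.0/24")]}


def repeated_failures(log_text, threshold=3):
    """Return {source_ip: failure_count} for hosts at or above the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def logins_from_new_sources(log_text, known=KNOWN_SOURCES):
    """Return [(user, ip)] for accepted logins outside the user's known networks."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        user, ip = m.group(1), ipaddress.ip_address(m.group(2))
        if not any(ip in net for net in known.get(user, [])):
            alerts.append((user, str(ip)))
    return alerts


def rpm_verify_findings(verify_text):
    """Reduce rpm -Va output to content changes worth a human's attention.

    Config files ('c' marker) are expected to drift and are dropped, as are
    entries where only the mtime changed; missing files and files whose
    digest or size differs are kept.
    """
    findings = []
    for line in verify_text.splitlines():
        m = RPM_LINE_RE.match(line)
        if not m:
            continue
        flags, ftype, path = m.groups()
        if ftype == "c":
            continue
        if flags == "missing" or "5" in flags or "S" in flags:
            findings.append((path, flags))
    return findings


if __name__ == "__main__":
    print("repeated failures:", repeated_failures(SAMPLE_AUTH_LOG))
    print("new-source logins:", logins_from_new_sources(SAMPLE_AUTH_LOG))
    print("rpm findings:", rpm_verify_findings(SAMPLE_RPM_VERIFY))
```

The config-file and mtime-only filters in `rpm_verify_findings` are the kind of noise reduction the Tripwire remark is about: a nightly report that lists every touched config file gets ignored, one that lists a changed `/usr/bin/ls` digest does not.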