Re: AIDE or OSSEC on CentOS 5.4 x86_64?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]





On Sun, Nov 29, 2009 at 7:55 AM, Rob Kampen <rkampen@xxxxxxxxxxxxxxxxx> wrote:
David McGuffey wrote:
Starting with a fresh load and after I finish hardening the load
following the Center for Internet Security (CIS) guidance, I'm wondering
whether AIDE or OSSEC would be a better intrusion detection system.

I installed AIDE and did a quick test of AIDE and after initializing the
db and applying the recent cups update, I found that 1700+ files had
changed.  Those are a lot of changes to wade through to determine if
they are legit or not. If that is all that AIDE can do, then it is not
"manageable."

Seems to me that any IDS must be tied to the yum update process so that
one is not dealing with hundreds/thousands of changes that were brought
in by a yum update that I choose to apply.

Is OSSEC any less noisy?

DaveM



Also, check out http://ftimes.sourceforge.net/FTimes/index.shtml

Even if you choose another tool, I recommend reading their paper.
http://ftimes.sourceforge.net/FTimes/Papers.shtml

And the related tools hashdig and XMagic are worth a look.
 
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
 
I run both of these on my servers.
AIDE is noisy, however it is simple to scroll through the list of files that it shows and determine that the folders with all the changes relate to the yum update or install that I know about. After a yum update, I run another aide --init and cp the new db over the old one - I do this once a week after the logrotate takes place, thus most days have only two ~ ten files to look at.
BUT the real outcome is I get to sleep easy knowing that something will know about every file change.
OSSEC can also be noisy but it also adds some other useful monitoring and emails me when certain events occur.
Most of these event I know about, thus I delete the email and life is good. The real benefit is that if the number of log messages suddenly grows I get warned, if I get 10 tries from one IP address to dovecot using different hostnames I get warned etc...
I get to choose the level of response, by applying my experience and expectations to the mix.
I do not think there is any tool you can just set and forget for IDS functions.
HTH

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




--
Drew Einhorn
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux