intrusion detection/prevention
Tom Metro
tmetro-blu-5a1Jt6qxUNc at public.gmane.org
Tue Jun 30 16:02:51 EDT 2009
ref wrote:
> Tripwire annoyed me as it emailed me masses of stuff
> every day about what had NOT changed.
When I used Tripwire I also found that it required a lot of maintenance
in order to make it provide useful reports. If you don't keep up with
it, it ends up flooding you with useless reports (reporting the same
changes over and over), which leads to the reports being ignored.
Most file system change detection tools work on a model where they set a
baseline and then once they detect a deviation from that baseline, they
email you perpetually until that baseline gets reset. This is the
secure, paranoid way to do it, but not particularly practical.
Back when I set up my first Debian system I went looking for something
simpler than Tripwire, and ran across Integrit, and have been using it
ever since, even though it remains fairly obscure. It was easy to set
up, and with a few tweaks to its cron script, I was able to have it
automatically reset its baseline after changes. This eliminates
maintenance effort, and it only generates reports if there have been
changes since the last change occurred, so most of the time it stays quiet.
Note that although these file system change detection tools are often
promoted as intrusion detection tools, they're actually more beneficial
for routine system administration by providing a record of what system
files changed when. This can be useful if system behavior changes and
you want to track down when a config was modified or when some upgrade
changed a shared library.
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
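The "reset the baseline after reporting" behaviour Tom describes, as an added example that is not part of the original post and is not Integrit's own code: a small POSIX shell function using GNU coreutils (sha256sum, find -print0, sort -z, xargs -r) that records a manifest of a directory tree, prints the differences on later runs, and then either replaces the baseline with the new snapshot (the quiet mode Tom prefers) or keeps the old baseline (the perpetual-nag mode of most tools). The directory and baseline paths are placeholders chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post and not Integrit's code.
# Assumes GNU coreutils (sha256sum, find -print0, sort -z, xargs -r).
# Typical cron use (paths are placeholders):
#   fim_check /etc /var/lib/fim/etc.baseline reset

# fim_snapshot DIR
#   Emit a sorted manifest of "sha256  path" for every regular file under DIR.
#   -print0/-z/-0 keep odd filenames intact; LC_ALL=C gives a stable sort.
fim_snapshot() {
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum
}

# fim_check DIR BASELINE [reset]
#   First run:  records BASELINE from the current tree, reports nothing, exit 0.
#   Later runs: exit 0 and stay silent if nothing changed; otherwise print the
#               manifest lines that differ (this is what cron would mail) and
#               exit 1.
#   With a third argument "reset", the new snapshot replaces BASELINE so each
#   change is reported exactly once (the Integrit-cron tweak Tom describes).
#   Without it, the old baseline is kept and the same change is reported on
#   every run until someone resets it by hand (the usual paranoid mode).
fim_check() {
    dir=$1; baseline=$2; mode=${3:-keep}
    current=$(mktemp) || return 2
    fim_snapshot "$dir" > "$current"

    # No baseline yet: this snapshot becomes the baseline.
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        return 0
    fi

    # Identical manifest: nothing to say.
    if cmp -s "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi

    # Something differs: "<" lines are old entries (removed or pre-change
    # hashes), ">" lines are new entries (added or post-change hashes).
    echo "Changes under $dir since last baseline:"
    diff "$baseline" "$current" | grep '^[<>]'

    if [ "$mode" = reset ]; then
        mv "$current" "$baseline"      # quiet until the next change
    else
        rm -f "$current"               # keep nagging until manually reset
    fi
    return 1
}
```

The trade-off Tom points out is visible in the code: in reset mode a change is reported exactly once, so that one report has to be read, and the baseline file must live outside the monitored tree (and preferably outside the monitored host's write reach), since a change to the baseline itself would otherwise pass unnoticed.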