intrusion detection/prevention
Dan Ritter
dsr-mzpnVDyJpH4k7aNtvndDlA at public.gmane.org
Tue Jun 30 16:36:55 EDT 2009
On Tue, Jun 30, 2009 at 04:02:51PM -0400, Tom Metro wrote:
> ref wrote:
> > Tripwire annoyed me as it emailed me masses of stuff
> > everyday about what had NOT changed.
>
> When I used Tripwire I also found that it required a lot of maintenance
> in order to make it provide useful reports. If you don't keep up with
> it, it ends up flooding you with useless reports (reporting the same
> changes over and over), which leads to the reports being ignored.
>
> Most file system change detection tools work on a model where they set a
> baseline and then once they detect a deviation from that baseline, they
> email you perpetually until that baseline gets reset. This is the
> secure, paranoid way to do it, but not particularly practical.
It's the only really useful way. There are two tricks:

- make it easy to reset the baseline
  - a single word alias is best
- map exactly what parts of your filesystems you can ignore
  - in particular, you need to have the monitor automatically
    ignore logs, temp files, pidfiles, mail spools and user
    home directories
> Back when I set up my first Debian system I went looking for something
> simpler than Tripwire, and ran across Integrit, and have been using it
> ever since, even though it remains fairly obscure. It was easy to set
> up, and with a few tweaks to its cron script, I was able to have it
> automatically reset its baseline after changes. This eliminates
> maintenance effort, and it only generates reports if there have been
> changes since the last change occurred, so most of the time it stays quiet.
Integrit is pretty good. So is AIDE.
> Note that although these file system change detection tools are often
> promoted as intrusion detection tools, they're actually more beneficial
> for routine system administration by providing a record of what system
> files changed when. This can be useful if system behavior changes and
> you want to track down when a config was modified or when some upgrade
> changed a shared library.
Though there are three better tools:

- keep your configurations in a version control system
- and/or keep snapshots of your configurations (or whole filesystems)
- look in your OS package installation log (/var/log/dpkg, for instance)
-dsr-
--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
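A minimal version of the scheme both posts describe (skip the directories that churn by design, report only the delta since the last run, then make the new state the baseline so the next run stays quiet), written as an added example in POSIX sh. It is not code from Tripwire, Integrit or AIDE; the ignore list, the function names and the fake root used in the comments are illustrative assumptions, and paths are matched relative to the scanned root so the same list works against a real "/" or a test tree.

```shell
#!/bin/sh
# fim.sh: tiny file-integrity monitor with auto-resetting baseline.
# Constructed example for the thread above; not Tripwire/Integrit/AIDE code.
#
# Usage from cron (cron mails any output, so a quiet run sends nothing):
#   sh fim.sh / /var/lib/fim/baseline

# fim_ignored RELPATH: paths whose contents change by design. Hashing these
# is what floods the daily report with noise. Hypothetical list; tune per host.
fim_ignored() {
    case "$1" in
        /var/log/*|/tmp/*|/var/tmp/*|/run/*|/var/run/*|\
        /var/spool/*|/var/mail/*|/home/*|*.pid) return 0 ;;
        *) return 1 ;;
    esac
}

# fim_scan ROOT OUTFILE: write "sha256  path" for every regular file under
# ROOT that is not ignored. Paths are sorted first so two scans of an
# unchanged tree are byte-identical and can be compared with cmp/diff.
fim_scan() {
    find "$1" -type f | sort | while IFS= read -r f; do
        rel=${f#"${1%/}"}            # strip the root prefix, keep leading /
        fim_ignored "$rel" || sha256sum "$f"
    done > "$2"
}

# fim_check ROOT BASELINE: scan ROOT, print only what changed since BASELINE,
# then replace BASELINE with the new scan (the "automatic reset" Tom Metro
# describes). Exit 0 when nothing changed, 1 when a change was reported.
fim_check() {
    root=$1; base=$2
    new=$(mktemp)
    fim_scan "$root" "$new"
    if [ ! -f "$base" ]; then
        mv "$new" "$base"
        echo "baseline created: $base"
        return 0
    fi
    if cmp -s "$base" "$new"; then
        rm -f "$new"                 # unchanged: stay silent
        return 0
    fi
    # Report the delta only: '<' lines are the old state, '>' the new.
    # A modified file shows as one of each, an added file as '>' only,
    # a removed file as '<' only.
    diff "$base" "$new" | grep '^[<>]' || true
    mv "$new" "$base"                # new state becomes the baseline
    return 1
}

# Run as a script: sh fim.sh ROOT BASELINE. Sourced with no args, only the
# functions are defined.
if [ "$#" -eq 2 ]; then
    fim_check "$1" "$2"
fi
```

Because the baseline resets itself, an unexpected change is reported exactly once, so the cron mail is the record and should be kept; the real tools also record permissions, ownership and inode data rather than content alone, and the baseline itself belongs somewhere an intruder cannot rewrite it (read-only or off-host), otherwise whoever changed the files can change the reference too.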