Hey all,
A couple of weeks ago I did an initial deployment of an Intrusion Detection System in our infrastructure. It utilizes the prelude stack, and is currently powered by auditd and prelude-lml events. Audit gives us a ridiculous amount of power with regard to monitoring everything that happens on a system. Prelude-lml, out of the box using its pcre plugin, is able to watch a large variety of service logs, including many things we are running (asterisk, mod_security, nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd, sudo). Prewikka is the web-based frontend (https://admin.fedoraproject.org/prewikka).
I created a new 'prelude' puppet module that contains the configuration for audit, audispd-plugins, libprelude, prelude-manager, prewikka, prelude-correlator, and prelude-lml. Turning a node/servergroup into a sensor entails adding the following to your class definition: 'include prelude::sensor::audisp'. My initial deployment entailed setting up the prelude-manager and correlator on a single box, and hooking up a single sensor (bastion).
So, we're now at the point where we can fine tune our audit rules before we further deploy this infrastructure.
Some things we want to consider:
- Creating specific security policies for each servergroup
- Define what files/directories/activities we want to monitor on which machines.
- What events do we want to escalate?
I opened an infrastructure ticket to track this deployment here:
https://fedorahosted.org/fedora-infrastructure/ticket/833
Suggestions, comments, and ideas are welcome.
Cheers,
luke
2008/9/10 Luke Macken lmacken@redhat.com:
> Hey all,
> A couple of weeks ago I did an initial deployment of an Intrusion Detection System in our infrastructure. It utilizes the prelude stack, and is currently powered by auditd and prelude-lml events. Audit gives us a ridiculous amount of power with regard to monitoring everything that happens on a system. Prelude-lml, out of the box using its pcre plugin, is able to watch a large variety of service logs, including many things we are running (asterisk, mod_security, nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd, sudo). Prewikka is the web-based frontend (https://admin.fedoraproject.org/prewikka).
For the EL-5 systems... did you need to update audit from what is provided by RHEL-5.2? It looked like it would be needed when I talked with Steve Grubb because it required stuff that had not been ported to EL-5. I would be interested in helping you test/document this. Where can I start?
On Wed, Sep 10, 2008 at 06:29:38PM -0600, Stephen John Smoogen wrote:
> 2008/9/10 Luke Macken lmacken@redhat.com:
> > Hey all,
> > A couple of weeks ago I did an initial deployment of an Intrusion Detection System in our infrastructure. It utilizes the prelude stack, and is currently powered by auditd and prelude-lml events. Audit gives us a ridiculous amount of power with regard to monitoring everything that happens on a system. Prelude-lml, out of the box using its pcre plugin, is able to watch a large variety of service logs, including many things we are running (asterisk, mod_security, nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd, sudo). Prewikka is the web-based frontend (https://admin.fedoraproject.org/prewikka).
> For the EL-5 systems... did you need to update audit from what is provided by RHEL-5.2? It looked like it would be needed when I talked with Steve Grubb because it required stuff that had not been ported to EL-5. I would be interested in helping you test/document this. Where can I start?
Yep, RHEL's audit is not compiled with '--enable-prelude', so I respun F-9's. I also built rawhide's prelude stack. All of these packages are in the fedora-infrastructure repo.
As far as testing goes, I recommend setting up the stack on your home network to get familiar with it (http://people.redhat.com/sgrubb/audit/prelude.txt).
As for documentation, we definitely need to throw together a SOP, and maybe some sort of audit policy for all of our various server groups. Before we start tweaking out our audit rules, we should probably start by defining security policies for our various systems so we can turn them into audit rules and selinux policy.
luke
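The questions in the first mail (which files to watch on which machines, which events to escalate) and the point above about turning security policy into audit rules come down to a decision per audit record. The following is an added example, not code from this thread or from the audit/prelude projects: a small Python escalation filter over constructed raw auditd records, assuming the watched paths were tagged with `auditctl -k` keys (the key names, thresholds and sample records are all made up for the example).

```python
import re
from collections import Counter

# Keys assumed to be set on watch rules with "auditctl -w <path> -p wa -k <key>" (constructed names).
ESCALATE_KEYS = {"sudoers_change", "sshd_config_change", "passwd_change"}
FAILED_LOGIN_THRESHOLD = 3  # failed logins from one address before escalating

_HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<rest>.*)$")
_PAIR = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line):
    """Turn one raw audit record into a dict of its fields (quotes stripped)."""
    m = _HEADER.match(line.strip())
    if not m:
        return None  # not an audit record; callers skip it
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    rest = m["rest"]
    inner = re.search(r"msg='([^']*)'", rest)  # USER_* records nest a msg='...' payload
    if inner:
        rest = rest.replace(inner.group(0), "") + " " + inner.group(1)  # flatten it
    for k, v in _PAIR.findall(rest):
        rec[k] = v.strip("'\"")
    return rec

def escalate(lines):
    """Return (serial, reason) pairs for the records that should be escalated."""
    alerts, failures = [], Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "SYSCALL" and rec.get("key") in ESCALATE_KEYS:
            alerts.append((rec["serial"], f"{rec.get('exe')} hit watch key {rec['key']} (auid={rec.get('auid')})"))
        elif rec["type"] == "USER_AUTH" and rec.get("res") == "failed":
            addr = rec.get("addr", "?")
            failures[addr] += 1
            if failures[addr] == FAILED_LOGIN_THRESHOLD:  # fire once per address, not on every failure
                alerts.append((rec["serial"], f"{FAILED_LOGIN_THRESHOLD} failed logins from {addr}"))
    return alerts

# Constructed records in auditd's raw format (not captured from a real sensor).
_AUTH = "type=USER_AUTH msg=audit(%s): user pid=2345 uid=0 auid=4294967295 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=%s addr=%s terminal=ssh res=%s'"
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1221086978.123:4512): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 comm="vim" exe="/usr/bin/vim" key="sudoers_change"',
    'type=SYSCALL msg=audit(1221086979.001:4513): arch=c000003e syscall=2 success=yes exit=4 auid=500 uid=500 comm="cat" exe="/bin/cat" key="motd_read"',
    _AUTH % ("1221086980.555:4514", "192.0.2.10", "192.0.2.10", "failed"),
    _AUTH % ("1221086981.010:4515", "192.0.2.10", "192.0.2.10", "failed"),
    _AUTH % ("1221086981.500:4516", "192.0.2.77", "192.0.2.77", "success"),
    _AUTH % ("1221086982.200:4517", "192.0.2.10", "192.0.2.10", "failed"),
]
```

Running `escalate(SAMPLE_LOG)` escalates the sudoers write and the third failure from 192.0.2.10, while the unwatched key and the successful login stay quiet.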
Luke Macken wrote:
> Hey all,
> A couple of weeks ago I did an initial deployment of an Intrusion Detection System in our infrastructure. It utilizes the prelude stack, and is currently powered by auditd and prelude-lml events. Audit gives us a ridiculous amount of power with regard to monitoring everything that happens on a system. Prelude-lml, out of the box using its pcre plugin, is able to watch a large variety of service logs, including many things we are running (asterisk, mod_security, nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd, sudo). Prewikka is the web-based frontend (https://admin.fedoraproject.org/prewikka).
Permission denied post-login :)
But looking forward to seeing this in action :)
--Bret