A couple of weeks ago I did an initial deployment of an Intrusion
Detection System in our infrastructure. It utilizes the prelude stack,
and is currently powered by auditd and prelude-lml events. Audit gives
us a ridiculous amount of power with regarding to monitoring
everything that happens on a system. Prelude-lml, out of the box
using it's pcre plugin, is able to watch a large variety of service
logs, including many things we are running (asterisk, mod_security,
nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
sudo). Prewikka is the web-based frontend
I created a new 'prelude' puppet module that contains the
configuration for audit, auditsp-plugins, libprelude,
prelude-manager, prewikka, prelude-correlator, and prelude-lml.
Turning a node/servergroup into a sensor entails adding the
following to your class definition: 'include prelude::sensor::audisp'
My initial deployment entailed setting up the prelude-manager
and correlator on a single box, and hooking up a single sensor
So, we're now at the point where we can fine tune our audit rules
before we further deploy this infrastructure.
Some things we want to consider:
- Creating specific security policies for each servergroup
- Define what files/directories/activities we want to monitor on
- What events to we want to escalate ?
I opened an infrastructure ticket to track this deployment here:
Suggestions, comments, and ideas are welcome.