Intrusion Detection (aide review)

Jason jmtaylor90 at gmail.com
Wed Jan 2 20:32:04 UTC 2008


On Wed, 2008-01-02 at 12:11 -0800, Elliot Lee wrote:
> Hey Jason, just a couple of ideas that may help you improve your proposal...
> 
> On Jan 2, 2008 11:38 AM, Jason <jmtaylor90 at gmail.com> wrote:

<snip>
> 
> Not that this type of functionality isn't a good part of intrusion
> detection, but I think these days intrusion detection really has to
> focus on more than just watching for changes on files... In addition,
> RPM already has a database that checks for all these things and knows
> how to do verification. A quick & dirty solution for file integrity
> checking could be to just run rpm -Va every night, and then keep good
> records of the rpm database md5sum and any package
> installations/upgrades/removals.
> 
> I think in the Fedora environment, intrusion detection might mean also
> being able to detect that host X has repeatedly tried to log in to
> these three machines and failed, or that Mike McGrath has logged in
> from a domain or IP range that he has never connected from before, or
> that the resource utilization of a particular service has changed
> drastically in the past few days because someone set up a warez site
> on the Fedora boxes, or that there's a lot of traffic going over
> network ports that we didn't know were supposed to have traffic on
> them... And so on and so forth. None of this stuff is covered by file
> integrity checking (which is still an important thing).

Correct, there is more to intrusion detection than just keeping an eye
on file changes. Like you mentioned, looking at logs for repeated login
attempts (e.g. brute force nonsense), malformed requests to HTTP
services, traffic analysis/benchmarking, keeping installed applications
to required apps only, and then properly configuring those apps, keeping
up to date with security patches, etc. I just wanted to throw this out
there to see if folks thought it was something worth adding to the
toolbox, or whether we are good as is. :D

> > The main weakness I noted was in the reporting capabilities. According
> > to the config file notes, reporting can be done via stdout, stdin,
> > stderr, file://, fd: (file descriptor).
> 
> Sounds like AIDE already does some postgres stuff - it might be fairly
> easy to have it dump more info into the DB so that one can create a
> simple web reporting interface using standard tools.
> 
> I remember a long time ago when I had Tripwire installed on a system,
> the biggest problem was that it generated a lot of false positives. A
> file integrity checker is only good if it generates useful low-noise
> results, so this makes intelligent reporting tools very important.

Indeed, lest we fall into the GIGO trap :D

> Best,
> -- Elliot

-Jason
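A small detector for two of the log-based signals Elliot lists above (one source failing logins on several machines, and a user's accepted login arriving from an address range never seen for them before), as an added example that is not part of this thread. It parses constructed sshd syslog lines; the hostnames, addresses, the per-user baseline and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines from three hosts; not real data.
SAMPLE_LOGS = """\
Jan  2 20:01:11 app1 sshd[4101]: Failed password for root from 198.51.100.7 port 40222 ssh2
Jan  2 20:01:14 app1 sshd[4101]: Failed password for root from 198.51.100.7 port 40223 ssh2
Jan  2 20:01:20 db1 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40301 ssh2
Jan  2 20:01:25 db1 sshd[2211]: Failed password for root from 198.51.100.7 port 40302 ssh2
Jan  2 20:01:33 web1 sshd[901]: Failed password for root from 198.51.100.7 port 40410 ssh2
Jan  2 20:02:02 web1 sshd[905]: Failed password for mmcgrath from 192.0.2.44 port 51000 ssh2
Jan  2 20:02:09 web1 sshd[905]: Accepted publickey for mmcgrath from 192.0.2.44 port 51000 ssh2
Jan  2 20:05:40 app1 sshd[4130]: Accepted publickey for mmcgrath from 203.0.113.9 port 52200 ssh2
"""

# Matches the standard sshd "Failed password" / "Accepted <method>" lines.
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(logs):
    """Yield (host, result, user, ip) for each sshd line we recognise."""
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("host"), m.group("result"), m.group("user"), m.group("ip")

def brute_force_sources(logs, min_failures=3, min_hosts=2):
    """Source IPs with >= min_failures failed logins spread over >= min_hosts machines."""
    hosts_hit = defaultdict(list)  # ip -> one host entry per failed attempt
    for host, result, _user, ip in parse(logs):
        if result == "Failed password":
            hosts_hit[ip].append(host)
    return sorted(ip for ip, hosts in hosts_hit.items()
                  if len(hosts) >= min_failures and len(set(hosts)) >= min_hosts)

def new_origin_logins(logs, baseline):
    """Accepted logins whose source /24 is absent from the user's known-origin baseline."""
    alerts = []
    for host, result, user, ip in parse(logs):
        if result.startswith("Accepted"):
            net = ".".join(ip.split(".")[:3]) + ".0/24"  # assumed /24 granularity
            if net not in baseline.get(user, set()):
                alerts.append((user, ip, host))
    return alerts
```

The baseline is the set of /24 networks each user has previously logged in from; in practice it would be built from historical accepted logins rather than typed in by hand.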