Intrusion Detection System

Luke Macken lmacken at redhat.com
Wed Sep 10 22:10:42 UTC 2008


Hey all,

A couple of weeks ago I did an initial deployment of an Intrusion
Detection System in our infrastructure.  It utilizes the prelude stack,
and is currently powered by auditd and prelude-lml events.  Audit gives
us a ridiculous amount of power with regard to monitoring
everything that happens on a system.  Prelude-lml, out of the box
using its pcre plugin, is able to watch a large variety of service
logs, including many things we are running (asterisk, mod_security,
nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
sudo).  Prewikka is the web-based frontend
(https://admin.fedoraproject.org/prewikka).

I created a new 'prelude' puppet module that contains the
configuration for audit, auditsp-plugins, libprelude,
prelude-manager, prewikka, prelude-correlator, and prelude-lml.
Turning a node/servergroup into a sensor entails adding the
following to your class definition: 'include prelude::sensor::audisp'
My initial deployment entailed setting up the prelude-manager
and correlator on a single box, and hooking up a single sensor
(bastion).

So, we're now at the point where we can fine tune our audit rules
before we further deploy this infrastructure.

Some things we want to consider:
- Creating specific security policies for each servergroup
- Define what files/directories/activities we want to monitor on
  which machines.
- What events do we want to escalate?

I opened an infrastructure ticket to track this deployment here:

     https://fedorahosted.org/fedora-infrastructure/ticket/833

Suggestions, comments, and ideas are welcome.

Cheers,

luke
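As an added illustration of the "what events do we want to escalate?" question above (example code, not from the original mail and not part of the prelude or audit projects): a small Python filter that groups auditd records by event serial and escalates keyed events according to a per-servergroup policy. The audit keys, servergroup names and log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed per-servergroup escalation policy: audit rule key -> severity. Keys are the
# "-k" labels set in audit.rules (e.g. "-w /etc/sudoers -p wa -k sudoers_change"); assumed names.
POLICY = {
    "bastion": {"sudoers_change": "high", "sshd_config": "high", "passwd_change": "medium"},
    "web":     {"sudoers_change": "high", "passwd_change": "medium"},
}

# Constructed auditd log excerpt in auditd's key=value record format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1221084642.123:4711): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=500 key="sudoers_change"
type=PATH msg=audit(1221084642.123:4711): item=0 name="/etc/sudoers" inode=1234 mode=0100440
type=SYSCALL msg=audit(1221084650.456:4712): arch=c000003e syscall=2 success=yes exit=4 uid=0 auid=501 key="passwd_change"
type=PATH msg=audit(1221084650.456:4712): item=0 name="/etc/passwd" inode=1235 mode=0100644
type=SYSCALL msg=audit(1221084660.789:4713): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=502 key="sshd_config"
type=PATH msg=audit(1221084660.789:4713): item=0 name="/etc/ssh/sshd_config" inode=1236 mode=0100600
type=SYSCALL msg=audit(1221084670.000:4714): arch=c000003e syscall=2 success=no exit=-13 uid=500 auid=500 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # event serial inside msg=audit(ts:serial)

def parse_record(line):
    """Split one audit record into a dict of fields; strip quotes and attach the event serial."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = SERIAL_RE.search(line).group(1)  # assumes every record carries msg=audit(...)
    return fields

def group_events(log_text):
    """Group records by serial: SYSCALL and PATH records of one event share the same serial."""
    events = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        events[rec["serial"]].append(rec)
    return events

def escalate(log_text, servergroup):
    """Return (severity, key, auid, path) for each event whose audit key is in the group's policy."""
    policy = POLICY.get(servergroup, {})
    alerts = []
    for records in group_events(log_text).values():
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") not in policy:
            continue  # unkeyed events (key=(null)) or keys outside this group's policy are dropped
        path = next((r["name"] for r in records if r["type"] == "PATH"), None)
        alerts.append((policy[syscall["key"]], syscall["key"], syscall["auid"], path))
    return alerts
```

Reporting auid rather than uid preserves the login identity of whoever ran sudo, which is what an escalation should carry.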