Starting with a fresh load and after I finish hardening the load following the Center for Internet Security (CIS) guidance, I'm wondering whether AIDE or OSSEC would be a better intrusion detection system. I installed AIDE and did a quick test of AIDE and after initializing the db and applying the recent cups update, I found that 1700+ files had changed. Those are a lot of changes to wade through to determine if they are legit or not. If that is all that AIDE can do, then it is not "manageable." Seems to me that any IDS must be tied to the yum update process so that one is not dealing with hundreds/thousands of changes that were brought in by a yum update that I choose to apply. Is OSSEC any less noisy? DaveM
David McGuffey wrote:
> Seems to me that any IDS must be tied to the yum update process so that
> one is not dealing with hundreds/thousands of changes that were brought
> in by a yum update that I choose to apply.
>
> Is OSSEC any less noisy?

Nope.

-Alan
David McGuffey wrote:
> Starting with a fresh load and after I finish hardening the load
> following the Center for Internet Security (CIS) guidance, I'm wondering
> whether AIDE or OSSEC would be a better intrusion detection system.
<snip>

We've just started with OSSEC at work. I'm told they'd tried AIDE before I started, and it gave a *humongous* number of warnings. OSSEC is bad enough, when I do a yum update, for example.

mark

--
"This country has medicalized social problems. Instead of being concerned about widescale unemployment, underemployment, and job outsourcing, people act as if the problem were nothing more than the victims being depressed, as if depression always took place in a vacuum." - M. DuPree
On Sat, Nov 28, 2009 at 6:57 PM, David McGuffey <davidmcguffey at verizon.net> wrote:
> Starting with a fresh load and after I finish hardening the load
> following the Center for Internet Security (CIS) guidance, I'm wondering
> whether AIDE or OSSEC would be a better intrusion detection system.
>
> I installed AIDE and did a quick test of AIDE and after initializing the
> db and applying the recent cups update, I found that 1700+ files had
> changed. Those are a lot of changes to wade through to determine if
> they are legit or not. If that is all that AIDE can do, then it is not
> "manageable."
>
> Seems to me that any IDS must be tied to the yum update process so that
> one is not dealing with hundreds/thousands of changes that were brought
> in by a yum update that I choose to apply.
>
> Is OSSEC any less noisy?
>
> DaveM

When you are first installing any IDS (I am using AIDE), you need to give it a few days to shake things out. You need to start from a known secure state, which is presumably what you have just after an install. If you just installed AIDE and it found 1700+ files "changed", then you should be able to safely assume that all of those changes are expected and acknowledge them. If you can't make that assumption, then you have bigger problems.

You definitely do not want an IDS tied in with yum, as that would defeat much of the purpose of an IDS. The whole point is for it to pick up files that changed. If things are changing without your explicit say-so and knowledge, then you have a problem. If there were a way for a package to communicate to the IDS to say "this change is fine, ignore it", then every single exploit would just do that.

What you need is a process, not a technical solution. Make sure that running the AIDE update is the next step after you install or update a package. Run the AIDE check nightly and review the output every day. Make sure the output matches anything you specifically did the day before, or things you expect, such as updates to /etc/shadow when someone changes their password. There's no way for the computer to know whether a change is right or wrong, so you must always review it with human eyes.
David McGuffey wrote:
> Starting with a fresh load and after I finish hardening the load
> following the Center for Internet Security (CIS) guidance, I'm wondering
> whether AIDE or OSSEC would be a better intrusion detection system.
>
> I installed AIDE and did a quick test of AIDE and after initializing the
> db and applying the recent cups update, I found that 1700+ files had
> changed. Those are a lot of changes to wade through to determine if
> they are legit or not. If that is all that AIDE can do, then it is not
> "manageable."
>
> Seems to me that any IDS must be tied to the yum update process so that
> one is not dealing with hundreds/thousands of changes that were brought
> in by a yum update that I choose to apply.
>
> Is OSSEC any less noisy?
>
> DaveM

I run both of these on my servers.

AIDE is noisy, however it is simple to scroll through the list of files that it shows and determine that the folders with all the changes relate to the yum update or install that I know about. After a yum update, I run another aide --init and cp the new db over the old one - I do this once a week after the logrotate takes place, thus most days have only two ~ ten files to look at.

BUT the real outcome is I get to sleep easy knowing that something will know about every file change.

OSSEC can also be noisy but it also adds some other useful monitoring and emails me when certain events occur. Most of these events I know about, thus I delete the email and life is good. The real benefit is that if the number of log messages suddenly grows I get warned, if I get 10 tries from one IP address to dovecot using different hostnames I get warned etc... I get to choose the level of response, by applying my experience and expectations to the mix.

I do not think there is any tool you can just set and forget for IDS functions.

HTH
On Sun, Nov 29, 2009 at 9:55 AM, Rob Kampen <rkampen at kampensonline.com> wrote:
> David McGuffey wrote:
>>
>> Starting with a fresh load and after I finish hardening the load
>> following the Center for Internet Security (CIS) guidance, I'm wondering
>> whether AIDE or OSSEC would be a better intrusion detection system.
>>
>> I installed AIDE and did a quick test of AIDE and after initializing the
>> db and applying the recent cups update, I found that 1700+ files had
>> changed. Those are a lot of changes to wade through to determine if
>> they are legit or not. If that is all that AIDE can do, then it is not
>> "manageable."
>>
>> Seems to me that any IDS must be tied to the yum update process so that
>> one is not dealing with hundreds/thousands of changes that were brought
>> in by a yum update that I choose to apply.
>>
>> Is OSSEC any less noisy?
>>
>> DaveM
>>
>>
> I run both of these on my servers.
> AIDE is noisy, however it is simple to scroll through the list of files that
> it shows and determine that the folders with all the changes relate to the
> yum update or install that I know about. After a yum update, I run another
> aide --init and cp the new db over the old one - I do this once a week after
> the logrotate takes place, thus most days have only two ~ ten files to look
> at.
> BUT the real outcome is I get to sleep easy knowing that something will know
> about every file change.
> OSSEC can also be noisy but it also adds some other useful monitoring and
> emails me when certain events occur.
> Most of these events I know about, thus I delete the email and life is good.
> The real benefit is that if the number of log messages suddenly grows I get
> warned, if I get 10 tries from one IP address to dovecot using different
> hostnames I get warned etc...
> I get to choose the level of response, by applying my experience and
> expectations to the mix.
> I do not think there is any tool you can just set and forget for IDS
> functions.
> HTH

It should also be mentioned that all these tools do is look for changes to files. Using them as an IDS is only a matter of how you choose to perceive the reports that are generated. They can and should also easily be used for configuration management (monitoring systems for unauthorized changes), and can play a big role in generating an audit trail of changes made on a system. This is also why you can't "set and forget". The intended use for the reports happens on the user side, not the tech side.
On Sat, 2009-11-28 at 18:57 -0500, David McGuffey wrote:
> Starting with a fresh load and after I finish hardening the load
> following the Center for Internet Security (CIS) guidance, I'm wondering
> whether AIDE or OSSEC would be a better intrusion detection system.
>
> I installed AIDE and did a quick test of AIDE and after initializing the
> db and applying the recent cups update, I found that 1700+ files had
> changed. Those are a lot of changes to wade through to determine if
> they are legit or not. If that is all that AIDE can do, then it is not
> "manageable."
>
> Seems to me that any IDS must be tied to the yum update process so that
> one is not dealing with hundreds/thousands of changes that were brought
> in by a yum update that I choose to apply.
>
> Is OSSEC any less noisy?

More so as far as I can tell.

Don't forget that prelinking will cause files to regularly change their hash value whether they have been updated or not. Aide does have a patch to cater for prelinking (as far as I know it is not in the current release so you'll have to search their archives for it). OSSEC does not know about prelinking, so will frequently report files having changed.

Shameless plug: You could take a look at rootkit hunter (http://sourceforge.net/projects/rkhunter/), its file properties test knows about prelinking and can use the local RPM database to verify files, so an updated file won't be flagged as having changed unless someone has deliberately changed it.

Another alternative is Samhain. As far as I remember it can handle prelinking, but will report updated files as having been changed.

John.

--
John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
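The routine several replies describe (review AIDE's list against the package update you know you applied, then re-init the db) and John's point about using the RPM database to explain updated files, written out as a small script. This is an added example, not code from anyone in the thread; it assumes the 0.13-era AIDE report lines "changed: /path" (also "added:"/"removed:"), an expected-file list produced by `rpm -ql` for the updated packages, and the default CentOS db paths under /var/lib/aide.

```shell
#!/bin/sh
# Added example: split an AIDE report into changes explained by a package
# update you applied and changes that still need human eyes.
# Assumes AIDE summary lines look like "changed: /path" (or added:/removed:)
# and that the expected list came from:  rpm -ql cups cups-libs > expected.txt

# Paths AIDE flagged, one per line, sorted so comm(1) can use them.
aide_paths() {
    sed -n -e 's/^added: *//p' -e 's/^changed: *//p' -e 's/^removed: *//p' "$1" \
        | sort -u
}

# Paths AIDE flagged that are NOT owned by the packages you just updated.
# $1 = AIDE report, $2 = expected file list (rpm -ql output).
unexplained() {
    tmp_a=$(mktemp); tmp_e=$(mktemp)
    aide_paths "$1" > "$tmp_a"
    sort -u "$2" > "$tmp_e"
    comm -23 "$tmp_a" "$tmp_e"
    rm -f "$tmp_a" "$tmp_e"
}

# Re-baseline once the report has been reviewed: the "aide --init, then copy
# the new db over the old one" step. Paths are the CentOS defaults (assumption).
rebaseline() {
    aide --init && cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
}

# Constructed sample data standing in for a real AIDE report ($1) and the
# rpm -ql output for a cups update ($2). /etc/shadow is the odd one out.
make_sample() {
    cat > "$1" <<'EOF'
AIDE found differences between database and filesystem!!
Summary:
  Total number of files: 3
  Changed files: 3
changed: /usr/sbin/cupsd
changed: /etc/cups/cupsd.conf
changed: /etc/shadow
EOF
    cat > "$2" <<'EOF'
/usr/sbin/cupsd
/etc/cups/cupsd.conf
/usr/share/doc/cups-1.3.7/README
EOF
}
```

Run `unexplained report.txt expected.txt` after each nightly check; whatever it prints is the list to review by hand before calling `rebaseline`.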