Quoting Russ Allbery ([EMAIL PROTECTED]):

> Yup. IDS systems are wonderful. But they do require discipline.

Indeed. I'd still like to see a trial project, to see _if_ a default IDS
setup (Samhain, AIDE, or Prelude-IDS) can be made to be generally useful.
(Yeah, I know: "Sooner if you help.")

> That's really the take-home point with all of these discussions. There
> are a lot of great security tools available if you're paying attention and
> really think about what you're doing, clear anomalies, and make sure that
> everything they report really *is* unusual.

One of the take-home lessons of my (referenced) article about the 2003
server compromise is that the Debian Project sysadmins caught it promptly
_mostly_ because they reasoned that simultaneous kernel oopses across
multiple hosts were too suspicious to ignore. The nightly report from
AIDE, later, merely confirmed what they already knew.

> This is, for example, one of the reasons why I think Debian's logcheck
> package is such a good idea.

Agreed.

-- 
"Zees American words are too much.
With 'le parking' 'le weekend' & such.
Eef you anglicize French,
Zen our culture you'll wrench;
Wiz our children we'll be out of touch."
  -- L'Academie Francaise in a nutshell