Samhain? Never tried it, but looked at it a few times.
Cheers,
Eric

On Sat, Jul 11, 2009 at 08:18:38PM -0400, Andrew Reid wrote:
>
> Hi all --
>
> I run a small network of several hosts, mostly Debian, and
> I've become frustrated with the host-based intrusion detection
> system I'm using. It works, but the GUI tool is very slow,
> and package/security updates generate a lot of noise. We're
> expanding the number of hosts we monitor, and it seems to be
> scaling poorly.
>
> In my ideal world, I'd like a Debian-smart integrity
> checker.
>
> Basic features:
>
> - FOSS. I don't mind paying money for support or docs,
>   but I'd like the code to be open.
> - Separate central monitoring host, integrity agents on
>   client hosts.
> - Tunable/configurable to ignore rapidly-changing files,
>   give low-severity for enlarged/rotated log files,
>   good SUID and world-writable detection.
>
> Desirable features:
>
> - A fast, intuitive GUI that lets me isolate false positives
>   quickly (you can never tune these things perfectly),
>   and preferably allows browsing by directory tree.
>
> Dream feature:
>
> - Debian-smart, so when I do security updates, it automatically
>   white-lists the files changed by the package manager, and
>   doesn't bug me about them.
>
> I have direct experience with Samhain/Beltane/Yule, tripwire,
> and recently road-tested ossec. They all do the basic features,
> and S/B/Y and ossec have web-based GUI interfaces, but they seem
> clunky to me, and scale poorly -- I end up manually scanning huge
> lists of violations by eye, looking for the change that's *not* in
> the /usr/changed-package/zillion-files tree, which is error-prone.
>
> Searching the Debian package lists, I see references to "osiris",
> "aide", and "prelude", although prelude appears to be more of a
> combined log-analyzer and network IDS, and what I really want is a
> file-system integrity tool.
>
> A good GUI for tripwire might meet the need, and I'd also be
> interested in people's experience with other tools, particularly for
> monitoring about 50 hosts.
>
> -- A.
>
> --
> Andrew Reid / rei...@bellatlantic.net

--
Eric Gerlach, Network Administrator
Federation of Students
University of Waterloo
p: (519) 888-4567 x36329
e: egerl...@feds.uwaterloo.ca
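The "Debian-smart" whitelisting Andrew asks for can be approximated by cross-checking an integrity checker's list of changed paths against dpkg's own per-package checksum records (the `/var/lib/dpkg/info/<pkg>.md5sums` files): a flagged file whose current checksum matches dpkg's record was rewritten by a package update, while an owned file that no longer matches, or a file no package owns, still needs a human. The following is an added example, not code from this thread or from any of the tools named in it; the `coreutils.md5sums` contents and the file paths are a constructed fixture built in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def load_dpkg_md5sums(info_dir):
    """Parse every <pkg>.md5sums in a dpkg info dir (/var/lib/dpkg/info):
    '<md5hex>  <path relative to />' per line -> {'/abs/path': (pkg, md5hex)}."""
    owned = {}
    for sums in Path(info_dir).glob("*.md5sums"):
        pkg = sums.name[:-len(".md5sums")]
        for line in sums.read_text().splitlines():
            digest, _, rel = line.partition("  ")
            if digest and rel:
                owned["/" + rel.strip()] = (pkg, digest)
    return owned

def md5_of(path):
    # Whole-file read is fine for a demo; stream in chunks on real systems.
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def triage(changed, owned, root="/"):
    """Classify paths an integrity checker flagged: 'whitelisted:<pkg>' if the
    file still matches dpkg's recorded checksum (a normal package update),
    'tampered:<pkg>' if owned but differing/missing, 'unowned' otherwise."""
    verdict = {}
    for path in changed:
        if path not in owned:
            verdict[path] = "unowned"
            continue
        pkg, recorded = owned[path]
        full = Path(root, path.lstrip("/"))
        ok = full.is_file() and md5_of(full) == recorded
        verdict[path] = ("whitelisted:" if ok else "tampered:") + pkg
    return verdict

def demo():
    """Constructed fixture: a throwaway root with one package's md5sums."""
    root = tempfile.mkdtemp()
    for rel in ("bin", "etc", "var/lib/dpkg/info"):
        Path(root, rel).mkdir(parents=True)
    Path(root, "bin/ls").write_bytes(b"ls binary after security update")
    Path(root, "bin/cat").write_bytes(b"cat binary, modified on disk")
    Path(root, "etc/motd").write_bytes(b"not owned by any package")
    # dpkg's record: ls matches what is on disk, cat's recorded sum does not.
    Path(root, "var/lib/dpkg/info/coreutils.md5sums").write_text(
        md5_of(Path(root, "bin/ls")) + "  bin/ls\n"
        + hashlib.md5(b"cat binary as shipped").hexdigest() + "  bin/cat\n")
    return triage(["/bin/ls", "/bin/cat", "/etc/motd"],
                  load_dpkg_md5sums(Path(root, "var/lib/dpkg/info")), root)
```

On a live host, point `load_dpkg_md5sums` at `/var/lib/dpkg/info` with `root="/"` (the `debsums` package does the same comparison for every installed package). Since the md5sums files live on the monitored host itself, they only explain legitimate package updates and are not a tamper-proof reference; the integrity checker's off-host baseline remains the authority.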