Intrusion Detection System

Luke Macken lmacken at redhat.com
Thu Sep 11 01:12:17 UTC 2008


On Wed, Sep 10, 2008 at 06:29:38PM -0600, Stephen John Smoogen wrote:
> 2008/9/10 Luke Macken <lmacken at redhat.com>:
> > Hey all,
> >
> > A couple of weeks ago I did an initial deployment of an Intrusion
> > Detection System in our infrastructure.  It utilizes the prelude stack,
> > and is currently powered by auditd and prelude-lml events.  Audit gives
> > us a ridiculous amount of power with regard to monitoring
> > everything that happens on a system.  Prelude-lml, out of the box
> > using its pcre plugin, is able to watch a large variety of service
> > logs, including many things we are running (asterisk, mod_security,
> > nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
> > sudo).  Prewikka is the web-based frontend
> > (https://admin.fedoraproject.org/prewikka).
> >
> 
> for the EL-5 systems.. did you need to update audit from what is
> provided by RHEL-5.2? It looked like it would be needed when I talked
> with Steve Grubb because it required stuff that had not been ported to
> EL-5. I would be interested in helping you test/document this? Where
> can I start?

Yep, RHEL's audit is not compiled with '--enable-prelude', so I respun
F-9's.  I also built rawhide's prelude stack.  All of these packages are
in the fedora-infrastructure repo.

As far as testing goes, I recommend setting up the stack on your home
network to get familiar with it (http://people.redhat.com/sgrubb/audit/prelude.txt).

As for documentation, we definitely need to throw together a SOP, and
maybe some sort of audit policy for all of our various server groups.
Before we start tweaking out our audit rules, we should probably start
by defining security policies for our various systems so we can turn
them into audit rules and selinux policy.

luke
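As an added illustration of the step described above (writing down a policy first, then turning it into audit rules and consuming the events those rules tag), here is example code that is not the Fedora infrastructure's own configuration and not prelude-lml's logic; the policy statements, file paths, rule keys and audit records in it are constructed for the example.

```python
"""Render a small written security policy as auditd watch rules, then
classify audit records that carry those rule keys (added example;
policy, paths, keys and sample records are constructed assumptions)."""
import re

# Policy statement -> files whose write/attribute changes it forbids silently.
POLICY = {
    "identity": ["/etc/passwd", "/etc/shadow", "/etc/group"],
    "privilege": ["/etc/sudoers"],
    "audit-config": ["/etc/audit/audit.rules"],
}
# How an IDS should rate a record tagged with each policy key.
SEVERITY = {"identity": "high", "privilege": "high", "audit-config": "high"}


def audit_rules(policy):
    """One audit.rules line per watched path: write/attr changes, tagged with -k key."""
    return [f"-w {path} -p wa -k {key}" for key, paths in policy.items() for path in paths]


# Audit records are space-separated name=value fields; quoted values may hold spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Turn one audit log line into a dict of its fields (quotes stripped)."""
    return {name: value.strip('"') for name, value in FIELD_RE.findall(line)}


def classify(lines, severity=SEVERITY):
    """Return an alert dict for every SYSCALL record whose key is a policy key."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        key = rec.get("key")
        if rec.get("type") != "SYSCALL" or key not in severity:
            continue  # untagged (key=(null)) or non-policy events are ignored
        alerts.append({"key": key, "auid": rec.get("auid"), "exe": rec.get("exe"),
                       "success": rec.get("success"), "severity": severity[key]})
    return alerts


# Constructed sample records in auditd's on-disk format (not real captured logs).
SAMPLE = [
    'type=SYSCALL msg=audit(1221094337.123:456): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2 auid=500 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="identity"',
    'type=CWD msg=audit(1221094337.123:456):  cwd="/root"',
    'type=SYSCALL msg=audit(1221094337.200:457): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=3 auid=501 uid=501 gid=501 euid=501 comm="cat" exe="/bin/cat" key="privilege"',
    'type=SYSCALL msg=audit(1221094337.300:458): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4 auid=500 uid=500 comm="ls" exe="/bin/ls" key=(null)',
]

if __name__ == "__main__":
    print("\n".join(audit_rules(POLICY)))
    for alert in classify(SAMPLE):
        print(alert)
```

The `auid` field is the login UID, which survives `su`/`sudo`, so the alerts attribute a change to the person who logged in rather than to root.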
