[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Intrusion Detection System

Hey all,

A couple of weeks ago I did an initial deployment of an Intrusion
Detection System in our infrastructure.  It utilizes the prelude stack,
and is currently powered by auditd and prelude-lml events.  Audit gives
us a ridiculous amount of power with regarding to monitoring
everything that happens on a system.  Prelude-lml, out of the box
using it's pcre plugin, is able to watch a large variety of service
logs, including many things we are running (asterisk, mod_security,
nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
sudo).  Prewikka is the web-based frontend

I created a new 'prelude' puppet module that contains the
configuration for audit, auditsp-plugins, libprelude,
prelude-manager, prewikka, prelude-correlator, and prelude-lml.
Turning a node/servergroup into a sensor entails adding the
following to your class definition: 'include prelude::sensor::audisp'
My initial deployment entailed setting up the prelude-manager
and correlator on a single box, and hooking up a single sensor

So, we're now at the point where we can fine tune our audit rules
before we further deploy this infrastructure.

Some things we want to consider:
- Creating specific security policies for each servergroup
- Define what files/directories/activities we want to monitor on
  which machines.
- What events to we want to escalate ?

I opened an infrastructure ticket to track this deployment here:


Suggestions, comments, and ideas are welcome.



Attachment: pgpwADM8UIiIa.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]