09-10-2008, 10:10 PM
Luke Macken
Intrusion Detection System

Hey all,

A couple of weeks ago I did an initial deployment of an Intrusion
Detection System in our infrastructure. It utilizes the prelude stack,
and is currently powered by auditd and prelude-lml events. Audit gives
us a ridiculous amount of power with regard to monitoring
everything that happens on a system. Prelude-lml, out of the box
using its pcre plugin, is able to watch a large variety of service
logs, including many things we are running (asterisk, mod_security,
nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
sudo). Prewikka is the web-based frontend
(https://admin.fedoraproject.org/prewikka).

I created a new 'prelude' puppet module that contains the
configuration for audit, audispd-plugins, libprelude,
prelude-manager, prewikka, prelude-correlator, and prelude-lml.
Turning a node/servergroup into a sensor entails adding the
following to your class definition: 'include prelude::sensor::audisp'
My initial deployment entailed setting up the prelude-manager
and correlator on a single box, and hooking up a single sensor
(bastion).

So, we're now at the point where we can fine tune our audit rules
before we further deploy this infrastructure.

Some things we want to consider:
- Creating specific security policies for each servergroup
- Define what files/directories/activities we want to monitor on
which machines.
- What events do we want to escalate?

I opened an infrastructure ticket to track this deployment here:

https://fedorahosted.org/fedora-infrastructure/ticket/833

Suggestions, comments, and ideas are welcome.

Cheers,

luke
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
09-11-2008, 12:29 AM
"Stephen John Smoogen"
Intrusion Detection System

2008/9/10 Luke Macken <lmacken@redhat.com>:
> Hey all,
>
> A couple of weeks ago I did an initial deployment of an Intrusion
> Detection System in our infrastructure. It utilizes the prelude stack,
> and is currently powered by auditd and prelude-lml events. Audit gives
> us a ridiculous amount of power with regard to monitoring
> everything that happens on a system. Prelude-lml, out of the box
> using its pcre plugin, is able to watch a large variety of service
> logs, including many things we are running (asterisk, mod_security,
> nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
> sudo). Prewikka is the web-based frontend
> (https://admin.fedoraproject.org/prewikka).
>

For the EL-5 systems, did you need to update audit from what is
provided by RHEL-5.2? It looked like it would be needed when I talked
with Steve Grubb, because it required stuff that had not been ported to
EL-5. I would be interested in helping you test/document this. Where
can I start?


--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

 
09-11-2008, 01:12 AM
Luke Macken
Intrusion Detection System

On Wed, Sep 10, 2008 at 06:29:38PM -0600, Stephen John Smoogen wrote:
> 2008/9/10 Luke Macken <lmacken@redhat.com>:
> > Hey all,
> >
> > A couple of weeks ago I did an initial deployment of an Intrusion
> > Detection System in our infrastructure. It utilizes the prelude stack,
> > and is currently powered by auditd and prelude-lml events. Audit gives
> > us a ridiculous amount of power with regard to monitoring
> > everything that happens on a system. Prelude-lml, out of the box
> > using its pcre plugin, is able to watch a large variety of service
> > logs, including many things we are running (asterisk, mod_security,
> > nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
> > sudo). Prewikka is the web-based frontend
> > (https://admin.fedoraproject.org/prewikka).
> >
>
> For the EL-5 systems, did you need to update audit from what is
> provided by RHEL-5.2? It looked like it would be needed when I talked
> with Steve Grubb, because it required stuff that had not been ported to
> EL-5. I would be interested in helping you test/document this. Where
> can I start?

Yep, RHEL's audit is not compiled with '--enable-prelude', so I respun
F-9's. I also built rawhide's prelude stack. All of these packages are
in the fedora-infrastructure repo.

As far as testing goes, I recommend setting up the stack on your home
network to get familiar with it (http://people.redhat.com/sgrubb/audit/prelude.txt).

As for documentation, we definitely need to throw together a SOP, and
maybe some sort of audit policy for all of our various server groups.
Before we start tweaking out our audit rules, we should probably start
by defining security policies for our various systems so we can turn
them into audit rules and selinux policy.

luke

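The two threads of this discussion, deciding per-servergroup what files to watch and turning that policy into audit rules, and then deciding which of the resulting audit events to escalate, can be sketched in one script. The following is an added example written for this page; it is not code from the thread, from the Fedora infrastructure puppet module, or from the prelude stack. The servergroup names, watched paths, escalation keys and the three audit records are constructed assumptions for illustration, not Fedora's real policy or logs. The rule lines it emits use real auditctl syntax (`-w path -p wa -k key`), so they can be dropped into audit.rules as-is.

```python
"""
Added example (not from the thread or Fedora's puppet module): render a
per-servergroup file-watch policy into auditd rules, then parse and rate
constructed audit SYSCALL records against that same policy.  Servergroup
names, paths, thresholds and sample records are illustrative assumptions.
"""
import shlex

# Hypothetical per-servergroup policy: (path, permission mask, audit key).
# -p wa = write + attribute change, the mask that matters for config files.
POLICY = {
    "bastion": [
        ("/etc/ssh/sshd_config", "wa", "sshd"),
        ("/etc/sudoers", "wa", "sudoers"),
        ("/etc/passwd", "wa", "identity"),
        ("/etc/shadow", "wa", "identity"),
        ("/etc/pam.d/", "wa", "pam"),
    ],
    "app": [
        ("/etc/httpd/conf/", "wa", "httpd"),
        ("/etc/sudoers", "wa", "sudoers"),
        ("/etc/passwd", "wa", "identity"),
    ],
}

# Keys whose *successful* modification should page someone (assumption).
ESCALATE_KEYS = {"sudoers", "identity", "sshd", "pam"}

UNSET_AUID = "4294967295"   # (unsigned)-1: no login session, e.g. a daemon


def render_audit_rules(servergroup):
    """Return audit.rules lines (auditctl syntax) for one servergroup."""
    lines = ["-D", "-b 8192"]          # flush old rules, size the backlog
    for path, perms, key in POLICY[servergroup]:
        lines.append("-w %s -p %s -k %s" % (path, perms, key))
    lines.append("-e 2")               # lock the ruleset until reboot
    return lines


def parse_audit_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    rec = {}
    for tok in shlex.split(line):
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
    return rec


def actor(rec):
    """Attribute the record to the login uid, which survives su/sudo."""
    auid = rec.get("auid")
    if auid is None or auid == UNSET_AUID:
        return "system"
    return "auid=%s" % auid


def escalate(rec, servergroup):
    """Rate a SYSCALL record as 'high', 'medium', 'low' or 'ignore'."""
    key = rec.get("key")
    watched = {k for _, _, k in POLICY[servergroup]}
    if key not in watched:
        return "ignore"
    if rec.get("success") != "yes":
        return "low"                   # denied attempt, still worth a look
    if key in ESCALATE_KEYS:
        return "high"
    return "medium"


def triage(lines, servergroup):
    """Parse each record and return (serial, actor, key, severity) tuples."""
    out = []
    for line in lines:
        rec = parse_audit_record(line)
        # msg=audit(<epoch>:<serial>): carries the serial used to correlate
        # the SYSCALL record with its PATH/CWD records.
        serial = rec["msg"].rstrip(":").split(":")[-1].rstrip(")")
        out.append((serial, actor(rec), rec.get("key"),
                    escalate(rec, servergroup)))
    return out


# Constructed records in the 2008-era audit format; not real Fedora logs.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1221084600.123:4567): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7fff8a4c a1=241 a2=1b6 a3=0 items=2 ppid=1234 '
    'pid=1235 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="sudoers"',
    'type=SYSCALL msg=audit(1221084601.456:4568): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7fff8a4c a1=241 a2=1b6 a3=0 items=1 ppid=2000 '
    'pid=2001 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 '
    'egid=501 sgid=501 fsgid=501 tty=pts1 ses=2 comm="cat" exe="/bin/cat" '
    'key="identity"',
    'type=SYSCALL msg=audit(1221084602.789:4569): arch=c000003e syscall=2 '
    'success=yes exit=4 a0=7fff8a4c a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm="cacti" exe="/usr/bin/php" '
    'key="cacti"',
]

if __name__ == "__main__":
    print("\n".join(render_audit_rules("bastion")))
    for row in triage(SAMPLE_RECORDS, "bastion"):
        print(row)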
 
09-11-2008, 02:13 PM
Bret McMillan
Intrusion Detection System

Luke Macken wrote:
> Hey all,
>
> A couple of weeks ago I did an initial deployment of an Intrusion
> Detection System in our infrastructure. It utilizes the prelude stack,
> and is currently powered by auditd and prelude-lml events. Audit gives
> us a ridiculous amount of power with regard to monitoring
> everything that happens on a system. Prelude-lml, out of the box
> using its pcre plugin, is able to watch a large variety of service
> logs, including many things we are running (asterisk, mod_security,
> nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd,
> sudo). Prewikka is the web-based frontend
> (https://admin.fedoraproject.org/prewikka).


Permission denied post-login

But looking forward to seeing this in action

--Bret
