[ubuntu-hardened] Linux Intrusion Detection and you
John Richard Moser
nigelenki at comcast.net
Thu Nov 29 02:20:20 GMT 2007
Jeff Schroeder wrote:
> This is really just to get a discussion going, but what does everyone
> think of integrating a decent set of IDS tools into Ubuntu?
I'd like to define "really nice" here.
- Use as much non-intrusive detection as possible, rather than relying
  on additional auditing capabilities. This may include...
  - Listening to network traffic
- Additional auditing capabilities should be as light as possible, not
  disk-filling CPU/RAM hogs.
- Allow the archival of all collected data on a remote server. This is
  key, because even if a home setup doesn't, the stuff should be so
  nice that you just want to flip a big switch marked "ENTERPRISE" that
  just puts the stuff in a central location (yes yes I know...)
- Allow light-weight analysis and viewing. A low-CPU and low-memory
  process should be putting this stuff through a pipeline. (1)
As it stands, no such thing I'm aware of exists. Most stuff like OSSEC
requires agents and all kinds of weird analysis and Web applications and
servers and stuff to run. Nothing can just run through your logs and
bundle things together.
Point 1: A low-CPU, low-memory process would need to be pretty intense.
Rather than hard-code, it would have to have a set of rules to analyze
things and (gasp) compile them into some bytecode, then OPTIMIZE the
bytecode, then separate the bytecode and make parts of it control higher
level program logic differently so that a lot of the program would
actually AVOID interpreting the bytecode. Complex stuff.
Bring back the Firefox plushy!
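As an added illustration of the pipeline sketched in Point 1 (example code written for this page, not from the list post or from any Ubuntu or OSSEC project): rules are compiled once up front, a cheap literal prefilter lets most lines bypass the regex entirely, and a single streaming pass keeps only per-(rule, key) counters, so memory is bounded by the number of distinct sources rather than by log size. The rule set, the thresholds and the log lines are constructed for the example; the sshd and sudo message shapes follow the usual syslog formats.

```python
"""Streaming, rule-driven log analyzer (added example, not from the list post)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    """A detection rule: a literal prefilter, a regex with named groups,
    the group to aggregate on, and how many hits per group raise an alert."""
    name: str
    literal: str      # cheap substring check run before the regex
    pattern: str      # regex with named groups
    group_by: str     # named group used as the aggregation key
    threshold: int


# Constructed rules (hypothetical thresholds chosen for the example).
RULES = [
    Rule("ssh_auth_failure", "Failed password",
         r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)",
         "src", 3),
    Rule("sudo_auth_failure", "incorrect password attempt",
         r"sudo:\s+(?P<user>\S+) : \d+ incorrect password attempt",
         "user", 1),
]

# Constructed syslog excerpt; hosts and addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 29 02:10:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 29 02:10:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov 29 02:10:04 host CRON[2150]: (root) CMD (run-parts /etc/cron.hourly)
Nov 29 02:10:06 host sshd[2101]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 29 02:10:09 host sshd[2180]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Nov 29 02:11:00 host sudo:    bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
Nov 29 02:11:30 host sshd[2201]: Failed password for root from 198.51.100.9 port 60001 ssh2
"""


@dataclass(frozen=True)
class CompiledRule:
    rule: Rule
    regex: "re.Pattern[str]"


def compile_rules(rules: Iterable[Rule]) -> List[CompiledRule]:
    """Compile stage: every regex is built exactly once, so the per-line
    loop never re-parses rule text."""
    return [CompiledRule(r, re.compile(r.pattern)) for r in rules]


def analyze(lines: Iterable[str],
            compiled: List[CompiledRule]) -> List[Tuple[str, str, int]]:
    """One pass over the log. State is a counter per (rule, key) pair, so
    memory grows with distinct sources, not with log length. Returns
    (rule, key, count) the first time each group reaches its threshold."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[Tuple[str, str, int]] = []
    for line in lines:
        for cr in compiled:
            # Fast path: most lines never reach the regex engine.
            if cr.rule.literal not in line:
                continue
            m = cr.regex.search(line)
            if m is None:
                continue
            key = (cr.rule.name, m.group(cr.rule.group_by))
            counts[key] += 1
            if counts[key] == cr.rule.threshold:
                alerts.append((cr.rule.name, key[1], counts[key]))
    return alerts


def run_sample() -> List[Tuple[str, str, int]]:
    """Run the constructed rules over the constructed log excerpt."""
    return analyze(SAMPLE_LOG.splitlines(), compile_rules(RULES))


if __name__ == "__main__":
    for name, key, count in run_sample():
        print(f"ALERT {name}: {key} ({count} hits)")
```

The same loop works unchanged over a file object or a pipe from a remote syslog collector, which is the "flip the ENTERPRISE switch" case: the analyzer does not care where the lines came from, only that they arrive one at a time.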