[ubuntu-hardened] Linux Intrusion Detection and you

John Richard Moser nigelenki at comcast.net
Thu Nov 29 02:20:20 GMT 2007

Jeff Schroeder wrote:
> This is really just to get a discussion going, but what does everyone
> think of integrating a decent set of IDS tools into Ubuntu?

I'd like to define "really nice" here.

  - Use as much non-intrusive detection as possible, rather than relying
    on additional auditing capabilities.  This may include...
    - Logs
    - Listening to network traffic

  - Additional auditing capabilities should be as light as possible, not
    disk-filling CPU/RAM hogs.

  - Allow the archival of all collected data on a remote server.  This is
    key, because even if a home setup doesn't, the stuff should be so
    nice that you just want to flip a big switch marked "ENTERPRISE" that
    just puts the stuff in a central location (yes yes I know...)

  - Allow light-weight analysis and viewing.  A low-CPU and low-memory
    process should be putting this stuff through a pipeline. (1)

As it stands, no such thing I'm aware of exists.  Most stuff like OSSEC 
requires agents and all kinds of weird analysis and Web applications and 
servers and stuff to run.  Nothing can just run through your logs and 
bundle things together.

Point 1:  A low-CPU, low-memory process would need to be pretty intense. 
  Rather than hard-code, it would have to have a set of rules to analyze 
things and (gasp) compile them into some bytecode, then OPTIMIZE the 
bytecode, then separate the bytecode and make parts of it control higher 
level program logic differently so that a lot of the program would 
actually AVOID interpreting the bytecode.  Complex stuff.


Bring back the Firefox plushy!

More information about the ubuntu-hardened mailing list