[ubuntu-hardened] Linux Intrusion Detection and you

Jeff Schroeder jeffschroed at gmail.com
Wed Oct 31 06:05:48 GMT 2007

This is really just to get a discussion going, but what does everyone
think of integrating a decent set of IDS tools into Ubuntu?

Kees Cook has already mentioned putting auditd in main. Comprehensive
auditing is the first step. This *really* needs to happen along with
the userspace tools like aureport and ausearch. Patches like [1] that
made it into 2.6.23 make auditing a very attractive thing indeed. It
allows you to log the full argv[] of a process that is exec'd from a
tty. Think logging what an admin types. Snare also helps integrate
auditd into a more usable IDS by making it easy to create rules
(instead of running auditctl) and displaying events in a shiny web-ui
if you must. There appears to be an old version[2] available for
Debian Sarge, but it needs updating to work on Ubuntu

One of the pet projects to throw patches at in my free time is
OSSEC[3], a really nice intrusion detection system with a configurable
coorelation engine. Version 1.4 was just released today[4] with new
features like database support and a searchable web ui.

OSSEC upstream, Daniel Cid, is very easy to work with and open to new
ideas / patches. The code is incredibly clean. We should look into
packaging OSSEC and getting it into {Debian,Ubuntu}. Since extreme
portability is a concern, the build scripts are a bit strange though.

[1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=522ed7767e800cff6c650ec64b0ee0677303119c
[1] http://www.gweep.net/~malk/snare_debian.shtml
[2] http://www.ossec.net or #ossec on freenode.
[3] http://www.ossec.net/announcements/v1.4-2007-10-30.txt

Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.

More information about the ubuntu-hardened mailing list