Quote:
Originally Posted by unSpawn
So let's be honest about it then: intrusion detection with nightly updates are totally impractical.
Here being "honest" really seems a misinterpretation for wanting convenience without the "hassle", wanting the sweet but not the sour.
|
Well, I thought computers were supposed to make our life easier and not keep us chained to the screen checking logs.
The thing is, package management systems (like rpm) do a good job of monitoring system files, where they come from, when they were last supposed to have changed, etc. This information can easily reveal tampering.
The problem is that the package management system can be tampered with, so that we can't trust it to provide the true results. But if we can protect the package management system then it seems logical that we can detect tampering of the system files.
The problem of detecting unauthorised changes to system files can then be broken down into two steps:
1) Check the package management system hasn't been tampered with (use an IDS like tripwire with an offsite database)
If ok, then proceed to
2) package management system checks files and reveals those that shouldn't have changed.
And preferably package updates come from a trusted source and must be signed.
Quote:
Only those aspiring to really tight systems need bother
It always is a trade-off between systems usability and security. Any seasoned admin will agree that (in production systems anyway) change is bad with respect to stability. Less change means easier systems management.
|
Absolutely. But if the tools to monitor those changes automatically are already in place, then perhaps we should use them.
My point is: using tripwire to monitor all system files is laborious when there are frequent updates. But tripwire and rpm could be used in conjunction with each other to detect intrusion more cleverly.
Hope that makes sense...
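The two-step check the post describes, written out as an added example (not code from the post or from the rpm or tripwire projects). Step 1 stands in for tripwire: the rpm database under /var/lib/rpm is hashed and compared against a baseline kept on offsite or read-only media. Step 2 (`rpm -Va`) only runs if step 1 passes, because rpm's verification data lives in that same database. The baseline path, the environment variable names and the rule that a changed config file is "review" while a changed binary is "suspicious" are all assumptions made for this example; the sample `rpm -Va` lines used to exercise the classifier are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example, not part of the original post: tripwire-style check of the
# rpm database, then rpm -Va for everything else.
set -eu

RPMDB_DIR="${RPMDB_DIR:-/var/lib/rpm}"                # assumed default
BASELINE="${BASELINE:-/mnt/offsite/rpmdb.sha256}"     # assumed offsite location

# Record a baseline of the package database. Run after every trusted update
# (yum/rpm rewrite the database), then copy the file offsite; that refresh is
# the "sour" part of the trade-off, but it is one directory, not the whole system.
make_rpmdb_baseline() {   # make_rpmdb_baseline <dbdir> <outfile>
    sha256sum "$1"/* > "$2"
}

# Step 1: does the live package database still match the offsite baseline?
# Returns non-zero on any mismatch or if the baseline is unreadable.
rpmdb_baseline_ok() {     # rpmdb_baseline_ok <baseline-file>
    [ -r "$1" ] || return 1
    sha256sum -c "$1" >/dev/null 2>&1
}

# Step 2 helper: classify one line of `rpm -Va` output.
# Line layout: 9 attribute flags (S M 5 D L U G T P, "." = unchanged), two
# spaces, a file-type letter or blank (c = config, d = doc, ...), a space,
# then the path. Prints one of: missing, config-changed, suspicious, expected.
classify_rpm_line() {     # classify_rpm_line "<one rpm -Va line>"
    case "$1" in
        missing*) echo missing; return 0 ;;
    esac
    attrs=$(printf '%s\n' "$1" | cut -c1-9)
    ftype=$(printf '%s\n' "$1" | cut -c12)
    case "$attrs" in
        *[SM5DLUGP]*)
            # size, mode, digest, device, link, owner, group or caps changed:
            # an edited config file is routine, anything else needs a look.
            if [ "$ftype" = "c" ]; then echo config-changed; else echo suspicious; fi ;;
        *)  echo expected ;;   # only the mtime (T) differs
    esac
}

# Full run: refuse to report anything if the database itself is untrusted,
# since rpm -Va would then be checking files against attacker-supplied data.
run_check() {
    if ! rpmdb_baseline_ok "$BASELINE"; then
        echo "rpm database differs from offsite baseline; rpm -Va output cannot be trusted" >&2
        return 2
    fi
    # rpm -Va exits non-zero whenever any file differs, which is normal here.
    # Path extraction assumes packaged paths contain no spaces.
    rpm -Va 2>/dev/null | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$(classify_rpm_line "$line")" "${line##* }"
    done | grep -v '^expected' || true
}

# Only run against the real system when explicitly asked, e.g.
#   RPM_CHECK_RUN=1 BASELINE=/mnt/offsite/rpmdb.sha256 sh rpmcheck.sh
if [ "${RPM_CHECK_RUN:-0}" = 1 ]; then
    run_check
fi
```

The point of the split is that step 1 covers a small, rarely changing set of files (the package database), so its baseline is cheap to maintain, while step 2 reuses the per-file hashes, modes and owners that rpm already stores for every packaged file. A changed config file is reported separately because admins edit those legitimately; a changed digest, mode or owner on a non-config file is what should trigger a closer look.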