LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-01-2007, 04:04 PM   #1
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Samhain vs Osiris? Opinions welcome.


I am looking at host-based intrusion detection systems and have concluded that Samhain and Osiris are ahead of the pack as they have central management features, which are a big plus.

I need to monitor quite a lot of linux servers, and ideally a bunch of Windows servers too.

After quite a lot of googling I'm still no wiser, as both seem to have their trade-offs. Only Osiris has a proper Windows agent (Samhain needs Cygwin, which I am reluctant to go round installing just for this). On the other hand, Osiris doesn't even sign its config or baseline.


I'd like to know people's experiences; what have you used and which do you think is better?


Opinions welcome.

Last edited by humbletech99; 01-01-2007 at 04:06 PM.
 
Old 01-02-2007, 03:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Obviously (so apologies if you know all this) HIDS like file integrity checkers rely on preventive measures, hardening and eyeballs. If you're designing this to run in a professional environment you should think about the need (think balance between cost and risk) for having a central loghost, a separate server to serve databases from and a separate management station. Next to that, all of it relies on basic host and network hardening; without any effort there it would be a waste of time (money). Finally (regardless of human intervention being necessary), adding a network-wide file integrity checker setup requires eyeballs. If nobody regularly checks for and reads alerts it would be a waste of time (money) too...


That said, I divide (solely my opinion) file integrity checkers into two main categories: passive and active monitoring. Applications like your distro's package management verification functionality (if any), Aide, Integrit, Osiris, Sentinel, Viper, Tripwire (and on w32 stuff like Floke Integrity, the w32 resource kit's Sysdiff, Winalysis) and such are passive tools since you run them periodically, while Samhain and Nabou run autonomously and monitor continuously (Samhain being favourable since it has an LKM component, uses signed databases, detects tampering with itself, etc.). (There are also other applications you can use: Monit, for instance, runs continuously and can check MD5 sums too, but of course it's not an *integrity* verification tool.)


I run Aide since it's easily configurable, it's actively supported and maintained and I don't need continuous monitoring. If I did have that requirement I would test if I could get away with running it with Webjob or its add-on (can't remember the name right now) that allows it to do one-to-many, and otherwise definitely run Samhain since it has the most complete set of features you could ask for and it's actively supported and maintained.

I haven't run any commercial file integrity checkers on Wintendo (only Floke Integrity, which is FOSS) and I would say this isn't the forum to ask (since it's not a *GNU/Linux* security-related question), so I won't expand on it except to say that I have no idea if Samhain would be the most effective tool for the job (differences in platform, threats and detection methods), but if you're bent on running Samhain on w32 you could check if you can compile it with the smallest possible set of checks you require so that it uses less of Cygwin: some tools just need one DLL, like for instance the SSH for Windows package.

Last edited by unSpawn; 01-02-2007 at 03:51 AM.
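Added example (not code from either poster, nor from Samhain, Osiris or Aide): a toy file integrity checker that shows why the "signed baseline" point raised in both posts matters. It builds a baseline of hashes and inode metadata, protects the database with an HMAC keyed by a secret that is assumed to live off the monitored host (a stand-in for Samhain's signed databases; a real deployment would use the tool's own signing and a separate database server, as unSpawn describes). The scenario in `demo()` is constructed: a file is trojaned, and an attacker who rewrites the on-disk baseline to hide the change is caught at the signature check before any comparison is trusted.

```python
"""Toy file integrity baseline with an HMAC-protected database (illustrative, not a real HIDS)."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def scan(root):
    """Walk root and record sha256 plus mode/uid/gid/size/mtime for each regular file."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so the serialized baseline is canonical
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks/devices are out of scope for this toy
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            entries[os.path.relpath(path, root)] = {
                "sha256": h.hexdigest(),
                "mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
                "size": st.st_size, "mtime": int(st.st_mtime),
            }
    return entries


def write_baseline(entries, key):
    """Serialize canonically and append an HMAC-SHA256 tag over the body."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag + b"\n"


def read_baseline(blob, key):
    """Verify the tag BEFORE trusting any of the contents; raise on mismatch."""
    body, tag, _ = blob.rsplit(b"\n", 2)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline signature mismatch: database tampered with or wrong key")
    return json.loads(body)


def compare(baseline, current):
    """Report added, removed and changed paths; 'changed' lists which attributes differ."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": [],
    }
    for path in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if diff:
            report["changed"].append((path, diff))
    return report


def demo():
    """Constructed scenario: honest check, then an attacker forging the baseline to hide a trojan.

    Returns (honest_report, forged_baseline_rejected, report_if_forgery_were_trusted).
    """
    key = os.urandom(32)  # assumption: kept off-host or on read-only media, never beside the DB
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0\n")
        blob = write_baseline(scan(root), key)

        # Trojan bin/ls (same length, so only hash/mtime can give it away).
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls")
        honest = compare(read_baseline(blob, key), scan(root))

        # Attacker with root regenerates the baseline from the trojaned tree. Without the
        # key they can only guess a tag; the verifier rejects it before comparing anything.
        forged_body = json.dumps(scan(root), sort_keys=True, separators=(",", ":")).encode()
        forged_blob = forged_body + b"\n" + hmac.new(
            b"guess", forged_body, hashlib.sha256).hexdigest().encode() + b"\n"
        try:
            read_baseline(forged_blob, key)
            rejected = False
        except ValueError:
            rejected = True

        # An unsigned checker would load the forged body as-is and see nothing wrong.
        if_trusted = compare(json.loads(forged_body), scan(root))
        return honest, rejected, if_trusted


if __name__ == "__main__":
    print(demo())
```

The point the second return value makes is the one the thread is circling: if the database can be rewritten by whoever already owns the box, a periodic checker only tells you what the attacker wants it to; the signing key and the baseline need to be somewhere the monitored host cannot write.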