Obviously (so apologies if you know all this) HIDS like file integrity checkers rely on preventive measures, hardening and eyeballs. If you're designing this to run in a professional environment you should think about the need (think balance between cost and risk) for having a central loghost, a separate server to serve databases from and a separate management station. Next to that, it all relies on basic host and network hardening; without any effort there it would be a waste of time (money). Finally (regardless of human intervention being necessary) adding a network-wide file integrity checker setup requires eyeballs. If nobody regularly checks for and reads alerts it would be a waste of time (money) too...
That said, I divide (solely my opinion) file integrity checkers into two main categories: passive and active monitoring. Applications like your distro's package management verification functionality (if any), Aide, Integrit, Osiris, Sentinel, Viper, Tripwire (and on w32 stuff like Floke Integrity, the w32 resource kit's Sysdiff, Winalysis) and such are passive tools since you run them periodically, while Samhain and Nabou run autonomously and monitor continuously (Samhain being favourable since it has an LKM component, uses signed databases, detects tampering with itself etc, etc). (There are also other applications you can use: Monit for instance runs continuously and can check MD5 sums too, but of course it's not an *integrity* verification tool.)
I run Aide since it's easily configurable, it's actively supported and maintained and I don't need continuous monitoring. If I did have that requirement I would test if I could get away with running it with Webjob or its add-on (can't remember the name right now) that allows it to do one-to-many, and otherwise definitely run Samhain since it has the most complete set of features you could ask for and it's actively supported and maintained.
I haven't run any commercial file integrity checkers on Wintendo (only Floke Integrity, which is FOSS) and I would say this isn't the forum to ask (since it is not a *GNU/Linux* security-related question), so I won't expand on it except to say that I have no idea if Samhain would be the most effective tool for the job (differences in platform, threats and detection methods), but if you're bent on running Samhain on w32 you could check if you can compile it with the smallest possible set of checks you require so that it uses less of Cygwin: some tools just need one DLL, like for instance the SSH for Windows package.
Last edited by unSpawn; 01-02-2007 at 03:51 AM.
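To illustrate the passive, run-it-periodically category described in the post above, here is an added example (not code from Aide, Samhain or any other tool named there): a minimal baseline-and-compare checker whose stored baseline carries an HMAC, so that an edit to the database itself is noticed on the next run, the point the post makes about signed databases. The HMAC key, file names and file contents are constructed placeholders; in practice the key and baseline would live off-host (e.g. on the management station the post mentions).

```python
import hashlib, hmac, json, os, stat, tempfile
# Constructed example, not Aide/Samhain code; the key below is a demo placeholder.

def snapshot(root):
    """Record sha256, size and mode of every regular file under root."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):  # symlinks, sockets etc. are skipped here
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                db[os.path.relpath(path, root)] = [digest, st.st_size, st.st_mode]
    return db

def seal(db, key):
    """Serialise the baseline and attach an HMAC-SHA256 tag computed under key."""
    body = json.dumps(db, sort_keys=True)
    return {"db": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}

def verify(sealed, key):
    """True only if the stored tag matches; otherwise the baseline must not be trusted."""
    mac = hmac.new(key, sealed["db"].encode(), "sha256").hexdigest()
    return hmac.compare_digest(mac, sealed["mac"])

def compare(baseline, current):
    """Report paths added, removed or changed since the baseline was taken."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

def _write(root, name, text):
    with open(os.path.join(root, name), "w") as fh:
        fh.write(text)

def demo(key=b"constructed-demo-key"):
    """Baseline a throwaway tree, alter it, run one check, then show that an edited
    baseline is rejected. Returns (report, database_rejected)."""
    root = tempfile.mkdtemp()
    _write(root, "hosts", "127.0.0.1 localhost\n")
    _write(root, "sshd_config", "PermitRootLogin no\n")
    sealed = seal(snapshot(root), key)
    _write(root, "sshd_config", "PermitRootLogin yes\n")  # changed
    os.remove(os.path.join(root, "hosts"))                 # removed
    _write(root, "motd", "welcome\n")                      # added
    assert verify(sealed, key)  # untouched database passes
    report = compare(json.loads(sealed["db"]), snapshot(root))
    sealed["db"] = sealed["db"].replace("hosts", "h0sts")  # someone edits the database
    return report, not verify(sealed, key)
```

Running `demo()` reports `motd` added, `hosts` removed and `sshd_config` changed, and returns `True` for the tampered database; the temporary tree is left in place for inspection.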