LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-01-2007, 04:04 PM   #1
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Rep: Reputation: 30
Samhain vs Osiris? Opinions welcome.


I am looking at host based intrusion detection systems and have concluded that Samhain and Osiris are ahead of the pack as they have central management features which are a big plus.

I need to monitor quite a lot of linux servers, and ideally a bunch of Windows servers too.

After quite a lot of googling I'm still no wiser, as both seem to have their trade offs. Only Osiris has a proper windows agent (samhain needs cygwin which I am reluctant to go round installing just for this). On the other hand osiris doesn't even sign it's config or baseline.


I'd like to know people's experiences; what have you used and which do you think is better?


Opinions welcome.

Last edited by humbletech99; 01-01-2007 at 04:06 PM.
 
Old 01-02-2007, 03:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Obviously (so apologies if this you know this all) HIDS like file integrity checkers rely on preventive measures, hardening and eyeballs. If you're designing this to run in a professional environment you should think about the need (think balance between cost and risk) for having a central loghost, a separate server to serve databases from and a separate management station. Next to that all relies on basic host and network hardening without any effort would be a waste of time (money). Finally (regardless of human intervention being necessary) adding a network-wide file integrity checker setup requires eyeballs. If nobody regularly checks for and reads alerts it would be a waste of time (money) too...


That said I divide (solely my opinion) file integrity checkers in two main categories: passive and active monitoring. Applications like your distro's package management verification functionality (if any), Aide, Integrit, Osiris, Sentinel, Viper, Tripwire (and on w32 stuff like Floke Integrity, the w32 resource kits Sysdiff, Winalysis) and such are passive tools since you run them periodically, while Samhain and Nabou run autonomously and monitor continuously (and Samhain being favourable since it has an LKM component, uses signed databases, detects tampering with itself etc, etc). (There's also other applications you can use: Monit for instance runs continuously and can check MD5 sums too, but of course it's not a *integrity* verification tool.)


I run Aide since it's easy configurable, it's actively supported and maintained and I don't need continuous monitoring. If I did have that requirement I would test if I could get away running it with Webjob or it's add-on (can't remember the name right now) that allows it to do one-to-many and else definately run Samhain since it has the most complete set of features you could ask for and it's actively supported and maintained.

I haven't run any commercial file integrity checkers on Wintendo (only Floke Integrity which is FOSS) and I would say this isn't the forum to ask (since not a *GNU/Linux* security-related question) so I won't expand on it except to say that I have no idea if Samhain would be the most effective tool for the job (differences in platform, threats and detection methods), but if you're bent on running Samhain on w32 you could check if you can compile it with the smallest possible set of checks you require so that it uses less of Cygwin: some tools just need one DLL, like for instance the SSH for Windows package.

Last edited by unSpawn; 01-02-2007 at 03:51 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Your opinions? oktober Linux - Laptop and Netbook 4 03-26-2005 05:44 PM
Looking for opinions... hp46168 Linux - Software 3 07-29-2004 02:40 PM
Opinions totally5150 Linux - General 7 06-27-2003 10:14 PM
Opinions?? Sadie Newlinux Linux - Newbie 2 04-25-2003 04:06 PM
Opinions on the best way to do this? cyberdiamond Linux - Software 11 11-15-2002 07:00 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:19 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration