On Tue, Jun 30, 2009 at 4:36 PM, Dan Ritter <dsr-mzpnVDyJpH4k7aNtvndDlA at public.gmane.org> wrote:
> On Tue, Jun 30, 2009 at 04:02:51PM -0400, Tom Metro wrote:
>> ref wrote:
>> > Tripwire annoyed me as it emailed me masses of stuff
>> > every day about what had NOT changed.
>...
>> Note that although these file system change detection tools are often
>> promoted as intrusion detection tools, they're actually more beneficial
>> for routine system administration by providing a record of what system
>> files changed when. This can be useful if system behavior changes and
>> you want to track down when a config was modified or when some upgrade
>> changed a shared library.
>
> Though there are three better tools:
>
> - keep your configurations in a version control system
> - and/or keep snapshots of your configurations (or whole
>   filesystems)
> - look in your OS package installation log (/var/log/dpkg, for
>   instance)

There are better tools, but that's in some sense irrelevant. We don't have file permissions and memory protection just to protect against malicious action. They more often prevent mistakes/errors from getting out of hand. Sysadmins are human and will sometimes make mistakes, not follow procedures, etc. The methods you suggest are great, but file modification checking can still be a good backstop against human error. It is also possible for tools (particularly software installers) to make undocumented changes to unexpected files. Tripwire/AIDE/etc. will let you discover this quickly.

Bill Bogstad
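The kind of baseline-and-compare check the thread is discussing, as an added example rather than code from Tripwire, AIDE or anyone on the list: it records a hash plus ownership and mode for each regular file under a root, then reports only what was added, removed or changed, so an installer's undocumented edit shows up without the noise about unchanged files that ref objected to. The `demo()` function builds a throwaway tree under a temp directory and simulates such an upgrade; the paths and contents in it are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

# Per-file record: content hash plus the metadata a stray chmod/chown or an
# installer is most likely to disturb. Constructed example, not AIDE/Tripwire code.
def file_record(path):
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def build_baseline(root):
    """Map each regular file under root (as a relative path) to its record."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline

def diff_baselines(old, new):
    """Report differences only; unchanged files are never mentioned."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Simulate an 'upgrade' that quietly edits one config and drops a new file."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("debug = no\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = build_baseline(root)
        with open(os.path.join(etc, "app.conf"), "w") as f:      # undocumented edit
            f.write("debug = yes\n")
        with open(os.path.join(etc, "app.conf.new"), "w") as f:  # stray new file
            f.write("\n")
        return diff_baselines(before, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

Storing the baseline somewhere the checked host cannot quietly rewrite it (read-only media or another machine) is what turns this from a change log into something you can trust after a mistake.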