03-08-04 04:35 PM
Hi,
we are currently reviewing our security procedures, including
firewall, IDS and file integrity checkers. For the first two, we are
already evaluating one or two solutions, but the last one is almost
unknown to us.
I've seen a few that are available (Tripwire, AIDE, Samhain,
Integrit). Does somebody have any experience with them to say which
one is better? Basically, what I need is something that can verify
about 60-80 different machines (mainly Sun, Linux, Alphas, but a few
others too), but from a centralized station.
If somebody knows about materials comparing such systems, it would
help too.
Tks a lot,
Roberto
Re: File integrity checkers
those who know me have no need of my name
03-09-04 02:34 AM
in comp.unix.admin i read:
>I've seen a few that are available (Tripwire, AIDE, Samhain,
>Integrit). Does somebody have any experience with them to say which
>one is better?
it's mostly a matter of taste, and perhaps ease of integration into your
(expected) model, though none of them should be too difficult. very old
versions of tripwire cannot handle too many files at once, but this is not
too horrible a problem as multiple databases and passes can be used.
>Basically, what I need is something that can verify
>about 60-80 different machines (mainly Sun, Linux, Alphas, but a few
>others too), but from a centralized station.
all of the products you've mentioned have this ability. but there are
issues:
it cannot be done with a high degree of certainty of successful results
(`file has not been changed') if the platform is at all suspect, and it
must be or you wouldn't be checking. exploits quite often install a kernel
module or replacement programs which, in effect, lie about the content of
replaced files, so that programs that check them (via open, read & calculate
types of mechanisms) will be fooled into thinking them unchanged. in order
to be certain you must boot the system from trusted media, without running
anything from an untrusted source, i.e., especially nothing from the system
to be inspected, then you can be certain even if such subterfuge exists it
won't influence the test results.
the good news is that failure results (`file has changed') can typically be
trusted, as generally speaking the only other cause for unexpected changes
is hardware failure, which is another event warranting a quick response.
take care to handle updates in a safe fashion (are they automated?),
otherwise your alarms might start going off needlessly and that begins the
`boy that cried wolf' problem (too many false alarms teach people to ignore
the alarms).
so you *can* test a system that is suspect, and you can even do so while it
continues in a production mode, just ignore the `all is well' results;
focus instead on any failure indications. then plan periodic off-line
tests, and triggered (e.g., by ids clues re outgoing traffic) testing.
--
a signature
Re: File integrity checkers
03-09-04 03:35 PM
On 09 Mar 2004 01:46:52 GMT, those who know me have no need of my name
<not-a-real-address@usa.net> wrote:
>in comp.unix.admin i read:
>
>
>it's mostly a matter of taste, and perhaps ease of integration into your
>(expected) model, though none of them should be too difficult. very old
>versions of tripwire cannot handle too many files at once, but this is not
>too horrible a problem as multiple databases and passes can be used.
>
>
>all of the products you've mentioned have this ability. but there are
>issues:
>
>it cannot be done with a high degree of certainty of successful results
>(`file has not been changed') if the platform is at all suspect, and it
>must be or you wouldn't be checking. exploits quite often install a kernel
>.....
>focus instead on any failure indications. then plan periodic off-line
>tests, and triggered (e.g., by ids clues re outgoing traffic) testing.
Hmm. Already helps. I'll then evaluate all four of them and see which
one seems to be better suited for what we need.
Tks.
Re: File integrity checkers
05-19-04 10:40 PM
Roberto wrote:
> I've seen a few that are available (Tripwire, AIDE, Samhain,
> Integrit). Does somebody have any experience with them to say which
> one is better? Basically, what I need is something that can verify
> about 60-80 different machines (mainly Sun, Linux, Alphas, but a few
> others too), but from a centralized station.
Sounds like you need portability and centralized control.
Tripwire is the hands down favorite and usually first mentioned, but the
open source version is currently lagging in maintenance and was dropped
by Red Hat from their Advanced Server 3 release and from the Fedora
Core. Others may be dropping Tripwire as well. I believe that Tripwire
doesn't support a centralized operation either.
I recently examined Samhain, which supports the centralized model, as
well as the traditional host-only model.
AIDE I don't know too well; it is the most often "second choice"
mentioned and appears to be the first choice for a tripwire replacement.
However, in my estimation, Samhain is used most by large installations.
I'm currently seriously evaluating Samhain.
Realize, too, that Red Hat Advanced Server does not come with a
replacement for Tripwire. I don't know which of these have Solaris
support, or support for whatever the Alphas are running.
Note that whatever database you create has to be protected; I recommend
off-host storage and a read-only copy on CDROM.
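To make the two warnings in this thread concrete (a "file has changed" result is trustworthy, an "unchanged" result from a live host is not, and the baseline database itself must be protected), here is a small constructed integrity checker. It is an added example, not code from Tripwire, AIDE, Samhain or Integrit; it assumes a SHA-256 content hash plus ownership and mode as the tracked attributes, and an HMAC key that is kept off the monitored host (standing in for the off-host or read-only baseline copy recommended above).

```python
import hashlib, hmac, json, os, stat

def _fingerprint(path):
    # Content hash plus the metadata a checker typically tracks for each file.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def _snapshot(root):
    # Walk the tree and fingerprint every regular file, keyed by path relative to root.
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p):
                db[os.path.relpath(p, root)] = _fingerprint(p)
    return db

def build_baseline(root, key):
    """Return the baseline database as JSON bytes plus an HMAC over it.
    Assumption: 'key' lives off the monitored host, so a baseline that was
    rewritten together with the files it describes will fail verification."""
    blob = json.dumps(_snapshot(root), sort_keys=True).encode()
    return blob, hmac.new(key, blob, "sha256").hexdigest()

def verify(root, blob, mac, key):
    """Compare the tree against the baseline and return sorted lists of
    (changed, added, removed) paths. Raises ValueError if the baseline's HMAC
    does not check out (tampered or corrupted database).
    Caveat from the thread: on a live, possibly compromised host only the
    non-empty results are trustworthy; a kernel module that lies about file
    contents can make an altered file hash exactly as it did at baseline time,
    so an empty result is not proof of integrity unless the check was run from
    trusted boot media."""
    if not hmac.compare_digest(hmac.new(key, blob, "sha256").hexdigest(), mac):
        raise ValueError("baseline HMAC mismatch: refuse to trust this database")
    base = json.loads(blob)
    current = _snapshot(root)
    changed = sorted(k for k in base if k in current and current[k] != base[k])
    added = sorted(set(current) - set(base))
    removed = sorted(set(base) - set(current))
    return changed, added, removed
```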