Hey all, A couple of weeks ago I did an initial deployment of an Intrusion Detection System in our infrastructure. It utilizes the prelude stack, and is currently powered by auditd and prelude-lml events. Audit gives us a ridiculous amount of power with regard to monitoring everything that happens on a system. Prelude-lml, out of the box using its pcre plugin, is able to watch a large variety of service logs, including many things we are running (asterisk, mod_security, nagios, cacti, PAM, postfix, sendmail, selinux, shadowutils, sshd, sudo). Prewikka is the web-based frontend (https://admin.fedoraproject.org/prewikka).
I created a new 'prelude' puppet module that contains the
configuration for audit, auditsp-plugins, libprelude,
prelude-manager, prewikka, prelude-correlator, and prelude-lml.
Turning a node/servergroup into a sensor entails adding the
following to your class definition: 'include prelude::sensor::audisp'
My initial deployment entailed setting up the prelude-manager
and correlator on a single box, and hooking up a single sensor
(bastion).
So, we're now at the point where we can fine tune our audit rules
before we further deploy this infrastructure.
Some things we want to consider:
- Creating specific security policies for each servergroup
- Define what files/directories/activities we want to monitor on
which machines.
- What events do we want to escalate?
I opened an infrastructure ticket to track this deployment here:
https://fedorahosted.org/fedora-infrastructure/ticket/833
Suggestions, comments, and ideas are welcome.
Cheers,
luke
Fedora-infrastructure-list mailing list: https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
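As an added illustration of the per-servergroup policy and escalation questions raised in the message above (example code, not part of the original post or of the Fedora prelude puppet module), the following renders auditd `-w` watch rules from a hypothetical per-servergroup policy table and classifies a constructed SYSCALL record by its rule key; the paths, keys and servergroup names are assumptions for the example.

```python
"""Per-servergroup auditd watch rules and key-based escalation (hypothetical policy)."""
import re

# Hypothetical policy: (path, permissions, rule key, escalate?) per servergroup.
POLICIES = {
    "bastion": [
        ("/etc/ssh/sshd_config", "wa", "sshd-config", True),
        ("/etc/sudoers", "wa", "sudoers", True),
        ("/var/log/secure", "wa", "secure-log", False),
    ],
    "web": [
        ("/etc/httpd/conf.d", "wa", "httpd-config", True),
        ("/var/www", "wa", "web-content", False),
    ],
}
# Watches every servergroup gets regardless of role (assumed baseline).
COMMON = [
    ("/etc/passwd", "wa", "identity", True),
    ("/etc/shadow", "wa", "identity", True),
]


def audit_rules(servergroup):
    """Render audit.rules lines for one servergroup using auditctl -w syntax."""
    rules = ["-D", "-b 8192"]  # flush existing rules, then set the backlog buffer
    for path, perms, key, _ in COMMON + POLICIES.get(servergroup, []):
        rules.append(f"-w {path} -p {perms} -k {key}")
    return rules


def escalation_keys(servergroup):
    """Rule keys whose events this servergroup's policy marks for escalation."""
    return {key for _, _, key, esc in COMMON + POLICIES.get(servergroup, []) if esc}


KEY_RE = re.compile(r'\bkey="([^"]+)"')


def classify(servergroup, audit_line):
    """Return the rule key if the audit record should be escalated, else None."""
    match = KEY_RE.search(audit_line)
    if not match:
        return None
    key = match.group(1)
    return key if key in escalation_keys(servergroup) else None


# Constructed SYSCALL record, as auditd would emit for a watched-file write.
SAMPLE_RECORD = ('type=SYSCALL msg=audit(1234567890.123:456): arch=c000003e syscall=2 '
                 'success=yes exit=3 auid=500 uid=0 gid=0 euid=0 comm="vim" '
                 'exe="/usr/bin/vim" key="sudoers"')
```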
