Re: [Bastille-linux-discuss] Providing tiger integrated with Bastille?
From: Javier Fernandez-S. P. <jfe...@ge...> - 2001-12-21 09:22:00
BUCK,KEITH (HP-FtCollins,ex1) wrote:
>Javi wrote:
>
>>IDS) since Tiger has proven to be quite portable (there are
>>SunOS, Irix, AIX, and NeXT versions) I'm thinking of the HP-UX port here....
>>
>
>Tiger also runs on HP-UX, but it is quite outdated for some of the
>things it tries to do (like check "up-to-date" checksums for system
>binaries when Tiger itself hasn't been updated in a decade or so).
>It still works for a lot of the functionality.
>

Well, the changes made to the Debian package for Debian GNU/Linux use the
local system database for checksums. Yes, this is worse than samhain,
integrit, aide or tripwire...

>
>As far as IDS goes, I would think that Bastille could recommend some good
>IDS tools out there and potentially configure them for use. I also think
>that the IDS tools we recommend should do it "all the way" like tripwire
>with md5sums stored on read-only media rather than Tiger's md5sums which
>are (1) static, (2) old, at least in the case of HP-UX, and (3) stored on
>the same filesystem as the files which they are intended to protect.
>

Checking MD5sums is only part of what I expect a host-IDS to do. Tiger's
checks, even if a bit out of date for some issues, are quite an interesting
framework IMHO. That's why I have added new checks specific to Linux; it
currently does:

- check for "known" intrusion signs
- check for invalid accounts
- check program paths
- check filesystem permissions
- check exported filesystems
- check cron entries
- check suid/setgid binaries
- check for Debian Security Advisories (see if the appropriate package
  versions are installed and out of date) [debian specific]
- check for open ports [linux specific]
- check for installed files not in a given package [debian specific]
- check file md5sums from package database [debian specific]

>
>Note that I liked Tiger when I tried it...it has fairly useful output
>and is very thorough. I think the best way to integrate it with Bastille
>is to run it on a fully Bastille'd system to see what Bastille missed
>and consider those things as good features to include in the next rev.
>If Tiger is GPL (I can't remember), then we should be able to use their
>code as a starting point for the test suite...porting from sh to Perl
>isn't too hard.
>

Yes, it's GPL.

>
>More than you wanted to know?
>

Enough, just wanted to throw out the question from the top of my head :)

>
> -Keith
>
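The thread above discusses two things a file-checksum check in a host IDS has to get right: comparing current md5sums against a recorded baseline (Tiger's "check file md5sums" item), and keeping that baseline somewhere the protected filesystem cannot rewrite it (Keith's point about read-only media). The following is an added example written for this archive, not Tiger's or Bastille's own code; it is in plain sh, Tiger's language, and assumes GNU coreutils `md5sum` output (`<32 hex>  <path>`) and file names without newlines. The `init`/`check` command names and the paths in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from Tiger or Bastille): a minimal checksum baseline
# check in the spirit of Tiger's "check file md5sums" item.
#
#   make_baseline DIR BASELINE    record the md5sum of every regular file under DIR
#   verify_baseline DIR BASELINE  print CHANGED / MISSING / NEW files, return 1 if any
#
# Assumptions: GNU md5sum ("<32 hex>  <path>" lines), no newlines in file names.
# The baseline is only as trustworthy as where it is kept: write it to
# read-only media (or at least a different filesystem), not next to the
# files it describes, otherwise whoever can alter the files can alter it too.

make_baseline() {
    dir=$1; baseline=$2
    # Sorted so two baselines of the same tree are directly diff-able.
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        md5sum "$f"
    done > "$baseline"
}

verify_baseline() {
    dir=$1; baseline=$2
    report=$(
        # 1. Every file the baseline knows about: recompute and compare.
        while read -r sum path; do
            if [ ! -f "$path" ]; then
                echo "MISSING $path"
            else
                now=$(md5sum "$path" | cut -d' ' -f1)
                [ "$now" = "$sum" ] || echo "CHANGED $path"
            fi
        done < "$baseline"
        # 2. Every file present now: flag it if the baseline never recorded it.
        #    Strip the hash column, then match the whole path exactly (-x -F).
        find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
            sed 's/^[0-9a-f]\{32\}  //' "$baseline" | grep -qxF "$f" \
                || echo "NEW $f"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (constructed paths):
#   ./checkfiles.sh init  /usr/bin /media/cdrom/usr-bin.md5
#   ./checkfiles.sh check /usr/bin /media/cdrom/usr-bin.md5
case "${1:-}" in
    init)  make_baseline "$2" "$3" ;;
    check) verify_baseline "$2" "$3" ;;
esac
```

`verify_baseline` deliberately reports three distinct conditions rather than one "mismatch" flag: a changed binary, a removed one and an unrecorded new one call for different follow-up, and a check that only compares recorded hashes would never notice the third case at all.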