HIDS advice?

[rgula at tenablesecurity.com (Ron Gula)]

Joe Magee wrote:
> We've certainly seen it. Can be a bit noisy in a production *nix environment. A lot of times we isolate this to say 
> "PCI" systems or other compliance targets... 
>
> With that said, it's also interesting seeing those backup jobs running as root, or better yet seeing the backup jobs 
> failing as root (ie not running.) Then running a report that shows that happening every night for the past month 
> (doh!)
>
> I miss Squire... :)
>
> - Joe
>
> P.S. Who's not a lurker!  (that'd be me..)

I've also heard folks say that this causes a performance hit. I think
the hit is really on your log server and disk drive.

I'm a fan of doing this sort of logging because after the fact, if
you really need to know what an admin or a hacker did, you have a lot
more to go on that just login/logout logs. I wish both Windows and
Unix platforms did more to log the arguments of the commands run.

Having said that, our approach with our Log Correlation Engine product
is to:

- summarize all unique commands and user accounts run on a daily basis
  which makes for a nice quick report.
- alert the first time when a new command is run during a given hour
  of the day.
- have all of the process/program accounting logs available with other
  logs in case you need to look that close at what happened.

A lot of folks tend to do this sort of auditing on their databases,
but I'd like to see more folks run this on their web app servers. It
won't help for someone who can steal/ex-filtrate data, but it can help
if someone is invoking a command through a web app flaw.

-- 
Ron Gula, CEO
Tenable Network Security