PaulDotCom mailing list archives

HIDS advice?

From: dale at puredistortion.com (Dale Stirling)
Date: Fri, 21 Aug 2009 13:38:17 +1000

This is exactly what I am looking for.

I am able to at this time identify which script or process is using my
resources on my web hosting servers using GNU accounting and sa, but to be
able to see which user has educated what would be a huge help.

Could anyone point me to docs on how to do process logging via one of the
HIDS applications.

Dale.

On Thu, Aug 20, 2009 at 11:09 PM, Ron Gula <rgula at tenablesecurity.com>wrote:

Joe Magee wrote:

We've certainly seen it. Can be a bit noisy in a production *nix

environment. A lot of times we isolate this to say "PCI" systems or other
compliance targets...


With that said, it's also interesting seeing those backup jobs running as

root, or better yet seeing the backup jobs failing as root (ie not running.)
Then running a report that shows that happening every night for the past
month (doh!)


I miss Squire... :)

- Joe

P.S. Who's not a lurker!  (that'd be me..)


I've also heard folks say that this causes a performance hit. I think
the hit is really on your log server and disk drive.

I'm a fan of doing this sort of logging because after the fact, if
you really need to know what an admin or a hacker did, you have a lot
more to go on that just login/logout logs. I wish both Windows and
Unix platforms did more to log the arguments of the commands run.

Having said that, our approach with our Log Correlation Engine product
is to:

- summarize all unique commands and user accounts run on a daily basis
 which makes for a nice quick report.
- alert the first time when a new command is run during a given hour
 of the day.
- have all of the process/program accounting logs available with other
 logs in case you need to look that close at what happened.

A lot of folks tend to do this sort of auditing on their databases,
but I'd like to see more folks run this on their web app servers. It
won't help for someone who can steal/ex-filtrate data, but it can help
if someone is invoking a command through a web app flaw.

--
Ron Gula, CEO
Tenable Network Security


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090821/f918c5b0/attachment.htm

Current thread:

HIDS advice? lists at truthisfreedom.org.uk (Aug 17)
- HIDS advice? Erik Harrison (Aug 17)
- HIDS advice? Jason Wood (Aug 17)
- <Possible follow-ups>
- HIDS advice? Christopher Rimondi (Aug 18)
  - HIDS advice? Ron Gula (Aug 18)
    - HIDS advice? Joe Magee (Aug 19)
    - HIDS advice? Ron Gula (Aug 20)
    - HIDS advice? Dale Stirling (Aug 20)
    - HIDS advice? Mike Patterson (Aug 19)