PaulDotCom mailing list archives
HIDS advice?
From: dale at puredistortion.com (Dale Stirling)
Date: Fri, 21 Aug 2009 13:38:17 +1000
This is exactly what I am looking for. I am able at this time to identify which script or process is using my resources on my web hosting servers using GNU accounting and sa, but to be able to see which user has executed what would be a huge help. Could anyone point me to docs on how to do process logging via one of the HIDS applications?

Dale.

On Thu, Aug 20, 2009 at 11:09 PM, Ron Gula <rgula at tenablesecurity.com> wrote:
> Joe Magee wrote:
>> We've certainly seen it. Can be a bit noisy in a production *nix environment. A lot of times we isolate this to say "PCI" systems or other compliance targets...
>>
>> With that said, it's also interesting seeing those backup jobs running as root, or better yet seeing the backup jobs failing as root (ie not running.) Then running a report that shows that happening every night for the past month (doh!)
>>
>> I miss Squire... :)
>>
>> - Joe
>>
>> P.S. Who's not a lurker! (that'd be me..)
>
> I've also heard folks say that this causes a performance hit. I think the hit is really on your log server and disk drive. I'm a fan of doing this sort of logging because after the fact, if you really need to know what an admin or a hacker did, you have a lot more to go on than just login/logout logs. I wish both Windows and Unix platforms did more to log the arguments of the commands run.
>
> Having said that, our approach with our Log Correlation Engine product is to:
>
> - summarize all unique commands and user accounts run on a daily basis, which makes for a nice quick report.
> - alert the first time when a new command is run during a given hour of the day.
> - have all of the process/program accounting logs available with other logs in case you need to look that close at what happened.
>
> A lot of folks tend to do this sort of auditing on their databases, but I'd like to see more folks run this on their web app servers. It won't help for someone who can steal/exfiltrate data, but it can help if someone is invoking a command through a web app flaw.
>
> -- Ron Gula, CEO Tenable Network Security
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
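As an added example that is not code from the thread or from Tenable's product, this Python script applies the two reports Ron lists to constructed lastcomm-style process-accounting lines (the sample records, the regex and the function names are my own assumptions): the daily unique user/command summary Dale asked for, and a first-seen alert for a command appearing in an hour of day that was not in the previous day's baseline. The constructed sample also shows the web-app case Ron mentions: the apache account running sh and id shows up in the daily report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on `lastcomm` output (command, optional flags,
# user, tty, CPU time, timestamp). Not real accounting data.
SAMPLE_LOG = """\
httpd            S     apache   __         0.02 secs Thu Aug 20 14:02
sh               F     apache   __         0.00 secs Thu Aug 20 14:02
id                     apache   __         0.00 secs Thu Aug 20 14:02
rsync            S     root     __         3.10 secs Thu Aug 20 23:00
httpd            S     apache   __         0.01 secs Fri Aug 21 14:05
rsync            S     root     __         2.90 secs Fri Aug 21 23:00
wget                   apache   __         0.12 secs Fri Aug 21 14:06
"""

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:(?P<flags>[SFDX]+)\s+)?(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>[\d.]+) secs\s+\w{3} (?P<when>\w{3} \d{1,2} \d{2}:\d{2})\s*$")

def parse(log):
    """Accounting lines -> dicts with cmd, user, day, hour; unparsable lines are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(m["when"], "%b %d %H:%M")  # year is irrelevant here
            records.append({"cmd": m["cmd"], "user": m["user"],
                            "day": when.strftime("%b %d"), "hour": when.hour})
    return records

def daily_summary(records):
    """Ron's quick report: per day, each unique (user, command) pair and its count."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        summary[r["day"]][(r["user"], r["cmd"])] += 1
    return {day: dict(pairs) for day, pairs in summary.items()}

def known_hours(records):
    # Baseline of (command, hour-of-day) pairs already seen in earlier logs.
    return {(r["cmd"], r["hour"]) for r in records}

def first_seen_alerts(records, baseline):
    """Alert the first time a command runs in an hour of day not in the baseline."""
    seen, alerts = set(baseline), []
    for r in records:  # accounting logs come in chronological order
        key = (r["cmd"], r["hour"])
        if key not in seen:
            seen.add(key)
            alerts.append((r["day"], r["hour"], r["user"], r["cmd"]))
    return alerts
```

Building the baseline from the Aug 20 records and running first_seen_alerts over the Aug 21 records flags only wget run by apache at 14:00; httpd and rsync at their usual hours stay quiet.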