A program for monitoring the system changes.

Support for security such as Firewalls and securing linux
MartinR
Posts: 596
Joined: 2015/05/11 07:53:27
Location: UK

Re: A program for monitoring the system changes.

Post by MartinR » 2020/08/23 11:36:49

I wouldn't know, I've not run AIDE. Looking at the Wikipedia entry (https://en.wikipedia.org/wiki/Advanced_ ... nvironment) I wouldn't think so; AIDE runs as a privileged process whilst auditd is driven by part of the kernel. You would get log files reported as changed, but then you'd expect that. There might also be an issue since AIDE must scan all files and that could generate a lot of audit entries if filesystem auditing is enabled.

You must be selective with audit's configuration, otherwise you will need dedicated disks and tapes just to hold the audit trail.

hack3rcon
Posts: 652
Joined: 2014/11/24 11:04:37

Re: A program for monitoring the system changes.

Post by hack3rcon » 2020/08/23 16:22:33

MartinR wrote:
2020/08/23 11:36:49
I wouldn't know, I've not run AIDE. Looking at the Wikipedia entry (https://en.wikipedia.org/wiki/Advanced_ ... nvironment) I wouldn't think so; AIDE runs as a privileged process whilst auditd is driven by part of the kernel. You would get log files reported as changed, but then you'd expect that. There might also be an issue since AIDE must scan all files and that could generate a lot of audit entries if filesystem auditing is enabled.

You must be selective with audit's configuration, otherwise you will need dedicated disks and tapes just to hold the audit trail.
I asked it because I don't like to lost the performance.
What is your opinion? Disable Auditd and install AIDE?

MartinR
Posts: 596
Joined: 2015/05/11 07:53:27
Location: UK

Re: A program for monitoring the system changes.

Post by MartinR » 2020/08/23 21:56:17

To reiterate, I've not run AIDE, therefore I'm unlikely to recommend as you suggest. If you want to investigate auditd, start by reading https://access.redhat.com/documentation ... -hardening, you'll note that a number of models are mentioned. When I ran a medium sized cluster I used the CAPP model, but it doesn't seem to be supported by recent CentOSs. I use NISPOM at home, simply because I'm used to it.
  • Controlled Access Protection Profile (CAPP). This is the basic US level of security, equivalent to the old C2 "Orange Book" standard. It is appropriate with Discretionary Access Controls (DAC).
  • Labelled Security Protection Profile (LSPP). This is the enhanced US level of security, equivalent to the old B1 "Orange Book" standard. It is appropriate with Mandatory Access Controls (MAC).
  • Rule Set Base Access Control (RSBAC). This is an alternatice system to SELinux.
  • National Industrial Security Program Operating Manual (NISPOM). A US standard for companies working in the defence field.
  • Federal Information Security Management Act (FISMA). US government.
  • Payment Card Industry - Data Security Standard (PCI-DSS).
  • Security Technical Implementation Guides (STIG). A public methodology sponsored by the US government.
For my small home network I let daemon just write to /var/log/audit/audit.log and manage it through logrotate(8). With the cluster I had all the nodes sending the audit trail back to a couple of servers which stored it on a dedicated disk, which was then subsequently archived. It kept the security people off my back! A cron job generated a daily report which I read as part of my morning routine.

Frankly it all depends upon your needs. If you have a security department that need an audit trail then auditd makes sence. It was evaluated to EAL 4 for C5 and C6, I would hope it is as secure at C7 and C8. If all you have is a couple of machines that are no target for serious bad guys, go for something simpler.

Post Reply

Return to “CentOS 8 - Security Support”