Archive: April 2002 ml@sikurezza.org
Subject: Re: HIDS and file integrity for Windows
From: Fabio Pietrosanti (naif)
Date: 22 Apr 2002 11:35:25 -0000

On Fri, Apr 19, 2002 at 10:14:30AM +0200, Federico Lombardo wrote:
> Hi guys, I'd like to know who would be kind enough to recommend a Host
> Intrusion Detection System for Windows. Naturally the option I am most
> interested in is file integrity, but above all the monitoring of
> accesses to files.

I think the "definitive" solution for this kind of problem is "samhain".

http://la-samhna.de/samhain/

samhain is an open source file integrity and host-based intrusion detection
system for Linux and Unix. It can run as a daemon process, and thus can remember
file changes - contrary to a tool that runs from cron, if a file is modified you
will get only one report, while subsequent checks of that file will ignore the
modification as it is already reported (unless the file is modified again).

samhain can optionally be used as client/server system to provide centralized
monitoring for multiple hosts. Logging to a (MySQL or PostgreSQL) database is supported.


Features

     * Complete integrity check
          + uses cryptographic checksums of files to detect modifications,
          + can find rogue SUID executables anywhere on disk, and
          + can detect loadable kernel module rootkits (Linux only).
     * Tamper resistance
          + database and configuration files can be signed
          + logfile entries and e-mail reports are signed
          + support for stealth operation
     * Centralized monitoring
          + encrypted and authenticated client/server connections
          + checksum database(s) and client configuration stored on server
          + HTML status page for clients
          + unlimited number of clients
     * Nice to have
          + optional monitoring of login/logout events
          + shell-style wildcards for file names in configuration file
          + multiple logging facilities
          + full documentation


Although, as it says, it may have some security problem under Windows 2000
(a minimal one, in my opinion), even though I have never had the chance to
try it under w2k.

samhain is reported to build and run on Windows 2000 in the Cygwin environment
(Cygwin is a free POSIX emulation for Windows). However, please note
that Cygwin "uses shared memory areas to store information on Cygwin processes.
Because these areas are not protected in any way, in principle a malicious user
could modify them to cause unexpected behaviour in Cygwin processes" (from the Cygwin User Guide).


Let us know how you solved it in the end :)

Bye

-- 

Fabio Pietrosanti ( naif )
E-mail: naif@sikurezza.org - naif@blackhats.it
PGP Key (DSS) http://naif.itapac.net/naif.asc
--
 "Hacking is the future of security research" R.Power, CSI 
Free advertising: www.openbsd.org Multiplatform Ultra-secure OS

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
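
The report-once behaviour in the samhain description quoted above (a daemon remembers a change it has already reported, unlike a checker run from cron), as an added example that is not part of the original post and is not samhain's code. The `IntegrityMonitor` class, the in-memory baseline and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def digest(path):
    """SHA-256 of a file, or None if it is missing (hash choice is an assumption)."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None

class IntegrityMonitor:
    """Hypothetical long-running checker that keeps state between checks."""
    def __init__(self, paths):
        self.baseline = {p: digest(p) for p in paths}  # trusted state
        self.reported = {}  # path -> digest that was already reported

    def check(self):
        """Return (path, kind) alerts only for changes not reported yet."""
        alerts = []
        for path, good in self.baseline.items():
            now = digest(path)
            if now == good:
                self.reported.pop(path, None)  # restored: forget old report
                continue
            if path in self.reported and self.reported[path] == now:
                continue  # same modification as last check: stay silent
            self.reported[path] = now
            alerts.append((path, "missing" if now is None else "modified"))
        return alerts

def demo():
    """Constructed scenario: one watched file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "watched.conf")
        def write(data):
            with open(path, "w") as fh:
                fh.write(data)
        write("original\n")
        mon = IntegrityMonitor([path])
        runs = []
        write("tampered\n"); runs.append(mon.check())        # first report
        runs.append(mon.check())                             # already reported
        write("tampered again\n"); runs.append(mon.check())  # modified again
        os.remove(path); runs.append(mon.check())            # file deleted
        return [[kind for _, kind in r] for r in runs]

if __name__ == "__main__":
    print(demo())
```

A stateless checker run from cron against the same baseline would raise an alert on every one of these four runs; the remembered `reported` digest is what suppresses the second.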