
Archive: April 2002 ml@sikurezza.org
Subject: Re: HIDS and file integrity for Windows
From: Federico Lombardo
Date: 22 Apr 2002 17:28:40 -0000

Honestly, Samhain seems to me the best solution, for three main reasons:

+ modularity of the configurations
+ logging to the database
+ multi-platform, multi-OS

In fact, since I have both *nix and Windows, it makes sense for me to use it; the truth is that I don't trust the Cygwin emulation all that much, specifically in terms of stability. Under *nix there is daemontools... under Windows?

----- Original Message -----
From: "Fabio Pietrosanti (naif)" <naif@sikurezza.org>
To: <ml@sikurezza.org>
Sent: Monday, April 22, 2002 12:04 PM
Subject: Re: HIDS and file integrity for Windows

> On Fri, Apr 19, 2002 at 10:14:30AM +0200, Federico Lombardo wrote:
> > Hi guys, I wanted to know who would be so kind as to recommend a Host
> > Intrusion Detection System for Windows; naturally the option that
> > interests me most is file integrity, but above all control over
> > access to files.
>
> I think the "definitive" solution for this kind of problem is "samhain".
>
> http://la-samhna.de/samhain/
>
> samhain is an open source file integrity and host-based intrusion detection
> system for Linux and Unix. It can run as a daemon process, and thus can remember
> file changes - contrary to a tool that runs from cron, if a file is modified you
> will get only one report, while subsequent checks of that file will ignore the
> modification as it is already reported (unless the file is modified again).
>
> samhain can optionally be used as client/server system to provide centralized
> monitoring for multiple hosts. Logging to a (MySQL or PostgreSQL) database is supported.
>
>
> Features
>
> * Complete integrity check
>   + uses cryptographic checksums of files to detect modifications,
>   + can find rogue SUID executables anywhere on disk, and
>   + can detect loadable kernel module rootkits (Linux only).
> * Tamper resistance
>   + database and configuration files can be signed
>   + logfile entries and e-mail reports are signed
>   + support for stealth operation
> * Centralized monitoring
>   + encrypted and authenticated client/server connections
>   + checksum database(s) and client configuration stored on server
>   + HTML status page for clients
>   + unlimited number of clients
> * Nice to have
>   + optional monitoring of login/logout events
>   + shell-style wildcards for file names in configuration file
>   + multiple logging facilities
>   + full documentation
>
>
> Although, as it says, it may have some security problem, minimal in my
> opinion, under Windows 2000, although I have never had the chance to try it
> under w2k.
>
> samhain is reported to build and run on Windows 2000 in the Cygwin environment
> (Cygwin is a free POSIX emulation for Windows). However, please note
> that Cygwin "uses shared memory areas to store information on Cygwin processes.
> Because these areas are not protected in any way, in principle a malicious user
> could modify them to cause unexpected behaviour in Cygwin processes" (from the Cygwin User Guide).
>
>
> Let us know in the end how you solved it :)
>
> Cheers
>
> --
>
> Fabio Pietrosanti ( naif )
> E-mail: naif@sikurezza.org - naif@blackhats.it
> PGP Key (DSS) http://naif.itapac.net/naif.asc
> --
> "Hacking is the future of security research" R.Power, CSI
> Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
>
> ________________________________________________________
> http://www.sikurezza.org - Italian Security Mailing List
>
>

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List

www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005