intrusion detection on the zLinux Platform
Is there a host based intrusion detection agent like Symantec's CSP for the s390x platform? We have hit a road block in that Symantec does not support the mainframe Linux. Right now they want us to route our syslogs to a windows box or Blade server ($$$) to capture any data, and we do not like it.

James Chaplin
Systems Programmer, MVS, zVM zLinux
Base Technologies, Inc
Supporting the zSeries Platform Team

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
Re: intrusion detection on the zLinux Platform
On Thursday 17 September 2009 12:33, CHAPLIN, JAMES (CTR) wrote:
> Is there a host based intrusion detection agent like Symantec's CSP for the s390x platform? We have hit a road block in that Symantec does not support the mainframe Linux. Right now they want us to route our syslogs to a windows box or Blade server ($$$) to capture any data, and we do not like it.

I haven't tried this on zLinux because all our mainframes are far from the public, but I use DenyHosts on all my Linux boxes with an external IP address:

    http://sourceforge.net/projects/denyhosts/

It's in Python, so it will run on s390x. It's pretty simple-minded: just blocks hosts with too many SSH login failures. I don't know if it covers other sorts of intrusion attempts or not.

What sort of intrusions are you trying to prevent? SSH? IMAP? Port scans? Everything?

I haven't tried any of the following, but these packages might help:

    PortSentry: http://www.psionic.com/abacus/portsentry/
    LogCheck:   http://www.psionic.com/abacus/logcheck/

There's also LIDS (http://www.lids.org/), but that's a kernel modification and probably overkill.

And if you want to find out what happened after you've been compromised, there's the venerable TripWire (http://www.tripwire.org/).

- MacK.
-
Edmund R. MacKenty
Software Architect
Rocket Software
275 Grove Street · Newton, MA 02466-2272 · USA
Tel: +1.617.614.4321
Email: m...@rs.com
Web: www.rocketsoftware.com
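As an added illustration of what DenyHosts-style detection amounts to (example code written for this thread, not DenyHosts' own source), the script below scans sshd syslog lines, counts authentication failures per source address, and previews the tcp_wrappers hosts.deny entries a tool of that kind would add once a source crosses a threshold. The log lines are constructed, and the "Failed password ... from ... port" message layout is assumed from typical OpenSSH syslog output.

```python
"""Count SSH authentication failures per source host from sshd syslog lines
and flag sources that reach a threshold, in the spirit of DenyHosts.
Added example for this thread; not DenyHosts code.  Log lines are constructed."""
import re
from collections import Counter

# Classic OpenSSH "Failed password/publickey for [invalid user] NAME from HOST port N"
# line.  The exact wording is assumed from typical sshd output.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port \d+"
)

# Constructed sample log (not real data): one noisy source, one single
# failure, and one successful key login that must not be counted.
SAMPLE_LOG = """\
Sep 17 12:01:02 zlnx01 sshd[4711]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Sep 17 12:01:05 zlnx01 sshd[4712]: Failed password for root from 192.0.2.10 port 51001 ssh2
Sep 17 12:01:09 zlnx01 sshd[4713]: Accepted publickey for jchaplin from 198.51.100.7 port 40022 ssh2
Sep 17 12:01:11 zlnx01 sshd[4714]: Failed password for invalid user test from 192.0.2.10 port 51002 ssh2
Sep 17 12:01:30 zlnx01 sshd[4715]: Failed password for oracle from 203.0.113.5 port 33000 ssh2
Sep 17 12:02:00 zlnx01 sshd[4716]: Failed password for invalid user guest from 192.0.2.10 port 51003 ssh2
"""


def count_failures(lines):
    """Return a Counter of failed-login attempts keyed by source host."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def offenders(counts, threshold):
    """Sorted list of hosts whose failure count reached the threshold."""
    return sorted(host for host, n in counts.items() if n >= threshold)


def hosts_deny_lines(hosts):
    """tcp_wrappers /etc/hosts.deny entries for sshd (preview only; nothing is written)."""
    return [f"sshd: {host}" for host in hosts]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG.splitlines())
    for host, n in sorted(counts.items()):
        print(f"{host:16} {n} failure(s)")
    for entry in hosts_deny_lines(offenders(counts, threshold=3)):
        print("would add to hosts.deny:", entry)
```

The counter here has no time window and no memory between runs; a version run from cron needs a state file recording how far into the log it has read, and a whitelist for the management network, so that an administrator's own mistyped password cannot lock out the addresses you administer from. Failures against unknown accounts ("invalid user") are worth reporting separately, since they are almost never legitimate users.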
Re: intrusion detection on the zLinux Platform
CHAPLIN, JAMES (CTR) wrote:
> Is there a host based intrusion detection agent like Symantec's CSP for the s390x platform? We have hit a road block in that Symantec does not support the mainframe Linux. Right now they want us to route our syslogs to a windows box or Blade server ($$$) to capture any data, and we do not like it.

There is a world of open source security tools out there. Look at Snort.

http://www.snort.org/

--
Jack J. Woehr            # «'I know what it means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_
Re: intrusion detection on the zLinux Platform
There are several options. Drop me a note off list.

> Is there a host based intrusion detection agent like Symantec's CSP for the s390x platform? We have hit a road block in that Symantec does not support the mainframe Linux. Right now they want us to route our syslogs to a windows box or Blade server ($$$) to capture any data, and we do not like it.
>
> James Chaplin
> Systems Programmer, MVS, zVM zLinux
> Base Technologies, Inc
> Supporting the zSeries Platform Team
Re: intrusion detection on the zLinux Platform
Can I work on question 3 now? 8-)

I've reworded my question and have reposted it to the listserve group. I'm even more curious now as to why it was added as an option (CLEAR_TDisk) to VM. No reply necessary, just sharing.

Steve

-----Original Message-----
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of David Boyes
Sent: Thursday, September 17, 2009 1:30 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: intrusion detection on the zLinux Platform

There are several options. Drop me a note off list.

> Is there a host based intrusion detection agent like Symantec's CSP for the s390x platform? We have hit a road block in that Symantec does not support the mainframe Linux. Right now they want us to route our syslogs to a windows box or Blade server ($$$) to capture any data, and we do not like it.
>
> James Chaplin
> Systems Programmer, MVS, zVM zLinux
> Base Technologies, Inc
> Supporting the zSeries Platform Team
Re: intrusion detection on the zLinux Platform
On 9/17/2009 at 12:33 PM, CHAPLIN, JAMES (CTR) james.chap...@associates.dhs.gov wrote:
> Is there a host based intrusion detection agent like Symantec's CSP for the s390x platform?

If you're running SLES, aide comes with the distribution. It's a Tripwire-like tool that will track modifications of files, etc.

Mark Post
Re: intrusion detection on the zLinux Platform
Not sure if this is what you're looking for but try http://www.intellinx-sw.com/

On 9/17/2009 at 12:33 PM, CHAPLIN, JAMES (CTR) james.chap...@associates.dhs.gov wrote:
> Is there a host based intrusion detection agent like Symantec's CSP for the s390x platform?
Re: intrusion detection on the zLinux Platform
There are some big differences. Centralized collection and administration. Separation of duties. Single product for the whole org. I emailed James offlist since we are pursuing the same product.

But if you don't have those compliance requirements, then aide could work for you (although I spent a little time with it and couldn't get it to notice my changes - but that could have just been me :)

Marcy

-----Original Message-----
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Mark Post
Sent: Thursday, September 17, 2009 1:45 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] intrusion detection on the zLinux Platform

On 9/17/2009 at 12:33 PM, CHAPLIN, JAMES (CTR) james.chap...@associates.dhs.gov wrote:
> Is there a host based intrusion detection agent like Symantec's CSP for the s390x platform?

If you're running SLES, aide comes with the distribution. It's a Tripwire-like tool that will track modifications of files, etc.

Mark Post
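To make concrete what an AIDE- or Tripwire-style check actually does (Mark Post's aide suggestion, and the "couldn't get it to notice my changes" experience Marcy describes), here is an added example written for this thread, not AIDE's or Tripwire's code. It records a SHA-256 digest, size and permission bits for every regular file under a root, saves that as a baseline, and on a later pass reports files that were added, removed or changed. The directory contents and the subsequent changes are constructed inside a temporary directory so the whole thing runs offline.

```python
"""Minimal file-integrity baseline and comparison, in the style of AIDE or
Tripwire.  Added example for this thread; not AIDE's own code.  Records a
SHA-256 digest, size and mode per regular file, then reports added, removed
and changed paths against a saved baseline."""
import hashlib
import json
import os
import stat
import tempfile


def _digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to its integrity record."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are not hashed here
            records[os.path.relpath(full, root)] = {
                "sha256": _digest(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return records


def compare(baseline, current):
    """Added, removed and changed paths between two baselines (sorted lists)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(records, path):
    with open(path, "w") as f:
        json.dump(records, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: take a baseline, change things, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        for name, body in (("passwd", b"root:x:0:0::/root:/bin/bash\n"),
                           ("hosts", b"127.0.0.1 localhost\n"),
                           ("motd", b"welcome\n")):
            with open(os.path.join(etc, name), "wb") as f:
                f.write(body)
            os.chmod(os.path.join(etc, name), 0o644)  # fixed mode, independent of umask
        db = os.path.join(root, "baseline.json")      # would live off-host in practice
        save_baseline(build_baseline(etc), db)

        # Changes made after the baseline was taken (constructed, not real).
        with open(os.path.join(etc, "passwd"), "ab") as f:
            f.write(b"newuser:x:1001:1001::/home/newuser:/bin/sh\n")  # content change
        os.chmod(os.path.join(etc, "hosts"), 0o666)                 # mode-only change
        os.remove(os.path.join(etc, "motd"))                        # removed file
        with open(os.path.join(etc, "unexpected.conf"), "wb") as f:
            f.write(b"x=1\n")                                       # new file

        return compare(load_baseline(db), build_baseline(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two things routinely make a check like this report nothing: the comparison is run against a baseline taken after the change, or the freshly built database was never installed as the reference copy (with aide, `aide --init` writes a new database that has to be moved into place before `aide --check` compares against it). Keep the baseline on read-only or off-host storage; whoever can alter the monitored files can otherwise refresh the database as well, which is also why the centralized collection Marcy mentions matters for this class of tool.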