I apologize in advance if this is a little off thread, but it does pertain to Tivoli and Server Sensor...
One of the products we use for HIDS is Server Sensor. Recently, IBM has come in and told some people higher up the chain that the Tivoli product is an effective host-based IDS. I have not heard of this, and what I have researched so far does not give me "high confidence." But, because of who IBM has said this to, we have to evaluate whether it is true. I thought Tivoli was more of a risk management tool (log consolidation, system health and monitoring, etc.)? I can tell that it can monitor various different sources with the use of adapters, but I have found not much on Tivoli itself being a HIDS.
My question is, this thread makes mention of both Tivoli and Server Sensor running on the same system, which would seem redundant if both are capable of HIDS. I personally would like to see us stay with Server Sensor in our environment... can anyone enlighten me on Tivoli used in the same capacity as Server Sensor? As far as I can tell, I would not recommend using Tivoli alone as an effective HIDS strategy.
Any thoughts/input is appreciated. Thanks all.
From: John Mullins [mailto:reiver2002@xxxxxxxxxxx]
Sent: Wednesday, January 28, 2004 11:50 PM
Subject: RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
>From: "Apers, Kim (ISS Brussels)" <KApers@xxxxxxx>
>You can also call Tivoli to fine-tune to reduce the number of logins.
>Yes, we can tune the signature with Fusion scripts to exclude the Tivoli
>account, but what if someone then uses that Tivoli account to log in?
>Where is the due diligence (no audit trail)?
>Why not ask if the agent can use a normal account?
The control of Tivoli is not in my hands. The "policy" for the login account used is global, meaning if they changed it just for me, it would affect 5000 servers that belong to someone else. Tivoli doesn't actually log in with a password; it just masquerades as the admin account when it kicks off some processes. One half of it does not require an admin account. However, if we change the account, then it affects all other servers as stated above. The other half of the process the agent uses does require use of an admin account, so it wouldn't help much to only change that. We'd still be flooded. I'm working on a workaround at the moment.

The due diligence requirement is the problem with filtering that login entirely. I have to have an audit trail. Considering that most of the logins are on localhost, that is also a problem. If a user logs in with remote desktop software, it appears as a localhost login as well. Tivoli came down as a mandate. I don't have a choice, and it is a "standard" and requires the "standard install and configuration". I do not see how these two widely used programs can be used together (with full auditing) in a large environment.

I think the multiple logins to kick off processes are pretty lame on IBM's part; however, I've always thought that the non-existence of good event filters in the policy of the Server/OS Sensor is just as lame. I do not understand why ISS has not recognized this need by now, considering everyone I discuss this with (as a possible product to use for IDS) also mentions the neglect of Server Sensor policy filtering.
ISSForum mailing list
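The problem described in the thread (a management agent's service-account logins flooding the sensor console, while the site still needs an audit trail and still needs to see the account being misused) can be handled by a filter that suppresses only the logins that match the agent's expected profile, writes every event to an audit record, and alerts on anything else done with that account. The example below is added here as an illustration and is not code from the thread, from ISS Server Sensor, from Fusion scripts or from IBM Tivoli. The account name `tivoli_svc`, the parent-process name `tivoli_agent`, the event field names and the sample events are all constructed assumptions; a real deployment would take the profile from its own agent configuration.

```python
"""
Added example: suppress expected service-account logins from the console,
keep every event in an audit trail, and still alert when the same account
is used in a way the agent would not (interactive session, odd parent).
Not code from the thread or from any ISS/IBM product; all names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical profile of what the management agent is expected to do with
# its account. The real account name, session types and parent-process
# names would come from the site's own agent deployment.
EXPECTED = {
    "account": "tivoli_svc",
    "logon_types": {"service", "batch"},
    "sources": {"localhost"},
    "parents": {"tivoli_agent"},
}

# Constructed sample login events (not real sensor output).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2004-01-28T23:40:01", "host": "srv01", "user": "tivoli_svc",
     "logon_type": "service", "source": "localhost", "parent": "tivoli_agent"},
    {"ts": "2004-01-28T23:40:02", "host": "srv01", "user": "tivoli_svc",
     "logon_type": "batch", "source": "localhost", "parent": "tivoli_agent"},
    # A remote-desktop session that the host reports as a localhost login:
    # the source field alone cannot distinguish it from agent activity.
    {"ts": "2004-01-28T23:41:10", "host": "srv01", "user": "tivoli_svc",
     "logon_type": "interactive", "source": "localhost", "parent": "winlogon"},
    # Agent account used from a shell rather than the agent process.
    {"ts": "2004-01-28T23:42:00", "host": "srv02", "user": "tivoli_svc",
     "logon_type": "service", "source": "localhost", "parent": "cmd"},
    {"ts": "2004-01-28T23:43:00", "host": "srv02", "user": "jsmith",
     "logon_type": "interactive", "source": "10.0.0.5", "parent": "winlogon"},
]


def classify(ev: Dict[str, str]) -> str:
    """Return 'suppress', 'alert' or 'pass' for one login event."""
    if ev["user"] != EXPECTED["account"]:
        return "pass"  # not the agent account: normal policy applies
    expected = (
        ev["logon_type"] in EXPECTED["logon_types"]
        and ev["source"] in EXPECTED["sources"]
        and ev["parent"] in EXPECTED["parents"]
    )
    # Anything the agent would not do with its own account goes to the
    # console, even when the host reports the source as localhost.
    return "suppress" if expected else "alert"


@dataclass
class Result:
    audit: List[Dict[str, str]] = field(default_factory=list)    # every event
    console: List[Dict[str, str]] = field(default_factory=list)  # what the console still sees
    suppressed_per_host: Dict[str, int] = field(default_factory=dict)


def process(events: List[Dict[str, str]]) -> Result:
    """Route events: all to audit, non-suppressed to console, count suppressed."""
    res = Result()
    for ev in events:
        verdict = classify(ev)
        res.audit.append({**ev, "verdict": verdict})
        if verdict == "suppress":
            host = ev["host"]
            res.suppressed_per_host[host] = res.suppressed_per_host.get(host, 0) + 1
        else:
            res.console.append({**ev, "verdict": verdict})
    return res


def console_lines(res: Result) -> List[str]:
    """Render the console view as one line per non-suppressed event."""
    return [
        f"{e['ts']} {e['host']} {e['verdict'].upper()} user={e['user']} "
        f"type={e['logon_type']} src={e['source']} parent={e['parent']}"
        for e in res.console
    ]


if __name__ == "__main__":
    result = process(SAMPLE_EVENTS)
    for line in console_lines(result):
        print(line)
    print("suppressed (audit only):", result.suppressed_per_host)
```

The suppressed count per host is kept so that the volume of agent activity is still visible in summary form, and the audit list retains the suppressed events verbatim, which is the audit trail the thread says a plain exclusion filter would lose. The interactive localhost event is the case the poster raises about remote desktop sessions: matching on logon type and parent process rather than source address is what lets it surface as an alert.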