[09:35] <LarsErikP> coreycb: ref https://bugs.launchpad.net/cloud-archive/+bug/1866361 am I doing something wrong? I fail to find 0.27.0 in stein-proposed..
[11:59] <coreycb> LarsErikP: thanks for letting me know. there was a build issue. I'm retrying now.
[12:00] <LarsErikP> coreycb: \o/
[14:13] <LarsErikP> coreycb: tested now. it works :)
[14:14] <coreycb> LarsErikP: great, thanks. we'll get regression testing done soon on our end. can you update the bug to mention it's fixed for you? fyi it needs to remain there for min 7 days before promotion
[14:15] <LarsErikP> coreycb: already done :)
[14:15] <coreycb> LarsErikP: thanks :)
[14:16] <LarsErikP> thanks for handling this so quickly, and being so helpful :) I really appreciate it!
[14:26] <halvors> I need a hids for my ubuntu servers, seems aide is pretty minimalistic as a hids, but maybe in combination with chkrootkit and another utility that looks at logs?
[14:26] <halvors> Any ideas on a utility for that?
[14:28] <sdeziel> halvors: there is auditd that you might want to look into
[14:28] <sdeziel> for log monitoring I use logcheck but be ready to write a lot of regexes to silence all the unimportant noise you'll get
[14:45] <halvors> sdeziel: thanks
[15:03] <halvors> auditd vs logcheck what is the difference between them?
[15:04] <sdeziel> they are very different, logcheck is going over your logs and removing the noise (what matches regexes of unimportant log entries)
[15:04] <sdeziel> logcheck then extracts the "signal" which is everything that was not silenced by the regexes of unimportant stuff
[15:05] <sdeziel> that signal can be noisy because the base ruleset shipped by logcheck is not very up to date which is why you will need to write a lot of regexes to build a ruleset that matches your environment
[15:06] <sdeziel> once done, you'll get a good signal from logcheck
[15:06] <halvors> what does auditd do compared to logcheck then? is it not the same?
[15:07] <sdeziel> logcheck runs on reboots and every hour and sends you an email with the important logs that happened since the last notification
[15:07] <sdeziel> auditd is like a blackbox recorder of a plane
[15:08] <sdeziel> it can be configured to record/log every syscall run, their args, who ran them, etc
[15:08] <sdeziel> this allows you to track most actions taking place on your machine
[15:08] <halvors> i see, so auditd is more to investigate a breach?
[15:09] <sdeziel> you could use it for that or also to catch anomalies
[15:09] <sdeziel> (logcheck is also good to catch anomalies but only when they show up in logs it checks..)
[15:12] <halvors> sdeziel: thanks, i have another question as well, is there a good solution for active response rules, or is this a job for fail2ban?
[15:12] <halvors> Are there other solutions like fail2ban that are better?
[15:13] <sdeziel> halvors: suricata and snort can run in IPS mode where they typically inject firewall rules whenever a condition matches
[15:14] <halvors> sdeziel: On the host itself not the firewall?
[15:14] <sdeziel> halvors: the host itself has firewalling capabilities
[15:14] <halvors> yes
[15:15] <sdeziel> a bit like what fail2ban does
[15:15] <halvors> thanks :) fail2ban is more to make it harder to gain access in the first place?
[15:16] <sdeziel> halvors: fail2ban can protect many services, which one do you want to protect in your case?
[15:17] <halvors> sdeziel: it's basically a task assignment at school, they recommend ossec but i like to go more into detail and provide the same functionality by using more simple but multiple tools that are easier to understand and maintain.
[15:20] <sdeziel> halvors: I've heard about ossec but know very little about it so I can't make recommendations on simpler alternatives :/
[15:20] <halvors> sdeziel: i see, ossec seems bloated to me (there are windows rule definitions in the linux version)
[15:52] <lordcirth> I have an LXC container which seems hung - lxc-ls and lxc-attach hang. No errors in dmesg. Any debugging tips?
[15:52] <lordcirth> 16.04 guest and host
[21:37] <halvors> How to exclude directories (and their subdirectories and files) from being included in the aide scan?
[21:45] <sdeziel> halvors: IIRC, it was with a rule like that: !/path/to/my/dir
[22:18] <halvors> thx