We have recently built a Host Intrusion Detection System (HIDS) for our stake pool, tuned for the Guild Ops Cardano Node directory structure and monitoring.
It's based on OSSEC agents (Releases · ossec/ossec-hids · GitHub) reporting to an OSSEC server, linked to Prometheus and Grafana so you get a nice dashboard and UI for monitoring. A lot of you may already be running Prometheus and Grafana as part of the Guild Ops build, so you will be familiar with these tools.
OSSEC is a very lightweight agent that can run integrity and rootkit checks, as well as parse auth logs and monitor directory changes. We are using the Linux agents, but there are agents for Windows and Mac.
Let me know if there is interest and I will write up and share back here.
It's a fairly lengthy process, and hopefully it's accurate. If you find any errors, or anything isn't clear, please give feedback so I can correct it.
If there’s enough interest I will check in with the GuildOps crew and see if they want to script it and offer as part of their repo (we called it cnhids just in case).
It will be noisy for the first 24 hours, then it should settle down. You can easily drill into events by clicking the hyperlinks on the dashboard, and there are some nice inbuilt Grafana features to view similar events and see stats. Play around and it's pretty intuitive…
Update 10-02-2021: Discussing with Guild Ops to script and provide the install as part of their stack. Hope to have something for testing in a week or so when we have time to focus on it.
Discussing integration with GuildOps. Designed as a drop-in for the existing script setup_mon.sh.
Feedback welcome on GitHub if you find issues; we've done some testing on Ubuntu 20.04 LTS, but there are likely some rough edges still.
UPDATE 06-Mar-2021: We've done a lot more testing on the different deployment options. Better install logic, and most obvious bugs removed. Working well on 20.04 LTS. All software versions at the latest levels. No critical or high vulnerabilities identified with Qualys scans.
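As an added illustration (not the cnhids configuration from the post above, and not Guild Ops code), here is a minimal OSSEC agent ossec.conf fragment covering the three capabilities the post mentions: file integrity checks (syscheck), rootkit checks (rootcheck) and auth log parsing (localfile). The Cardano paths are an assumption based on the Guild Ops default CNODE_HOME of /opt/cardano/cnode and its priv, files, scripts, db, logs and sockets subdirectories; check them against your own install before using this.

```xml
<ossec_config>
  <!-- File integrity monitoring. Added example: the /opt/cardano/cnode paths are
       an assumption (Guild Ops default CNODE_HOME), adjust to your node layout. -->
  <syscheck>
    <!-- Full scan every 2 hours; realtime="yes" adds inotify-based change alerts -->
    <frequency>7200</frequency>

    <!-- Pool keys and certificates: alert on any change, including new files and
         permission/owner changes. Deliberately no report_changes="yes" here, so
         key material is never copied into the server's diff store with the alert. -->
    <directories check_all="yes" realtime="yes">/opt/cardano/cnode/priv</directories>

    <!-- Node config, topology and genesis files, plus the operator scripts -->
    <directories check_all="yes" realtime="yes">/opt/cardano/cnode/files,/opt/cardano/cnode/scripts</directories>

    <!-- Standard system locations -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>

    <!-- The chain database, logs and sockets churn constantly; monitoring them
         only generates noise, so exclude them from the integrity checks -->
    <ignore>/opt/cardano/cnode/db</ignore>
    <ignore>/opt/cardano/cnode/logs</ignore>
    <ignore>/opt/cardano/cnode/sockets</ignore>
  </syscheck>

  <!-- Rootkit and system audit checks using the signature files shipped with OSSEC -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>

  <!-- Auth log parsing (Ubuntu paths): SSH logins, sudo use, failed auth -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
```

Merge this into /var/ossec/etc/ossec.conf on the agent (OSSEC accepts several `<ossec_config>` blocks in one file), restart with `/var/ossec/bin/ossec-control restart`, and check /var/ossec/logs/ossec.log to confirm syscheck and rootcheck started. The first syscheck pass only builds the baseline, so expect the burst of alerts the post describes in the first day; if the agent was built without inotify support, drop `realtime="yes"` and the directories are still covered by the periodic scan.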