Proposed role: debops.ids
tobijb opened this issue · 1 comments
tobijb commented
Provide default intrusion detection systems like debops.ossec + debops.audit? Leverage ELK stack for audit views and ossec for notifications (email + script)?
Should:
- Audit user logins
- Audit known activities (DDoS, SYN flood, auth attempts)
- Audit custom activities (Watch this file in /opt/secret for changes)
- Notify for known activities (MD5 change of core lib or executable)
- Notify for custom activities (if desired)
...
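The "watch this file for changes" and "MD5 change of core lib or executable" items above amount to a baseline-and-compare file integrity check. The following is an added example of that logic, not code from the debops project or from OSSEC; paths and file contents are constructed inside a temporary directory, and SHA-256 is used in place of MD5 since MD5 is no longer collision resistant (the algorithm is a parameter if MD5 is required for compatibility).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots, algorithm="sha256"):
    """Map every regular file under the watched roots (files or directories) to its digest."""
    baseline = {}
    for root in map(Path, roots):
        files = [root] if root.is_file() else [p for p in root.rglob("*") if p.is_file()]
        for p in files:
            baseline[str(p)] = hash_file(p, algorithm)
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: one watched file modified, one added, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        watched = Path(tmp) / "secret"          # stands in for /opt/secret from the proposal
        watched.mkdir()
        (watched / "keep.txt").write_bytes(b"unchanged")
        (watched / "config.txt").write_bytes(b"v1")
        (watched / "old.txt").write_bytes(b"gone soon")
        baseline = build_baseline([watched])    # this is what a role would persist on disk
        (watched / "config.txt").write_bytes(b"v2")
        (watched / "old.txt").unlink()
        (watched / "new.txt").write_bytes(b"dropped in")
        changes = compare(baseline, build_baseline([watched]))
        # Report paths relative to the temp dir so the result is stable for the caller.
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in changes.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")   # the notification hook (email/script) would go here
```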
e-alfred commented
Graylog could be used instead of the ELK stack, but this role would be great.