LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Blogs > arniekat
User Name
Password

Notices



Rate this Entry

Slackware-14.1-Intrusion Detection

Posted 06-22-2014 at 10:49 PM by arniekat

A very important part of Security is also the Integrity of your system and being able to detect when your system components have been maliciously compromised by a person or an organization. Some useful tools to think about for Integrity/Verification are Aide, Chkrootkit, Rkhunter, and Tiger security scripts. Lynis is more of a tool to check the security settings of your system, but I find it useful.

Download and compile the following from SlackBuilds.org and from Slacky.eu:

aide-0.15.1
chkrootkit-0.50
rkhunter-1.4.2
lynis-1.5.6
tiger-3.2.3

AIDE

http://www.cs.tut.fi/~rammer/aide/manual.html

Advanced Intrusion Detection Environment is a tool for monitoring file system changes. It can be used to detect unauthorized monitored files and directories. AIDE was written to be an alternative to Tripwire. I use /mnt/aide/ to store the database, but ideally you should store it some read-only media like a CD-ROM. Then you will be fairly certain that the database has not been modified.

Create the directory where the database will reside:

# mkdir /mnt/aide

Here are some of the things that can be checked by Aide:

p: permissions
ftype file type
i: inode
u: user
g: group
s: size
md5: md5 checksum
sha1: sha1 checksum
sha256: sha256 checksum
sha512: sha512 checksum
rmd160: rmd160 checksum
tiger: tiger checksum
haval: haval checksum
crc32: crc32 checksum
R: p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
L: p+i+l+n+u+g+acl+selinux+xattrs
E: Empty group
gost: gost checksum (If compiled with mhash support)
whirlpool: whirlpool checksum (If compiled with mhash support)
acl: access control list (If enabled using configure)
xattr: extended file attributes (If enabled using configure)
!/var/log/.* (Ignore the log directory)

Here is the Slackware64-14.1 configuration file for Aide that I use:

# This file needs to created and saved as /etc/aide.conf
# with a permission of 0640
# For Slackware64-14.1
# Date: May 31, 2014
#=== /etc/aide.conf sample ===
database=file:/mnt/aide/aide.db
database_out=file:/mnt/aide/aide.db.new
gzip_dbout=yes

/boot/vmlinuz* p+i+u+g+s+sha256
/etc p+i+u+g+s+sha256
/bin p+i+u+g+s+sha256
/lib/modules p+i+u+g+s+sha256
/usr/lib p+i+u+g+s+sha256
/usr/lib64 p+i+u+g+s+sha256
/usr/libexec p+i+u+g+s+sha256
/usr/bin p+i+u+g+s+sha256
/sbin p+i+u+g+s+sha256
/usr/sbin p+i+u+g+s+sha256
!/var/log/.*
!/var/spool/.*

Now ,initialize the database.

# aide -i
AIDE, version 0.15.1
### AIDE database at /mnt/aide/aide.db.new initialized.

After you have initialized the database, you need to save it as something else, in this instance as:

# cp /mnt/aide/aide.db.new /mnt/aide/aide.db

The aide.db is the master file and aide.db.new is created whenever a check is performed. Now, run the check:

# aide -C
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!

CHKROOTKIT

Check Rootkit is a shell script that checks your system for known rootkits. After compiling and installing version 0.49, run chkrootkit:

# chkrootkit

RKHUNTER

Rootkit Hunter is another tool for scanning your system for rootkits and backdoors. The current version is rkhunter-1.4.2, which you can download and then just change the version number in the SlackBuild. The configuration file for rkhunter is:

/etc/rkhunter.conf

To run rkhunter:

# rkhunter -c

While it is running, you will have to hit <ENTER> several times to continue.

LYNIS

http://rootkit.nl/software/lynis/

Lynis is an auditing tool for Unix-based systems. It creates a security score for your system and gives some hardening recommendations. The current version of Lynis is lynis-1.5.6.tar.gz. You can get the SlackBuild and Slack-desc from:

http://repository.slacky.eu/slackwar...nis/1.2.6/src/

Here are the changes you will need to make to the SlackBuild:

VERSION=1.5.6

Remove the following line from the SlackBuild:

requiredbuilder -y -v -s $CWD $PKG

Save the SlackBuild, compile lynis and install the package.

To have lynis check your system:

# lynis -c

While it is running, you will have to hit <ENTER> several times to continue. You will get a Hardening Score after the script is through running. For comparison, on a stock Slackware64-14.0 install with the 3.2.29-huge Kernel, the score was 51. Slackware64-14.1 with the 3.11.8-grsec GrSecurity/PaX Kernel and some additional hardening suggestions from the script got a score of 73.

TIGER

Tiger Scripts are a set of Bourne shell scripts, C programs and data files which are used to perform a security audit of UNIX systems.

Compile and the install tiger-3.2.3 from SlackBuilds.org. To run the check:

# tiger

Tiger can call on Aide to run, however, I prefer to run it manually, so I do not make changes to /etc/tiger/tigerrc. If you want tiger to run aide, then make the following changes:

# vi /etc/tiger/tigerrc

# If you want to run aide manually, ignore this section.
# Run Aide file integrity checker
Tiger_Run_AIDE=Y # Slow
# Verbose reporting (not implemented yet)
#Tiger_Run_AIDE_VERBOSE=1

Comment-out the following section if you do not want password parameters checked:

# What password aging/constraints to check for.
# A simple space delimited list.
#Tiger_Passwd_Constraints="PASS_MIN_DAYS PASS_MAX_DAYS PASS_WARN_AGE PASS_MIN_LEN"

Save the file and exit.
Posted in Uncategorized
Views 336 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 06:39 AM.

Main Menu
Advertisement

Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration