Host Based IDS Questions
Hi all,
I was wondering if people had experience with Linux HIDS, and which ones they believed worked the best. I was thinking about working on a HIDS for fun / resume boosting. It would be fairly basic and not rely much on network signatures. It would be solely reliant on determining whether or not a remote shell has been opened. For example: you have a production web server that no users should be logging in to except for documented & scheduled maintenance. Any other access to the system at times other than this should always be considered malicious. Is it simple enough to just determine that whenever a shell is opened, this signifies a user accessing the system? The only other users that may be running would be Apache configured for a /dev/null shell, and perhaps some type of DB (mysql or oracle) also configured with /dev/null (no login). Is there an IDS like this that exists currently? Where would I find the information on when an interactive shell is opened? I'm familiar with /var/log/secure for SSH & other logins, but is there a log / location that just determines when an interactive shell is opened? Apologies if I am missing some key concepts here, I've only been in Linux for about a year now. Any help / discussion is greatly appreciated. Thanks!
As far as a HIDS goes, there are several to look at. Three come to mind immediately: Aide, Samhain, Ossec. I personally use Ossec. Pretty much for any of these, you could write custom rules, such as one for a shell login. For monitoring access and shell logins, logwatch will report this information on a daily basis as well as give you a snapshot summary from the system logs. If you are looking for resume building stuff, look into Snort and learn to write custom rules for it.
...and in addition (I'm getting slow ;-p) to what was posted already:
As far as differences go I'll recycle some old posts: http://www.linuxquestions.org/questi...3/#post2567153, http://www.linuxquestions.org/questi...1/#post1146681 and for some perspective: http://www.linuxquestions.org/questi...6/#post3879831. For me the combination of SELinux, Audit and Samhain covers most of my requirements.
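To make the "no logins outside the maintenance window" idea from the original question concrete, here is an added example (not code from this thread, nor from OSSEC, Samhain or Aide). It reads two sources a practitioner would actually use on a RHEL-style box: sshd "Accepted ..." lines as they appear in /var/log/secure, and the auditd USER_START record that PAM emits when any session opens (ssh, console, su, and also cron, which is filtered out as noise). Sessions for accounts that should have /sbin/nologin are flagged unconditionally; everything else is checked against the window. A second, independent check walks /proc for shell processes that hold a controlling terminal, which is the closest thing to "is an interactive shell open right now". The log lines, hostnames, users and the Sunday 02:00-04:00 window are constructed for the example; timestamps are treated as UTC.

```python
"""Flag interactive logins on a host that should only be touched during a
documented maintenance window.  Added example; the log formats are those of
sshd (/var/log/secure) and auditd USER_START, the policy data is made up."""
import os
import re
from datetime import datetime, time, timezone

# Constructed policy: Sunday (weekday 6) 02:00-04:00 is the only allowed window,
# and these service accounts are set to /sbin/nologin, so any session as them
# is wrong no matter when it happens.
MAINTENANCE_WINDOWS = [(6, time(2, 0), time(4, 0))]
NOLOGIN_ACCOUNTS = {"apache", "mysql", "oracle"}
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "tcsh"}

# sshd line in /var/log/secure: the syslog timestamp carries no year.
SECURE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
# auditd USER_START: written by PAM when a session opens (ssh, console, su, cron).
AUDIT_RE = re.compile(
    r'^type=USER_START msg=audit\((?P<ts>\d+)\.\d+:\d+\):.*?acct="(?P<user>[^"]+)"'
    r'.*?addr=(?P<src>\S+).*?terminal=(?P<term>\S+) res=success')

# Constructed sample: in March 2019 the 10th is a Sunday and the 13th a Wednesday;
# 1552485600 is 2019-03-13 14:00:00 UTC.
SAMPLE_LINES = [
    "Mar 10 02:30:11 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Mar 13 14:02:45 web01 sshd[1388]: Accepted password for apache from 203.0.113.9 port 40022 ssh2",
    'type=USER_START msg=audit(1552485600.210:912): pid=1402 uid=0 auid=1001 ses=9 '
    'msg=\'op=PAM:session_open grantors=pam_unix acct="deploy" exe="/usr/sbin/sshd" '
    'hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success\'',
    'type=USER_START msg=audit(1552485600.300:913): pid=1410 uid=0 auid=4294967295 ses=10 '
    'msg=\'op=PAM:session_open grantors=pam_unix acct="root" exe="/usr/sbin/crond" '
    'hostname=? addr=? terminal=cron res=success\'',
]


def parse_secure_line(line, year):
    """Turn an sshd 'Accepted' line into an event dict, or None if it is not one."""
    m = SECURE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    return {"when": when, "user": m["user"], "src": m["src"], "via": "sshd/" + m["method"]}


def parse_audit_line(line):
    """Turn an auditd USER_START record into an event dict; cron sessions are not people."""
    m = AUDIT_RE.match(line)
    if not m or m["term"] == "cron":
        return None
    when = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc).replace(tzinfo=None)
    return {"when": when, "user": m["user"], "src": m["src"], "via": "audit/" + m["term"]}


def in_maintenance_window(when, windows=MAINTENANCE_WINDOWS):
    return any(when.weekday() == wd and start <= when.time() < end for wd, start, end in windows)


def classify(events, windows=MAINTENANCE_WINDOWS):
    """Return (reason, event) pairs for every session that violates the policy."""
    alerts = []
    for e in events:
        if e["user"] in NOLOGIN_ACCOUNTS:
            alerts.append(("nologin-account-session", e))
        elif not in_maintenance_window(e["when"], windows):
            alerts.append(("login-outside-window", e))
    return alerts


def scan_logs(lines, year):
    events = [ev for line in lines
              for ev in (parse_secure_line(line, year), parse_audit_line(line)) if ev]
    return classify(events)


def read_proc_stat():
    """Yield (pid, comm, tty_nr) for every live process from /proc/<pid>/stat.
    tty_nr == 0 means the process has no controlling terminal."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/stat") as f:
                raw = f.read()
        except OSError:
            continue  # process exited while we were looking
        head, _, rest = raw.rpartition(")")      # comm may contain spaces or ')'
        comm = head.split("(", 1)[1]
        fields = rest.split()                    # starts at 'state'; tty_nr is stat field 7
        yield int(pid), comm, int(fields[4])


def interactive_shells(stats, shells=SHELLS):
    """Shell processes that own a terminal: what 'an interactive shell is open' looks like."""
    return [(pid, comm) for pid, comm, tty_nr in stats if comm in shells and tty_nr != 0]


if __name__ == "__main__":
    for reason, ev in scan_logs(SAMPLE_LINES, 2019):
        print(f"{reason}: {ev['user']} via {ev['via']} from {ev['src']} at {ev['when']}")
    if os.path.isdir("/proc"):
        print("interactive shells now:", interactive_shells(read_proc_stat()))
```

Two caveats worth knowing before building on this. The /proc check only sees shells with a controlling terminal; a reverse shell wired straight to a socket (`bash -i` with its stdio redirected to /dev/tcp) has none and stays invisible to it until the attacker upgrades it with a pty, which is exactly why the PAM/auditd session record is the stronger signal for the "nobody should be logged in" policy. And syslog timestamps have no year and are in local time, so in production the year and timezone need to come from the log's own rotation and the host's clock rather than being passed in as here.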