LinuxQuestions.org

Host Based IDS Questions (https://www.linuxquestions.org/questions/linux-security-4/host-based-ids-questions-918899/)

eliteparakeet 12-15-2011 10:03 AM

Host Based IDS Questions
 
Hi all,

I was wondering if people had experience with Linux HIDS, and which ones they believed worked the best.

I was thinking about working on a HIDS for fun / resume boosting. It would be fairly basic and not rely much on network signatures. It would be solely reliant on determining whether or not a remote shell has been opened.

For example: you have a production web server that no users should be logging in to except for documented & scheduled maintenance. Any other access to the system at times other than this should always be considered malicious. Is it simple enough to just determine that whenever a shell is opened, this signifies a user accessing the system?

The only other users that may be running would be Apache configured for /dev/null shell, and perhaps some type of DB (mysql or oracle) also configured with /dev/null (no login).

Is there an IDS like this that exists currently?
Where would I find the information of whenever an interactive shell is opened?
- I'm familiar with /var/log/secure for SSH & other logins, but is there a log / location that just determines when an interactive shell is opened?

Apologies if I am missing some key concepts here, only been in Linux for about a year now.

Any help / discussion is greatly appreciated.

Thanks!

Noway2 12-15-2011 03:31 PM

As far as a HIDS goes, there are several to look at. Three come to mind immediately: AIDE, Samhain, OSSEC. I personally use OSSEC. Pretty much for any of these, you could write custom rules, such as for a shell login. For monitoring access and shell logins, logwatch will report this information on a daily basis as well as give you a snapshot summary from the system logs. If you are looking for resume building stuff, look into Snort and learn to write custom rules for it.

unSpawn 12-15-2011 04:05 PM

...and in addition (I'm getting slow ;-p) to what was posted already:
Quote:

Originally Posted by eliteparakeet (Post 4550698)
which ones they believed worked the best.

To ask which item X (Linux distribution, Desktop Environment, Window Manager, text editor) is "the best" may be of limited value. Without providing the basis for comparison yourself it only invites everybody to post their opinion. Besides, there are a lot of host-based intrusion detection systems for Linux (AIDE, Samhain, OSSEC HIDS, Osiris, Fcheck, Afick, Integrit, Prelude, tripwire and even Monit and Rootkit Hunter can check hashes) but they're just a tool in your toolkit. They shouldn't be used as the only tool, they shouldn't be used without having first hardened the system properly and you should save a copy of the binary, configuration files and databases elsewhere.
As far as differences go I'll recycle some old posts: http://www.linuxquestions.org/questi...3/#post2567153, http://www.linuxquestions.org/questi...1/#post1146681 and for some perspective: http://www.linuxquestions.org/questi...6/#post3879831.
For me the combination of SELinux, Audit and Samhain cover most of my requirements.


Quote:

Originally Posted by eliteparakeet (Post 4550698)
(..) not rely much on network signatures.

That would be a NIDS, not a HIDS?..


Quote:

Originally Posted by eliteparakeet (Post 4550698)
Is there an IDS like this that exists currently?

If you mean NIDS then the obvious first thing would be to check for Snort / Bro / Prelude rules that trigger on any shell string. If you mean HIDS then Samhain allows you to check processes and log files using regular expressions, but the Audit service can easily log syscalls too. For instance a rule like 'auditctl -a always,exit -F path=/usr/bin/wget -F perm=x -F auid=48 -k HTTPD_problem' will alert you if UID 48 (may differ but for me it's the web server user) executes the 'wget' binary. From there it's simply using SEC or equivalent or Logwatch to generate reports or alerts.


Quote:

Originally Posted by eliteparakeet (Post 4550698)
Where would I find the information of whenever an interactive shell is opened?
- I'm familiar with /var/log/secure for SSH & other logins, but is there a log / location that just determines when an interactive shell is opened?

Yeah, that would complete your "project" in one reply ;-p Distinctions of a shell being interactive or not aren't made that way, as a shell is always anchored at the user who is allowed to log in or not (as in existence, shell, password, any access restrictions). Minimally, as far as init, gettys and login are concerned there's /var/run/utmp and /var/log/wtmp, and on systems using PAM there's /var/log/secure (or wherever else Syslog is configured to log logins and violations to).
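As an added example (not code from this thread or from any of the posters), here is a small Python detector over constructed audit records that turns the two ideas above into an alert: auditd logs the execve syscall, and on the poster's server only service accounts that can never log in should exist besides maintenance users, so a shell executed as one of them is the event worth flagging. The uids (48 for apache, 27 for mysql) and the record contents are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); the layout follows the
# SYSCALL/EXECVE records auditd writes for an execve rule such as the one quoted above.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1323970800.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/sh" key="HTTPD_problem"
type=EXECVE msg=audit(1323970800.101:201): argc=3 a0="sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1323970800.205:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1202 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1323970800.309:203): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
EVENT_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')   # serial that ties SYSCALL and EXECVE together

SERVICE_UIDS = {48: "apache", 27: "mysql"}  # assumption: the nologin accounts from the thread
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
AUID_UNSET = 4294967295  # kernel's "no login uid": the process descends from a daemon, not a login
EXECVE_X86_64 = "59"

def parse_record(line):
    """Turn one audit line into a dict of its fields plus the event serial, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["event"] = m.group(1)
    return rec

def find_shell_events(log_text):
    """Group records by event serial and report shells executed by service accounts."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event"]][rec["type"]] = rec
    alerts = []
    for eid, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("syscall") != EXECVE_X86_64:
            continue
        uid = int(sc["uid"])
        if uid not in SERVICE_UIDS or sc.get("exe") not in SHELLS:
            continue  # normal user login shells and daemon binaries are not the concern here
        ev = recs.get("EXECVE", {})
        arg_keys = sorted((k for k in ev if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
        alerts.append({"event": eid, "user": SERVICE_UIDS[uid], "exe": sc["exe"],
                       "argv": [ev[k] for k in arg_keys], "key": sc.get("key"),
                       "from_daemon": int(sc["auid"]) == AUID_UNSET})
    return alerts

if __name__ == "__main__":
    for a in find_shell_events(SAMPLE_LOG):
        print(a)
```

The `from_daemon` flag is the piece that answers the "interactive or not" question: a shell reached through a login carries the login uid in `auid`, while one spawned by the web server process tree carries the unset value.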

