Slackware-14.1-Intrusion Detection
Posted 06-22-2014 at 09:49 PM by arniekat
Integrity is an essential part of security: you need to be able to detect when your system components have been maliciously modified, whether by a person or an organization. Useful tools to consider for integrity checking and verification are Aide, Chkrootkit, Rkhunter, and the Tiger security scripts. Lynis is more of a tool to check the security settings of your system, but I find it useful.
Download and compile the following from SlackBuilds.org and from Slacky.eu:
aide-0.15.1
chkrootkit-0.50
rkhunter-1.4.2
lynis-1.5.6
tiger-3.2.3
AIDE
http://www.cs.tut.fi/~rammer/aide/manual.html
Advanced Intrusion Detection Environment is a tool for monitoring file system changes: it records a baseline database of file attributes and checksums and later reports any monitored files or directories that were added, removed or modified. AIDE was written to be an alternative to Tripwire. I use /mnt/aide/ to store the database, but ideally you should store it on read-only media such as a CD-ROM. Then you will be fairly certain that the database has not been modified. The same applies to the aide binary and to /etc/aide.conf: an intruder with root can replace those just as easily as the database, so keep trusted copies alongside it and run the check from them.
Create the directory where the database will reside:
# mkdir /mnt/aide
Here are some of the attributes AIDE can record for each file, and the group names that bundle them (from the AIDE manual):
p: permissions
ftype: file type
i: inode
l: link name
n: number of links
u: user
g: group
s: size
m: mtime
c: ctime
md5: md5 checksum
sha1: sha1 checksum
sha256: sha256 checksum
sha512: sha512 checksum
rmd160: rmd160 checksum
tiger: tiger checksum
haval: haval checksum
crc32: crc32 checksum
R: p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
L: p+i+l+n+u+g+acl+selinux+xattrs
E: Empty group
gost: gost checksum (If compiled with mhash support)
whirlpool: whirlpool checksum (If compiled with mhash support)
acl: access control list (If enabled using configure)
xattr: extended file attributes (If enabled using configure)
A rule whose path starts with ! excludes that path from the check, e.g. !/var/log/.* (ignore the log directory).
Here is the Slackware64-14.1 configuration file for Aide that I use:
# This file needs to be created and saved as /etc/aide.conf
# with permissions of 0640
# For Slackware64-14.1
# Date: May 31, 2014
#=== /etc/aide.conf sample ===
database=file:/mnt/aide/aide.db
database_out=file:/mnt/aide/aide.db.new
gzip_dbout=yes
/boot/vmlinuz* p+i+u+g+s+sha256
/etc p+i+u+g+s+sha256
/bin p+i+u+g+s+sha256
/lib/modules p+i+u+g+s+sha256
/usr/lib p+i+u+g+s+sha256
/usr/lib64 p+i+u+g+s+sha256
/usr/libexec p+i+u+g+s+sha256
/usr/bin p+i+u+g+s+sha256
/sbin p+i+u+g+s+sha256
/usr/sbin p+i+u+g+s+sha256
!/var/log/.*
!/var/spool/.*
Now, initialize the database:
# aide -i
AIDE, version 0.15.1
### AIDE database at /mnt/aide/aide.db.new initialized.
After you have initialized the database, copy it into place as the master database that future checks are compared against:
# cp /mnt/aide/aide.db.new /mnt/aide/aide.db
aide.db is the master file. aide.db.new is written only by aide -i (initialize) and aide -u (update, which runs the check and writes a fresh database in one pass); a plain check with aide -C reads aide.db and writes nothing. After reviewing an update report, copy aide.db.new over aide.db again to accept the changes. Now, run the check:
# aide -C
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!
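The init / check / accept cycle above, wrapped in a small script, as an added example that is not from the original post or from the AIDE project. It adds two things a practitioner wants: the master database is "sealed" with a SHA-256 recorded in a second file that is verified before every check (so a rewritten aide.db is noticed), and AIDE's exit status bitmask is decoded into words. The /mnt/aide paths are the post's own; AIDE_BIN, the seal file location and the function names are this example's assumptions.

```shell
#!/bin/sh
# aide-wrapper.sh: seal the master database, verify the seal before each
# check, decode AIDE's exit status, and promote aide.db.new after review.

AIDE_BIN=${AIDE_BIN:-aide}
AIDE_DB=${AIDE_DB:-/mnt/aide/aide.db}
AIDE_DB_NEW=${AIDE_DB_NEW:-/mnt/aide/aide.db.new}
# Assumed seal location; ideally it lives with the database on read-only
# media or on another host, since root on a compromised box can rewrite both.
AIDE_SEAL=${AIDE_SEAL:-/root/aide.db.sha256}

sha256_of() {  # print the hex SHA-256 of a file (coreutils or BSD shasum)
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

aide_seal() {  # aide_seal DB SEALFILE: record the checksum of the master db
  sha256_of "$1" > "$2" && chmod 0600 "$2"
}

aide_verify_seal() {  # aide_verify_seal DB SEALFILE: 0 only if db matches seal
  [ -r "$1" ] && [ -r "$2" ] || return 2
  [ "$(sha256_of "$1")" = "$(cat "$2")" ]
}

# AIDE exit status (aide(1), 0.15): bit 1 = new files, bit 2 = removed files,
# bit 4 = changed files; 14 and above are runtime errors, not findings.
aide_decode_status() {  # aide_decode_status RC -> "clean" | "error" | list
  rc=$1
  [ "$rc" -eq 0 ] && { echo clean; return 0; }
  [ "$rc" -ge 14 ] && { echo error; return 0; }
  out=""
  [ $((rc & 1)) -ne 0 ] && out="${out}new,"
  [ $((rc & 2)) -ne 0 ] && out="${out}removed,"
  [ $((rc & 4)) -ne 0 ] && out="${out}changed,"
  echo "${out%,}"
}

aide_accept() {  # after reviewing a report from aide -i or aide -u: promote db.new
  cp "$AIDE_DB_NEW" "$AIDE_DB" && chmod 0600 "$AIDE_DB" \
    && aide_seal "$AIDE_DB" "$AIDE_SEAL"
}

aide_init() {  # first run: build the database, promote it and seal it
  "$AIDE_BIN" -i && aide_accept
}

aide_check() {  # refuse to compare against a baseline whose seal does not match
  if ! aide_verify_seal "$AIDE_DB" "$AIDE_SEAL"; then
    echo "seal missing or mismatched: $AIDE_DB is not trustworthy" >&2
    return 3
  fi
  "$AIDE_BIN" -C
  rc=$?
  echo "aide result: $(aide_decode_status "$rc") (exit $rc)"
  return "$rc"
}
```

Source the file and call aide_init once, then aide_check from cron; after an aide -u run whose report you have reviewed, aide_accept promotes the new database and reseals it. A non-zero status from aide_check is a finding to investigate, not a reason to accept.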
CHKROOTKIT
Check Rootkit is a shell script (with a few helper C programs) that checks your system for known rootkits. After compiling and installing the version listed above (0.50), run chkrootkit:
# chkrootkit
RKHUNTER
Rootkit Hunter is another tool for scanning your system for rootkits and backdoors. The current version is rkhunter-1.4.2; download it and just change the version number in the SlackBuild. The configuration file for rkhunter is:
/etc/rkhunter.conf
Before the first check, and again after every package upgrade, run rkhunter --propupd so that its file-properties database reflects the binaries you just installed; otherwise legitimately updated files are reported as warnings. To run rkhunter:
# rkhunter -c
While it is running, you will have to hit <ENTER> several times to continue, unless you add --sk (skip keypress).
LYNIS
http://rootkit.nl/software/lynis/
Lynis is an auditing tool for Unix-based systems. It computes a hardening index for your system and lists hardening recommendations. The current version of Lynis is lynis-1.5.6.tar.gz. You can get the SlackBuild and slack-desc from:
http://repository.slacky.eu/slackwar...nis/1.2.6/src/
Here are the changes you will need to make to the SlackBuild:
VERSION=1.5.6
Remove the following line from the SlackBuild:
requiredbuilder -y -v -s $CWD $PKG
Save the SlackBuild, compile lynis and install the package.
To have lynis check your system:
# lynis -c
While it is running, you will have to hit <ENTER> several times to continue (pass -Q to skip the pauses). You will get a Hardening Score when the script finishes. For comparison, on a stock Slackware64-14.0 install with the 3.2.29-huge Kernel, the score was 51. Slackware64-14.1 with the 3.11.8-grsec GrSecurity/PaX Kernel and some additional hardening suggestions from the script got a score of 73.
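The three scanners above (chkrootkit, rkhunter and lynis) all expect a terminal by default, so here is an added example, not from the original post or from the tools' projects, of running them from cron without the interactive pauses and reducing their output to the lines a human must look at. The flags are the documented non-interactive ones (rkhunter --sk skips the keypress and --rwo reports warnings only; lynis -Q suppresses the pauses; chkrootkit -q is quiet mode). LOGDIR, the finding filters, the assumed default location of the Lynis 1.x report file and the constructed sample outputs are this example's own.

```shell
#!/bin/sh
# nightly-audit.sh: run the scanners unattended and summarize their findings.

LOGDIR=${LOGDIR:-/var/log/nightly-audit}                 # assumed; created 0700
LYNIS_REPORT=${LYNIS_REPORT:-/var/log/lynis-report.dat}  # assumed lynis 1.x default

run_tool() {  # run_tool NAME CMD [ARGS...]: capture all output to $LOGDIR/NAME.log
  name=$1; shift
  : > "$LOGDIR/$name.log"
  command -v "$1" >/dev/null 2>&1 || { echo "$name: not installed" >&2; return 127; }
  "$@" >"$LOGDIR/$name.log" 2>&1
  echo "$name: exit status $?"
}

# Filters read a log on stdin and print one line per finding.
# chkrootkit marks hits in capitals ("INFECTED", "Warning", "Possible ...");
# its clean verdict "not infected" is lower case and therefore does not match.
chkrootkit_findings() { grep -E 'INFECTED|^Warning|Possible' || true; }
# rkhunter --rwo prints only "Warning: ..." lines.
rkhunter_findings()   { grep '^Warning:' || true; }
# lynis writes machine-readable "warning[]=TEST-ID|text|..." and
# "hardening_index=NN" lines to its report file.
lynis_findings()      { sed -n 's/^warning\[\]=\([^|]*\)|\([^|]*\)|.*/\1: \2/p'; }
lynis_index()         { sed -n 's/^hardening_index=//p'; }

nightly_audit() {  # the cron entry point
  mkdir -p "$LOGDIR" && chmod 0700 "$LOGDIR"
  run_tool chkrootkit chkrootkit -q
  run_tool rkhunter rkhunter -c --sk --rwo --nocolors
  run_tool lynis lynis -c -Q
  echo "== chkrootkit =="; chkrootkit_findings < "$LOGDIR/chkrootkit.log"
  echo "== rkhunter ==";   rkhunter_findings   < "$LOGDIR/rkhunter.log"
  echo "== lynis (hardening index $(lynis_index < "$LYNIS_REPORT")) =="
  lynis_findings < "$LYNIS_REPORT"
}

# Constructed sample outputs used to exercise the filters (not real scanner output).
sample_chkrootkit() { cat <<'EOF'
Checking `ls'... not infected
Checking `ps'... INFECTED
Searching for suspicious files and dirs, it may take a while... nothing found
EOF
}
sample_rkhunter() { cat <<'EOF'
Warning: The command '/usr/bin/lsof' has been replaced by a script: /usr/bin/lsof: POSIX shell script
Warning: Hidden file found: /etc/.java
EOF
}
sample_lynis_report() { cat <<'EOF'
hardening_index=73
warning[]=SSH-7408|Consider hardening SSH configuration|-|
warning[]=FILE-6310|/tmp is not a separate partition|-|
EOF
}
```

Call nightly_audit from root's crontab and mail or ship the output; the full logs stay under LOGDIR for follow-up. Note that a rootkit which hides from userland cannot be trusted to be found by any of these scanners run from the compromised system itself, which is why the AIDE baseline on read-only media matters.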
TIGER
Tiger Scripts are a set of Bourne shell scripts, C programs and data files which are used to perform a security audit of UNIX systems.
Compile and install tiger-3.2.3 from SlackBuilds.org. To run the check:
# tiger
Tiger can call Aide itself; however, I prefer to run it manually, so I do not make changes to /etc/tiger/tigerrc. If you want tiger to run aide, then make the following changes:
# vi /etc/tiger/tigerrc
# If you want to run aide manually, ignore this section.
# Run Aide file integrity checker
Tiger_Run_AIDE=Y # Slow
# Verbose reporting (not implemented yet)
#Tiger_Run_AIDE_VERBOSE=1
Comment out the following section if you do not want password parameters checked:
# What password aging/constraints to check for.
# A simple space delimited list.
#Tiger_Passwd_Constraints="PASS_MIN_DAYS PASS_MAX_DAYS PASS_WARN_AGE PASS_MIN_LEN"
Save the file and exit.