Intrusion Detection Policy

WeNdeL · 05-14-2003, 03:13 PM

I am trying to put together an Intrusion Detection policy here at work. So far I have this general outline...

1. Check /etc/passwd and /etc/group files for root back-door
2. Use netstat and nmap to look at open ports. (this is of course utilizing tools that haven't seen the misfortune of a rootkit)
3. Run chkrootkit from http://www.chkrootkit.org
4. Check my tripwire database
5. Browse all crontabs including cron.daily, cron.weekly, cron.monthly, etc... for odd entries(I guess tripwire would see this?).

Know of anything that I could add? What do you use for Intrusion Detection?

apps? links?

Thanks as always!

iceman47 · 05-14-2003, 03:35 PM

-www.lids.org
-www.grsecurity.org

WeNdeL · 05-14-2003, 04:09 PM

sweet....

/me is looking at this now

unSpawn · 05-15-2003, 05:46 AM

This policy should be part of a greater framework. You should start with an overview of necessary policies for that site/company and focus on the details once the framework is set.

Luckily there's lotsa docs available to help you like
The SANS Security Policy Project, SECINF (excellent library) and Infosyssec (dunno how much is stale).

HTH.