Host-based IDS
A host-based IDS analyzes several areas of a single system to
determine misuse (malicious or abusive activity originating inside the
network) or intrusion (breaches from the outside). Host-based IDSes
consult several types of log files (kernel, system, server, network,
firewall, and more) and compare the logged events against an internal
database of signatures for known attacks. Unix and Linux host-based
IDSes make heavy use of syslog and its ability to separate logged
events by their severity and facility (for example, printer error
messages versus kernel warnings). The IDS filters the logs (which, in
the case of some event sources such as network and kernel, can be
quite verbose), analyzes them, re-tags the anomalous entries with its
own system of warning and severity ratings, and collects them in its
own specialized log for administrator analysis. Because it only sees
what was logged, a host-based IDS is blind to activity that never
reaches syslog and to entries an intruder deletes after gaining root,
which is why the logs (and the IDS's own log) are best copied to a
separate log host as they are written.
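As an added example (not code from the guide or from any of the tools it names), the following shell script does the job described above in miniature: it matches syslog-format lines against a small signature table, re-tags each hit with its own severity label, and correlates repeated failed logins from one source address into a single higher-severity event. The signature patterns, severity labels, threshold and log lines are all constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the original guide. A minimal log-based host IDS:
# signature matching over syslog lines, re-tagged with our own severities,
# plus one correlation rule. Signatures, thresholds and sample lines are assumed.

# Constructed sample of /var/log/secure and /var/log/messages style lines
# (not captured from a real system).
SAMPLE_LOG='Mar  3 10:01:02 host sshd[2201]: Failed password for root from 203.0.113.7 port 4021 ssh2
Mar  3 10:01:05 host sshd[2201]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar  3 10:01:09 host sshd[2201]: Failed password for admin from 203.0.113.7 port 4023 ssh2
Mar  3 10:02:00 host sshd[2210]: Accepted publickey for alice from 198.51.100.5 port 5100 ssh2
Mar  3 10:03:11 host su(pam_unix)[2244]: session opened for user root by bob(uid=500)
Mar  3 10:04:00 host kernel: Oops: 0000 [#1] at c0123456
Mar  3 10:05:00 host cups: printer error: out of paper'

# rate_syslog [THRESHOLD]
#   stdin:  syslog lines
#   stdout: "<SEVERITY> <signature> | <line>" for every line matching a signature,
#           plus one "HIGH ssh-bruteforce" line per source address that produced
#           THRESHOLD or more failed logins (default 3).
#   Lines matching nothing (the printer error) are dropped, which is the filtering step.
rate_syslog() {
    awk -v threshold="${1:-3}" '
        # Signature table: pattern -> name -> severity. First match wins, so put
        # the more specific patterns first.
        BEGIN {
            n = 0
            sig[++n] = "Failed password for";          name[n] = "ssh-failed-login"; sev[n] = "MEDIUM"
            sig[++n] = "session opened for user root"; name[n] = "su-to-root";       sev[n] = "HIGH"
            sig[++n] = "kernel: Oops";                 name[n] = "kernel-oops";      sev[n] = "HIGH"
            sig[++n] = "Accepted publickey";           name[n] = "ssh-login";        sev[n] = "LOW"
        }
        {
            for (i = 1; i <= n; i++) {
                if ($0 ~ sig[i]) {
                    print sev[i] " " name[i] " | " $0
                    # Correlation: count failed logins per source address.
                    if (name[i] == "ssh-failed-login" && match($0, /from [0-9.]+/)) {
                        src = substr($0, RSTART + 5, RLENGTH - 5)
                        fails[src]++
                    }
                    break
                }
            }
        }
        END {
            for (src in fails)
                if (fails[src] >= threshold)
                    print "HIGH ssh-bruteforce | " fails[src] " failed logins from " src
        }'
}

# Usage: rate_syslog 3 < /var/log/secure
#        printf "%s\n" "$SAMPLE_LOG" | rate_syslog
```

Run against the constructed sample, the three failed logins from 203.0.113.7 each produce a MEDIUM line and together trigger one HIGH ssh-bruteforce line, the su and kernel entries are tagged HIGH, and the printer error is filtered out.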
Host-based IDSes can also verify the data integrity of important files
and executables. The IDS checks a database of sensitive files (plus
any files that you may want to add) and creates a checksum of each file
with a message digest utility such as md5sum (128-bit digest) or
sha1sum (160-bit digest). The IDS then stores the sums in a file and
periodically compares fresh checksums of the files against the stored
values. If any file's checksum does not match, the IDS alerts the
administrator by email or pager. Two caveats apply to any such scheme:
the stored sums must be kept where an intruder who can alter the files
cannot also update the sums (on read-only media or a separate host),
and MD5 and SHA-1 are no longer collision resistant, so a stronger
digest such as SHA-256 should be preferred where the tool supports it.
This is the process used by Tripwire, which is discussed in the Section
called Tripwire.
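As an added example (not the guide's code and not Tripwire), the baseline-and-compare cycle just described, done with nothing but coreutils. The list file, the baseline location and the sample files in the usage are assumptions; sha256sum is used in place of md5sum or sha1sum for the reason given above, and the file mode and owner are recorded alongside the digest so that a setuid bit flipped on an unchanged binary is also caught.

```sh
#!/bin/sh
# Added example, not from the guide or from Tripwire: a minimal file-integrity
# baseline. Paths, list file and baseline location are assumptions.

# make_baseline LISTFILE BASELINE
#   LISTFILE names one path per line; BASELINE receives one line per existing file:
#   "<sha256> <mode:user:group> <path>", sorted by path so two baselines diff cleanly.
#   Keep BASELINE off the monitored host or on read-only media: an intruder who
#   can rewrite /bin/ls can also rewrite a baseline stored next to it.
make_baseline() {
    while read -r path; do
        [ -f "$path" ] || continue
        printf '%s %s %s\n' \
            "$(sha256sum "$path" | cut -d' ' -f1)" \
            "$(stat -c '%a:%U:%G' "$path")" \
            "$path"
    done < "$1" | sort -k3 > "$2"
}

# check_baseline BASELINE
#   Prints one CHANGED or MISSING line per discrepancy and returns 1 if there
#   was any, 0 if every file still matches. A cron job can mail the output to
#   the administrator only when the return status is non-zero.
check_baseline() {
    rc=0
    while read -r digest meta path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$digest" ]; then
            printf 'CHANGED  %s (content)\n' "$path"; rc=1
        elif [ "$(stat -c '%a:%U:%G' "$path")" != "$meta" ]; then
            printf 'CHANGED  %s (mode/owner, was %s)\n' "$path" "$meta"; rc=1
        fi
    done < "$1"
    return $rc
}

# Usage (assumed paths):
#   find /bin /sbin /usr/bin /usr/sbin -type f > /root/watchlist
#   make_baseline /root/watchlist /mnt/cdrom/baseline.txt   # then burn or remount read-only
#   check_baseline /mnt/cdrom/baseline.txt || mail -s "integrity alert" root
```

The second command in the usage is the one to schedule; because it reads the baseline from read-only media, an intruder who replaces a binary cannot silence the alert by editing the baseline, which is the weakness of keeping the sums in a plain file on the same disk.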
Tripwire
Tripwire is the most popular host-based
IDS for Linux. Tripwire, Inc., the developers of
Tripwire, recently opened the software
source code for the Linux version and licensed it under the terms of
the GNU General Public License. Red Hat Linux includes
Tripwire, which is available in RPM package
format for easy installation and upgrade.
Detailed information on the installation and configuration of
Tripwire can be found in the chapter titled
"Installing and Configuring Tripwire" in the
Official Red Hat Linux Customization Guide. Refer to that chapter for more
information.
RPM as an IDS
The RPM Package Manager (RPM) is another program that can be used as a
host-based IDS. RPM contains various options for querying packages and
their contents. These verification options can be invaluable to an
administrator who suspects that critical system files and executables
have been modified.
The following list details some options for RPM that you can use
to verify file integrity on your Red Hat Linux system. Refer to the
Official Red Hat Linux Customization Guide for complete information about using
RPM.
 | Important |
|---|
| Some of the commands in the list that follows require that you import the official Red Hat GPG public key into your RPM keyring. This key lets RPM verify that packages carry an official Red Hat package signature, which shows that they originated from Red Hat. The key can be imported with the following command (substituting <version> with the version of RPM installed on your system): rpm --import /usr/share/doc/rpm-<version>/RPM-GPG-KEY |
- rpm -V package_name
This option verifies the files in the installed package called
package_name. If it shows no output and exits, none of the package's
files has been modified in any way since the RPM database was last
updated for that package. If there is an error, such as
then the file has been modified in some way and you need to assess
whether to keep the file (as is usually the case with modified
configuration files in /etc) or delete the file and reinstall the
package that contains it.
- rpm -Va
This command verifies all installed packages and reports every failure
of its verification tests (much like the -V option, but far more
verbose in its output since it is verifying every installed package).
Expect a baseline of noise: edited configuration files and files whose
only change is the modification time are normal, whereas a changed
digest, size, mode or owner on a binary is not.
- rpm -Vf /bin/ls
This command verifies the package that owns the given file, so you
need not know the package name. This is useful if you wish to perform
a quick verification of a suspect file; note that the output covers
every file in the owning package, not only the one named.
- rpm -K application-1.0.i386.rpm
This command checks the MD5 checksum and the GPG signature of an RPM
package file (not of an installed package). It is useful for checking
whether a package you want to install was signed by Red Hat or by any
organization whose GPG public key you have imported into your RPM
keyring. A package whose signature cannot be verified, because it is
unsigned or was signed with a key you have not imported, emits a
message similar to the following:
application-1.0.i386.rpm (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#897da07a)
Treat any NOT OK result as a failure. Exercise caution when installing
packages that are unsigned, as they are unofficial and could contain
malicious code.
RPM can be a powerful tool, as evinced by its many verification options
for installed packages and RPM package files. Note, however, that
rpm -V only compares files against the RPM database on the same
system, and both that database and the rpm binary itself are writable
by an intruder who has gained root. It is therefore strongly
recommended that you back up the contents of your RPM database
directory (/var/lib/rpm/) to read-only media such as CD-ROM after you
install Red Hat Linux, so that you can verify files and packages
against the read-only copy rather than against the database on the
system, as malicious users may corrupt the database and skew your
results. For the same reason, run the verification from a known-good
rpm binary (for example, booted from rescue media) when a compromise is
suspected.
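As an added example (not from the guide), the following shell function triages the output of rpm -Va so that the few lines that matter are not lost among the expected noise described above. The rpm -V lines it reads are constructed for the example, not captured from a real system; the usage note shows how to feed it real output, including output produced against a read-only copy of the database.

```sh
#!/bin/sh
# Added example, not from the guide: triage `rpm -Va` output. The sample
# lines are constructed. Each rpm -V line is a flag string (or the word
# "missing"), an optional file type, and the path. Flag positions are
# S size, M mode, 5 digest, D device, L symlink target, U user, G group,
# T mtime (newer rpm adds P capabilities); "." means the test passed.
# File types: c config, d documentation, g ghost, l license, r readme.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/foo/README
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
....L....    /usr/bin/vi
missing      /usr/bin/top
.......T.    /usr/bin/find'

# triage_rpm_verify
#   stdin:  `rpm -Va` (or `rpm -V pkg`) output
#   stdout: one "<LEVEL> <reason> <path>" line per input line.
#   ALERT  = a missing file, or a non-config file whose content, link target,
#            mode or owner changed: possible trojaned binary, look first.
#   NOTICE = an edited configuration file: normally expected, but review.
#   INFO   = documentation changes or mtime-only changes: usually harmless.
triage_rpm_verify() {
    awk '
        {
            path = $NF
            if ($1 == "missing") { print "ALERT missing-file " path; next }
            flags = $1
            type  = (NF >= 3) ? $2 : ""
            content_changed = (index(flags, "5") || index(flags, "S") || index(flags, "L"))
            perm_changed    = (index(flags, "M") || index(flags, "U") || index(flags, "G"))
            if (type == "c" && !perm_changed)      print "NOTICE edited-config " path
            else if (type == "d" && !perm_changed) print "INFO doc-changed " path
            else if (content_changed)              print "ALERT content-changed[" flags "] " path
            else if (perm_changed)                 print "ALERT perm-or-owner-changed[" flags "] " path
            else                                   print "INFO mtime-only " path
        }'
}

# Usage:
#   rpm -Va | triage_rpm_verify | sort
#   rpm --dbpath /mnt/cdrom/rpm -Va | triage_rpm_verify   # against the read-only copy
#   printf "%s\n" "$SAMPLE_RPM_VA" | triage_rpm_verify    # the constructed sample
```

The --dbpath option points rpm at a copy of /var/lib/rpm, so the second usage line assumes the backup described above is mounted at /mnt/cdrom/rpm. Even then the verdict is only as trustworthy as the rpm binary and libraries that produced it; on a suspect host, run the command from rescue media.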
Other Host-based IDSes
The following list discusses some of the other popular host-based
intrusion detection systems available. Refer to the websites of the
respective utilities for more information about installing and
configuring them in your environment.
 | Note |
|---|
| These applications are not included with Red Hat Linux and are not supported. They have been included in this document as a reference to users who may be interested in evaluating such applications. |
SWATCH http://www.oit.ucsb.edu/~eta/swatch/
— The Simple WATCHer (SWATCH) monitors the log files generated by
syslog and alerts administrators of anomalies based on patterns in a
user configuration file. SWATCH was designed to act on any log event
the user chooses to describe in its configuration file; in that role
it has been widely adopted as a host-based IDS.
LIDS http://www.lids.org — The
Linux Intrusion Detection System (LIDS) is a kernel patch and
administration tool that can also control file modification with
access control lists (ACLs) and protect processes and files, even
from the root user.