A host-based IDS analyzes several areas to determine misuse
(malicious or abusive activity inside the network) or intrusion
(breaches from the outside). Host-based IDSes consult several types
of log files (kernel, system, server, network, firewall, and more),
and compare the logs against an internal database of common
signatures for known attacks. UNIX and Linux host-based IDSes make
heavy use of syslog and its ability to
separate logged events by their severity (for example, minor
printer messages versus major kernel warnings). The syslog command is available when installing the
sysklogd package, which is included with
Red Hat Enterprise Linux. This package provides system logging and
kernel message trapping. The host-based IDS filters logs (which, in
the case of some network and kernel event logs, can be quite
verbose), analyzes them, re-tags the anomalous messages with its
own system of severity rating, and collects them in its own
specialized log for administrator analysis.
A host-based IDS can also verify the data integrity of important
files and executables. It checks a database of sensitive files (and
any files added by the administrator) and creates a checksum of each file with a message digest
utility such as md5sum (128-bit algorithm)
or sha1sum (160-bit algorithm). The
host-based IDS then stores the sums in a plain text file and
periodically compares the file checksums against the values in the
text file. If any of the file checksums do not match, the IDS
alerts the administrator by email or cellular pager. This is the
process used by Tripwire, which is discussed in Section 9.2.1
Tripwire.
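The baseline-and-compare process just described, as an added example in POSIX shell (it is not code from the page, from Tripwire or from Red Hat); it assumes sha1sum and the usual coreutils (find, sort, comm, awk, mktemp) are present and that the baseline file is kept outside the monitored tree, ideally on read-only media:

```shell
#!/bin/sh
# Baseline-and-compare file integrity check (added example, not Tripwire's code).
# Assumes sha1sum/find/sort/comm/awk/mktemp; the baseline file must live outside DIR.

# One "sha1  path" line per regular file under $1, sorted bytewise so comm can diff it.
snapshot() {
    find "$1" -type f -exec sha1sum {} + | LC_ALL=C sort
}

# True if the sha1sum-format list $1 has an entry for path $2.
# A SHA-1 hex digest is 40 characters plus two spaces, so the path starts at column 43.
has_path() {
    awk -v p="$2" 'substr($0, 43) == p { found = 1 } END { exit !found }' "$1"
}

# Record the baseline once, right after installation: make_baseline DIR BASELINE_FILE
make_baseline() {
    snapshot "$1" > "$2"
}

# Compare DIR against BASELINE_FILE. Prints MODIFIED:/MISSING:/NEW: lines and
# returns 0 only if nothing changed, so a cron job can alert on a non-zero exit.
check_baseline() {
    dir=$1; baseline=$2; changes=0
    current=$(mktemp); gone=$(mktemp); added=$(mktemp)
    snapshot "$dir" > "$current"
    LC_ALL=C comm -23 "$baseline" "$current" > "$gone"    # baseline entries no longer present
    LC_ALL=C comm -13 "$baseline" "$current" > "$added"   # current entries not in the baseline
    while IFS= read -r line; do
        path=${line#*  }
        if has_path "$current" "$path"; then echo "MODIFIED: $path"; else echo "MISSING: $path"; fi
        changes=$((changes + 1))
    done < "$gone"
    while IFS= read -r line; do
        path=${line#*  }
        has_path "$baseline" "$path" || { echo "NEW: $path"; changes=$((changes + 1)); }
    done < "$added"
    rm -f "$current" "$gone" "$added"
    [ "$changes" -eq 0 ]
}

# Usage: integrity.sh baseline DIR FILE   (once, after installation)
#        integrity.sh check DIR FILE      (periodically, e.g. from cron)
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```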
Tripwire is the most popular host-based IDS for Linux. Tripwire,
Inc., the developers of Tripwire, opened the software source code
for the Linux version and licensed it under the terms of the GNU
General Public License. Tripwire is available from https://www.tripwire.org/.
Note: Tripwire is not included with Red Hat Enterprise Linux and is
not supported. It has been included in this document as a reference
for users who may be interested in using this popular
application.
The RPM Package Manager (RPM) is another program that can be
used as a host-based IDS. RPM contains various options for querying
packages and their contents. These verification options can be
invaluable to an administrator who suspects that critical system
files and executables have been modified.
The following list details some RPM options that can verify file
integrity on a Red Hat Enterprise Linux system. Refer to the
Red Hat Enterprise Linux System Administration
Guide for complete information about using RPM.
Important: Some of the commands in the following list require the
import of the Red Hat GPG public key into the system's RPM
keyring. This key verifies that packages installed on the system
carry a Red Hat package signature, which ensures that the
packages originated from Red Hat. The key can be imported by
issuing the following command as root (substituting <version> with the version of RPM
installed on the system):
rpm --import /usr/share/doc/rpm-<version>/RPM-GPG-KEY
- rpm -V package_name
The -V option verifies the files in the
installed package called package_name. If it shows no output and
exits, none of the files have been modified in any
way since the last time the RPM database was updated. If there is
an error, such as the following, then the file has been modified in some way and you must assess
whether to keep the file (such as with modified configuration files
in the /etc/ directory) or delete the
file and reinstall the package that contains it. The following list
defines the elements of the 8-character string (S.5....T in the above example) that
notifies of a verification failure.
  - . — The test has passed this phase of verification
  - ? — The test has found a file that could not be read, which is most likely a file permission issue
  - S — The test has encountered a file that is smaller or larger than it was when originally installed on the system
  - 5 — The test has found a file whose md5 checksum does not match the original checksum of the file when first installed
  - M — The test has detected a file permission or file type error on the file
  - D — The test has encountered a device file mismatch in major/minor number
  - L — The test has found a symbolic link that has been changed to another file path
  - U — The test has found a file that had its user ownership changed
  - G — The test has found a file that had its group ownership changed
  - T — The test has encountered mtime verification errors on the file
- rpm -Va
The -Va option verifies all installed packages and finds any failure in its
verification tests (much like the -V
option, but more verbose in its output since it is verifying every
installed package).
- rpm -Vf /bin/ls
The -Vf option verifies individual
files in an installed package. This can be useful when performing a
quick verification of a suspect file.
- rpm -K application-1.0.i386.rpm
The -K option is useful for checking
the md5 checksum and the GPG signature of an RPM package file. This
is useful for checking whether a package about to be installed is
signed by Red Hat or any organization for which you have the GPG
public key imported into a GPG keyring. A package that has not been
properly signed triggers an error message similar to the
following:
application-1.0.i386.rpm (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#897da07a)
Exercise caution when installing packages that are unsigned as
they are not approved by Red Hat, Inc. and could contain malicious
code.
RPM can be a powerful tool, as evidenced by its many
verification tools for installed packages and RPM package files. It
is strongly recommended that the contents of the RPM database
directory (/var/lib/rpm/) be backed up to
read-only media, such as CD-ROM, after installation of Red Hat
Enterprise Linux. Doing so allows verification of files and
packages against the read-only database, rather than against the
database on the system, as malicious users may corrupt the database
and skew the results.
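To put the rpm -V output format and the read-only database advice above into practice, here is an added shell example (not from the page or from RPM itself) that decodes the attribute column of rpm -V / rpm -Va output using the flag meanings listed earlier and runs it over a constructed sample; the file names in the sample are made up, and the decoder assumes the 8-column layout described above, reporting any other column character as unknown.

```shell
# Decode rpm -V attribute strings (added example; not code from the page or from RPM).
# Assumes the 8-column "SM5DLUGT" layout described above; unknown columns are flagged, not dropped.

# decode_attrs STRING: print the names of the failed checks, e.g. "size md5 mtime".
decode_attrs() {
    attrs=$1; out=""
    while [ -n "$attrs" ]; do
        c=${attrs%"${attrs#?}"}; attrs=${attrs#?}      # peel off the first character
        case $c in
            .)   ;;                                      # this check passed
            '?') out="$out unreadable" ;;                # file could not be read (permissions)
            S)   out="$out size" ;;
            5)   out="$out md5" ;;
            M)   out="$out mode" ;;                      # permission or file type
            D)   out="$out device" ;;                    # major/minor number mismatch
            L)   out="$out symlink" ;;
            U)   out="$out user" ;;
            G)   out="$out group" ;;
            T)   out="$out mtime" ;;
            *)   out="$out unknown($c)" ;;
        esac
    done
    echo "${out# }"
}

# report_verify: read rpm -V / -Va output on stdin and print one line per affected file:
#   PATH [type]: failed checks      or      PATH [type]: missing
# rpm may put a one-letter file type (c = config, d = documentation, ...) between the
# attribute column and the path; "missing" in the first column means the file is gone.
report_verify() {
    while read -r attrs rest; do
        [ -n "$attrs" ] || continue
        case $rest in
            [a-z]\ *) type=" [${rest%% *}]"; path=${rest#* } ;;
            *)        type=""; path=$rest ;;
        esac
        if [ "$attrs" = "missing" ]; then
            echo "$path$type: missing"; continue
        fi
        failed=$(decode_attrs "$attrs")
        if [ -n "$failed" ]; then echo "$path$type: $failed"; fi   # passing files print nothing
    done
}

# Constructed sample of rpm -Va output (made-up file names, not output from a real system).
SAMPLE_VERIFY_OUTPUT='S.5....T c /etc/sample.conf
.M......   /bin/ls
missing   d /usr/share/doc/sample-1.0/README'

# Run with --demo to decode the sample; for real checks, source this file and pipe rpm's output in.
if [ "${1:-}" = "--demo" ]; then printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | report_verify; fi
```

After sourcing the file, `rpm -Va | report_verify` decodes a live system, and `rpm --dbpath /media/cdrom/rpm -Va | report_verify` verifies against the backed-up database instead (--dbpath is a standard rpm option; the mount point is an assumption).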
The following list discusses some of the other popular
host-based intrusion detection systems available. Refer to the
websites of the respective utilities for more information regarding
installation and configuration.
Note: These applications are not included with Red Hat Enterprise
Linux and are not supported. They have been included in this
document as a reference for users who may be interested in
evaluating such applications.
- SWATCH https://sourceforge.net/projects/swatch/ — The
Simple WATCHer (SWATCH) uses log files generated by syslog to alert administrators of anomalies based on
user configuration files. SWATCH was designed to log any event that
the user wants to add into the configuration file; however, it has
been adopted widely as a host-based IDS.
- LIDS https://www.lids.org/ — The Linux Intrusion
Detection System (LIDS) is a kernel patch and administration tool
that can also control file modification with access control lists
(ACLs), and protect processes and files, even from the root
user.