9.2. Host-based IDS

A host-based IDS analyzes several areas to determine misuse (malicious or abusive activity inside the network) or intrusion (breaches from the outside). Host-based IDSes consult several types of log files (kernel, system, server, network, firewall, and more), and compare the logs against an internal database of common signatures for known attacks. UNIX and Linux host-based IDSes make heavy use of syslog and its ability to separate logged events by their severity (for example, minor printer messages versus major kernel warnings). The host-based IDS filters the logs (which, in the case of some network and kernel event logs, can be quite verbose), analyzes them, re-tags the anomalous messages with its own system of severity rating, and collects them in its own specialized log for administrator analysis.

Host-based IDSes can also verify the data integrity of important files and executables. The IDS checks a database of sensitive files (and any files that you may want to add) and creates a checksum of each file with a message digest utility such as md5sum (128-bit algorithm) or sha1sum (160-bit algorithm). The host-based IDS then stores the sums in a plain text file and periodically compares the file checksums against the values in the text file. If any of the file checksums do not match, the IDS alerts the administrator by email or cellular pager. This is the process used by Tripwire, which is discussed in Section 9.2.1 Tripwire.
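The baseline-and-compare cycle described above, as an added shell example that is not part of this guide and is not Tripwire's code. It assumes the watched files are named one per line in a plain-text list and that the baseline is kept in sha1sum's own "<sum>  <path>" format, so the demo data it creates is constructed rather than taken from a real system:

```shell
#!/bin/sh
# Added example (not from the page or from Tripwire): a minimal version of the
# checksum-baseline procedure described above, using sha1sum. Assumptions: the
# watched files are listed one per line in a plain-text list, and the baseline
# is kept in sha1sum's own "<sum>  <path>" format.
set -u

# build_baseline LISTFILE BASELINE
#   Hash every path named in LISTFILE and write the sums to BASELINE.
build_baseline() {
    : > "$2"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        sha1sum "$path" >> "$2"
    done < "$1"
}

# check_baseline BASELINE
#   Re-hash every file recorded in BASELINE and print "CHANGED <path>" or
#   "MISSING <path>" for each mismatch. Returns 0 only if everything matched.
check_baseline() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected=${line%% *}      # hex digest before the first space
        path=${line#*  }          # sha1sum separates digest and path with two spaces
        if [ ! -r "$path" ]; then
            printf 'MISSING %s\n' "$path"
            rc=1
            continue
        fi
        actual=$(sha1sum "$path")
        actual=${actual%% *}
        if [ "$actual" != "$expected" ]; then
            printf 'CHANGED %s\n' "$path"
            rc=1
        fi
    done < "$1"
    return $rc
}

# --- constructed demo data; a real list would name files under /etc, /bin, etc. ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo_dir/passwd"
printf '#!/bin/sh\necho hello\n' > "$demo_dir/ps"
printf '%s\n%s\n' "$demo_dir/passwd" "$demo_dir/ps" > "$demo_dir/watchlist"

build_baseline "$demo_dir/watchlist" "$demo_dir/baseline.sha1"
check_baseline "$demo_dir/baseline.sha1" && echo "first check: all files intact"

# Alter one watched file in place; the next periodic comparison reports it
printf '# appended line\n' >> "$demo_dir/ps"
check_baseline "$demo_dir/baseline.sha1" || echo "second check: mismatches found"
```

A cron job that runs check_baseline and mails its output is the whole of the mechanism; what makes it trustworthy is where the baseline lives. Like the RPM database discussed later in this section, the sums file only proves anything if it is stored where an intruder on the host cannot rewrite it (read-only media or a separate host).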

9.2.1. Tripwire

Tripwire is the most popular host-based IDS for Linux. Tripwire, Inc., the developers of Tripwire, recently opened the software source code for the Linux version and licensed it under the terms of the GNU General Public License. Red Hat Linux includes Tripwire, which is available in RPM package format for easy installation and upgrade.

Detailed information on the installation and configuration of Tripwire can be found in the Red Hat Linux Reference Guide.

9.2.2. RPM as an IDS

The RPM Package Manager (RPM) is another program that can be used as a host-based IDS. RPM contains various options for querying packages and their contents. These verification options can be invaluable to an administrator who suspects that critical system files and executables have been modified.

The following list details some options for RPM that you can use to verify file integrity on your Red Hat Linux system. Refer to the Red Hat Linux Customization Guide for complete information about using RPM.

Important
Some of the commands in the list that follows require that you import the Red Hat GPG public key into your RPM keyring. This key verifies that packages installed on your system carry a Red Hat package signature, which ensures that your packages originated from Red Hat. The key can be imported with the following command (substituting <version> with the version of RPM installed on your system):

rpm --import /usr/share/doc/rpm-<version>/RPM-GPG-KEY

rpm -V package_name

The -V option verifies the files in the installed package called package_name. If it shows no output and exits, this means that none of the files have been modified in any way since the last time the RPM database was updated. If there is an error, such as

S.5....T c /bin/ps

then the file has been modified in some way and you need to assess whether to keep the file (such is the case with modified configuration files in /etc) or delete the file and reinstall the package that contains it. The following list defines the elements of the 8-character string (S.5....T in the above example) that indicates a verification failure.

  • . — The test has passed this phase of verification

  • ? — The test has found a file that could not be read, which is most likely a file permission issue

  • S — The test has encountered a file that is smaller or larger than it was when originally installed on the system

  • 5 — The test has found a file whose md5 checksum does not match the original checksum of the file when first installed

  • M — The test has detected a file permission or file type error on the file

  • D — The test has encountered a device file mismatch in major/minor number

  • L — The test has found a symbolic link that has been changed to another file path

  • U — The test has found a file that had its user ownership changed

  • G — The test has found a file that had its group ownership changed

  • T — The test has encountered mtime verification errors on the file
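An added example, not from this guide or from RPM itself, that turns the per-file lines rpm -V prints into one readable reason per failed test, using the flag letters listed above. It assumes each line has the shape "<flags> [c] <path>" as in the example above; the "missing" form it also handles (rpm prints the word missing in place of the flag string when a packaged file is absent) is not shown on this page. The sample lines fed to it are constructed, not captured from a real system:

```shell
#!/bin/sh
# Added example (not from the page or from RPM): a parser for the per-file
# lines that "rpm -V" prints, turning the 8-character test string into one
# reason per failed test. Assumptions: input lines look like
# "<flags> [c] <path>" as shown above; "missing" in place of the flags
# marks a file that is absent (an rpm output form the page does not show).
set -u

# explain_rpm_verify "S.5....T c /bin/ps"
#   Print one line per failed test. Returns 0 when nothing failed, 1 otherwise.
explain_rpm_verify() {
    flags=${1%% *}                      # the test string (or "missing")
    rest=${1#* }
    rest=${rest#"${rest%%[! ]*}"}       # trim leading spaces
    case "$rest" in
        [a-z]" "*) attr=${rest%% *}; path=${rest#* }; path=${path#"${path%%[! ]*}"} ;;
        *)         attr=""; path=$rest ;;
    esac
    case "$attr" in
        "") kind="" ;;
        c)  kind=" (config file)" ;;    # the marker shown in the page's example
        *)  kind=" (attribute $attr)" ;;
    esac
    if [ "$flags" = missing ]; then
        printf '%s%s: file is missing\n' "$path" "$kind"
        return 1
    fi
    rc=0
    s=$flags
    while [ -n "$s" ]; do
        ch=${s%"${s#?}"}                # first character of the remaining string
        s=${s#?}
        case $ch in
            .)   continue ;;
            S)   reason="size differs" ;;
            5)   reason="MD5 checksum differs" ;;
            M)   reason="mode (permissions or file type) differs" ;;
            D)   reason="device major/minor number differs" ;;
            L)   reason="symbolic link target differs" ;;
            U)   reason="user ownership differs" ;;
            G)   reason="group ownership differs" ;;
            T)   reason="mtime differs" ;;
            '?') reason="test skipped, file could not be read" ;;
            *)   reason="unrecognised test flag '$ch'" ;;
        esac
        printf '%s%s: %s\n' "$path" "$kind" "$reason"
        rc=1
    done
    return $rc
}

# --- constructed sample lines, not captured from a real system ---
sample_output='S.5....T c /bin/ps
......G. /usr/bin/example
missing   c /etc/example.conf'

printf '%s\n' "$sample_output" | while IFS= read -r line; do
    explain_rpm_verify "$line" || :
done
```

On a live system the function is fed with rpm -Va | while IFS= read -r line; do explain_rpm_verify "$line"; done. A size, checksum and mtime change on a file like /bin/ps is worth far more attention than an mtime-only change on a configuration file, which is exactly the distinction the per-flag output makes visible.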

rpm -Va

The -Va option verifies all installed packages and finds any failure in its verification tests (much like the -V option, but more verbose in its output since it is verifying every installed package).

rpm -Vf /bin/ls

The -Vf option verifies individual files in an installed package. This can be useful if you wish to perform a quick verification of a suspect file.

rpm -K application-1.0.i386.rpm

The -K option is useful for checking the md5 checksum and the GPG signature of an RPM package file. This is useful for checking whether a package you want to install is signed by Red Hat or any organization for which you have the GPG public key imported into your GPG keyring. A package that has not been properly signed will emit an error message similar to the following:

application-1.0.i386.rpm (SHA1) DSA sha1 md5 (GPG) NOT OK
    (MISSING KEYS: GPG#897da07a)

Exercise caution when installing packages that are unsigned as they are not approved by Red Hat, Inc. and could contain malicious code.

RPM can be a powerful tool, as evidenced by its many verification tools for installed packages and RPM package files. It is strongly recommended that you back up the contents of your RPM database directory (/var/lib/rpm/) to read-only media, such as CD-ROM, after you install Red Hat Linux. Doing so allows you to safely verify files and packages against the read-only database, rather than against the database on the system, as malicious users may corrupt the database and skew your results.

9.2.3. Other Host-based IDSes

The following list discusses some of the other popular host-based intrusion detection systems available. Refer to the websites of the respective utilities for more information about installing and configuring them in your environment.

Note
These applications are not included with Red Hat Linux and are not supported. They have been included in this document as a reference to users who may be interested in evaluating such applications.