HIDS software runs locally on every server to detect unwanted changes to local configuration files, binaries, or services. HIDS software falls into three groups: system integrity verifiers (SIV), log file monitors (LFM), and operating system patches (OS extenders), which add security functionality to the kernel and core utilities. (The HIDS discussed in this article are OS-dependent, and most of them are written for Linux.)
The AIDE (Advanced Intrusion Detection Environment) utility, an open source alternative to Tripwire, is typical SIV software for monitoring file system changes. It records a snapshot of the directory tree together with each file's checksum, size, and attribute settings in a database; regular expressions in its configuration determine which files are included. Later runs compare the current file system with the database, using one or more message digest algorithms, to show which files have been altered, added, or removed.
The sXid program is an all-in-one suid/sgid bit monitor designed to run regularly from cron. A local user (or intruder) can abuse the suid/sgid bits on executable files to gain elevated privileges, which is very dangerous. sXid tracks changes to your suid/sgid files and directories: new ones, ones whose bits have been removed, and ones whose permission bits or other modes have changed. It reports the changes in an easy-to-read format by e-mail or on the command line.
chkrootkit is a shell script that checks system binaries for rootkit modification. It looks for known signatures in Trojaned system binaries, knows more than 50 rootkits, and runs on numerous platforms.
As a rule, every operating system already ships some tools for basic IDS monitoring: scripts and programs designed to run regularly from cron. For example, FreeBSD has security scripts (/etc/periodic/daily/450.status-security and others) that run daily and report, among other things, changes to the set of setuid files.
You can easily write such scripts yourself, combining a checksum utility (md5 on FreeBSD, md5sum on Linux) with the standard find utility for suid/sgid bit monitoring. Because MD5 is no longer collision resistant, a new script should prefer sha256 (sha256sum on Linux). This is an example of how you get a file's checksum from the Unix shell (FreeBSD md5 output format):
$ md5 postfix-delete.sh
MD5 (postfix-delete.sh) = 9ed41add22f840c3311dd30b4f045d6b
The following output results from a command that lists files with both the suid and sgid bits set. Note that -perm -6000 matches only files that have both bits; to list files with either bit set, use -perm +6000 with FreeBSD find (or -perm /6000 with GNU find), or run the search twice with -perm -4000 and -perm -2000:
white@dragon:/etc>find /usr/bin -perm -6000 -print -ls
8280 272 -r-sr-sr-x 1 uucp dialer 123888 Jul 23 2001 /usr/bin/cu
7943 190 -r-sr-sr-x 1 uucp dialer 96752 Jul 23 2001 /usr/bin/uustat
8250 46 -r-sr-sr-x 1 root daemon 22728 Jul 23 2001 /usr/bin/lpq
8251 52 -r-sr-sr-x 1 root daemon 26216 Jul 23 2001 /usr/bin/lpr
8252 44 -r-sr-sr-x 1 root daemon 21676 Jul 23 2001 /usr/bin/lprm
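The tools above all reduce to the same loop: record a baseline of each file's attributes and checksum, then compare a fresh scan against it. The following Python script, added here as an illustration and not taken from AIDE, sXid or the original article, implements that loop in miniature: it stores size, permission bits, owner, group, mtime and a SHA-256 digest per file, reports added, removed and changed files, and, like sXid, flags any change in setuid/setgid bits. The scratch bin tree and the tampering performed in demo() are constructed; the file names and paths there are illustrative.

```python
"""Minimal system-integrity verifier in the spirit of AIDE and sXid.

Added example written for this article; not code from AIDE, sXid or the
original text. Records size, permission bits (including setuid/setgid),
owner, group, mtime and a SHA-256 digest per regular file, stores them as
JSON, and reports added/removed/changed files and setuid/setgid changes.
The scratch tree built by demo() is constructed for illustration.
"""
import hashlib
import json
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def file_record(path):
    """Attributes a SIV compares for one file; 'mode' keeps the suid/sgid bits."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "mtime": st.st_mtime_ns,
            "sha256": digest.hexdigest()}


def build_baseline(root):
    """Walk root and record every regular file; symlinks are skipped."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline


def save_baseline(baseline, dbfile):
    """Write the database; in production keep it on read-only media."""
    with open(dbfile, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(dbfile):
    with open(dbfile) as f:
        return json.load(f)


def compare(old, new):
    """Return (kind, relative path, detail) tuples. Kinds: added, removed,
    changed (detail lists the differing attributes), new_setid, setid_changed."""
    findings = []
    for path in sorted(set(old) | set(new)):
        o, n = old.get(path), new.get(path)
        if o is None:
            findings.append(("added", path, oct(n["mode"])))
            if n["mode"] & SETID_BITS:
                findings.append(("new_setid", path, oct(n["mode"])))
        elif n is None:
            findings.append(("removed", path, oct(o["mode"])))
        else:
            changed = [k for k in o if o[k] != n[k]]
            if changed:
                findings.append(("changed", path, ",".join(changed)))
            if (o["mode"] ^ n["mode"]) & SETID_BITS:
                findings.append(("setid_changed", path,
                                 "%s -> %s" % (oct(o["mode"]), oct(n["mode"]))))
    return findings


def _write(path, data, mode):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)  # explicit chmod, so the umask cannot strip bits


def demo():
    """Constructed scenario: baseline a scratch 'bin' tree, then tamper with it
    the way a rootkit or a careless administrator might, and return findings."""
    root = tempfile.mkdtemp(prefix="siv-demo-")
    tree = os.path.join(root, "bin")
    os.mkdir(tree)
    _write(os.path.join(tree, "ls"), b"#!/bin/sh\nexec /bin/ls \"$@\"\n", 0o755)
    _write(os.path.join(tree, "passwd"), b"#!/bin/sh\necho passwd\n", 0o4755)
    dbfile = os.path.join(root, "baseline.json")
    save_baseline(build_baseline(tree), dbfile)

    # Tampering: trojaned ls, a new setuid shell wrapper, passwd loses its bit.
    _write(os.path.join(tree, "ls"),
           b"#!/bin/sh\n# trojaned\nexec /bin/ls \"$@\"\n", 0o755)
    _write(os.path.join(tree, "backdoor"), b"#!/bin/sh\nexec /bin/sh\n", 0o4755)
    os.chmod(os.path.join(tree, "passwd"), 0o755)

    return compare(load_baseline(dbfile), build_baseline(tree))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print("%-14s %-10s %s" % (kind, path, detail))
```

Run it directly to see the findings for the constructed scenario. Two caveats a real deployment needs: the baseline file must live where an intruder who gains root cannot rewrite it (read-only media or a remote host), and the comparison should be scheduled from cron, like sXid and FreeBSD's daily scripts, rather than run by hand.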
Logcheck is typical LFM software: it scans your log files automatically for problems and security violations and sends the results to you by e-mail. Many SIV HIDS also include their own log-checking components.
Logsurfer is a log checking and auditing tool similar to logcheck, but with the added capability to handle multi-line messages and dynamically adapt the rule set. Written in portable C, logsurfer is well documented, fast, and flexible. It works on any plain-text file or standard input, can run at intervals or continuously, and has timeouts and resource limits.
Swatch (Simple Watcher) is a program for monitoring UNIX system logs. Written in Perl, it watches messages as they are appended to a log file by the syslog facility, filters out unwanted data, and takes one or more simple user-specified actions when a line matches a pattern. Swatch was designed to keep system administrators from being overwhelmed by large quantities of log data while still alerting them immediately to serious problems as they occur.
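All three log monitors work the same way: drop known noise, match the remaining lines against patterns, and escalate when a pattern recurs too often. The Python script below is an added example, not code from logcheck, Logsurfer or Swatch; it shows an ignore list, single-hit alert rules, and a swatch-style threshold on repeated failed SSH logins per source address, run over a handful of constructed syslog lines. The host name, addresses and PIDs in SAMPLE_LOG are made up.

```python
"""Pattern-based log monitor in the spirit of logcheck and swatch.

Added example for this article; not code from any of the tools it names.
Lines matching an ignore pattern are dropped first, single-hit rules alert
on every match, and a threshold rule aggregates failed SSH logins by
source address. SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import Counter

# Known noise (logcheck keeps such patterns in ignore.d). Keep them tight:
# an over-broad ignore pattern would hide the events the alert rules exist for.
IGNORE = [re.compile(p) for p in (
    r" CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed) ",
)]

# Single-hit rules: every matching line is reported (swatch 'watchfor').
ALERT = [
    ("root login via ssh", re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (\S+)")),
    ("promiscuous mode", re.compile(r"device \S+ entered promiscuous mode")),
    ("su to root", re.compile(r"su\[\d+\]: \(to root\) (\S+) on ")),
]

# Threshold rule: repeated failures from one source within the batch.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
THRESHOLD = 3

# Constructed syslog excerpt; host, addresses and PIDs are invented.
SAMPLE_LOG = """\
Jul 23 10:15:01 dragon CRON[4101]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 23 10:15:02 dragon sshd[4110]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Jul 23 10:15:03 dragon sshd[4110]: Failed password for invalid user admin from 10.0.0.5 port 51235 ssh2
Jul 23 10:15:05 dragon sshd[4112]: Failed password for root from 10.0.0.5 port 51236 ssh2
Jul 23 10:15:09 dragon sshd[4115]: Failed password for white from 192.168.1.20 port 40001 ssh2
Jul 23 10:15:30 dragon sshd[4120]: Accepted publickey for root from 10.0.0.9 port 1022 ssh2
Jul 23 10:16:00 dragon kernel: device eth0 entered promiscuous mode
Jul 23 10:16:10 dragon su[4130]: (to root) white on /dev/pts/1
Jul 23 10:16:11 dragon CRON[4101]: pam_unix(cron:session): session closed for user root
Jul 23 10:17:00 dragon httpd[4140]: GET /index.html 200
""".splitlines()


def scan(lines, threshold=THRESHOLD):
    """Return (rule name, evidence) tuples for a batch of log lines.
    Single-hit alerts come first in log order, then threshold alerts."""
    alerts = []
    failures = Counter()
    for line in lines:
        if any(p.search(line) for p in IGNORE):
            continue
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group(2)] += 1  # group 2 is the source address
            continue
        for name, pattern in ALERT:
            if pattern.search(line):
                alerts.append((name, line.strip()))
                break  # first matching rule wins, as in logcheck
    for src, count in sorted(failures.items()):
        if count >= threshold:
            alerts.append(("repeated failed logins",
                           "%d failures from %s" % (count, src)))
    return alerts


if __name__ == "__main__":
    for name, evidence in scan(SAMPLE_LOG):
        print("%-24s %s" % (name, evidence))
```

For continuous operation, feed scan() from a process that follows the log file (for example tail -F) rather than reading it in one batch, and reset the failure counters on a time window so that a slow scan over days still crosses the threshold.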
Operating System Patches
LIDS (Linux Intrusion Detection System) is a collection of patches for the Linux kernel, together with administration utilities, that raise the operating system's security level by making it harder for an intruder to gain privileged rights. It adds mandatory access control (MAC) protection for files and processes and includes a port scan detector. Once the patches are in place, even the superuser (and its processes) is limited to the previously configured rule set, so you must be very precise when installing and enabling them: a mistake in the rules can lock the administrator out of ordinary administrative work.
The Openwall Linux kernel patch is one of the most popular Linux hardening patches. It is a collection of security-related features for the Linux kernel (for example a non-executable user stack area and restrictions on following links and FIFOs in world-writable directories such as /tmp), all configurable through a new Security options section of the kernel configuration. In addition to new features, some versions of the patch contain various security fixes.
The same patches are part of Owl (Openwall GNU/*/Linux), a security-enhanced operating system with Linux and GNU software as its core that remains compatible with the other major GNU/*/Linux server distributions.
SELinux (Security-Enhanced Linux) is a U.S. National Security Agency project that adds mandatory access control to the Linux kernel. Its security mechanisms flexibly support a wide range of security policies, so the system can be configured to meet many different security requirements. The release includes a general-purpose example policy configuration designed to meet a number of security objectives, to show how this may be done. Because a process stays confined to its policy no matter how it was compromised, SELinux limits the damage even of attacks that exploit previously unknown vulnerabilities.
The MAC Framework is one of two significant new security mechanisms introduced in FreeBSD 5.x by the TrustedBSD project; file system access control lists (ACLs) are the other. The framework loads access control modules that implement new security policies. Some protect a narrow subset of the system or harden a particular service, while others provide comprehensive labeled security across all subjects and objects. In scope the MAC Framework is very similar to SELinux.
Grsecurity, a GPL-licensed project for Linux, takes a multi-layered approach of detection, prevention, and containment. It too is a set of patches for the Linux kernel and accompanying utilities. Its most interesting features are role-based access control (RBAC), chroot restrictions, protection against address space modification (the PaX component), and extensive auditing.