332.2 Host Intrusion Detection (weight: 5)

Tech Tutorial: 332.2 Host Intrusion Detection #

Introduction #

Host Intrusion Detection Systems (HIDS) are essential tools for monitoring and analyzing system behavior and state, identifying unauthorized activities that can indicate a breach or other security incidents. In this tutorial, we will cover various utilities and methods that can be employed to implement a HIDS on a Linux system. We’ll focus on practical, hands-on examples to ensure you can apply these tools effectively.

Exam Objective: #

The objective is to understand, implement, and manage host-based intrusion detection systems.

Key Knowledge Areas: #

  • Understanding of host intrusion detection principles
  • Installation and configuration of AIDE
  • Understanding of key features of intrusion detection systems such as log monitoring, file integrity checking, and real-time alerting

Utilities: #

  • AIDE
  • Auditd
  • Syslog

Step-by-Step Guide #

1. AIDE (Advanced Intrusion Detection Environment) #

AIDE is a file and directory integrity checker, which helps in detecting unauthorized changes.

Installation: #

sudo apt-get update
sudo apt-get install aide

Configuration: #

Initialize the database before starting the monitoring.

sudo aideinit

This will create a snapshot of the current system state, which AIDE will use for comparison in future checks.

Running a Check: #

To check for changes, run:

sudo aide --check

This command compares the current state of the system to the snapshot stored in the database.

2. Auditd #

auditd is the Linux Audit daemon, part of the Linux Auditing System, which can record system calls, file accesses, and other events.

Installation: #

sudo apt-get install auditd

Configuration: #

To monitor file access on /etc/passwd, add a rule:

sudo auditctl -w /etc/passwd -p war -k password-file
  • -w specifies the file to watch
  • -p war specifies to watch for write, append, and read access
  • -k sets a key name for easy identification in logs

Viewing Logs: #

To see the logs related to the password-file:

sudo ausearch -k password-file

3. Syslog #

Syslog is a standard for message logging. It can be used to consolidate logs from different sources for analysis.

Configuration for Intrusion Detection: #

Configure /etc/rsyslog.conf to forward logs to a central server:

*.* @192.168.1.100:514

This forwards all logs to the server at 192.168.1.100 on port 514.

Checking Syslog Messages: #

To check syslog messages locally:

cat /var/log/syslog

Detailed Code Examples #

Enhanced AIDE Usage: #

Automate the checking process with a cron job:

echo "0 3 * * * root /usr/bin/aide --check" | sudo tee -a /etc/crontab

This sets up a daily check at 03:00 AM.

Advanced Auditd Monitoring: #

Monitor all commands executed by the user alice:

sudo auditctl -a always,exit -F arch=b64 -S execve -F auid=1001 -k alice-actions
  • execve is the system call for executing a new program.
  • auid=1001 should be replaced with Alice’s actual UID.

Syslog Remote Logging: #

Enhance security by limiting access to the syslog server:

*.* @@192.168.1.100:514

Using @@ ensures encrypted syslog messages are sent over TCP.

Conclusion #

In this tutorial, we have explored several key utilities (AIDE, Auditd, and Syslog) for implementing host intrusion detection systems on Linux. By following the examples and adjusting configurations as needed, you can strengthen the security posture of your Linux systems against unauthorized changes and potential breaches. Regular monitoring and updating of the detection rules are essential to maintaining an effective HIDS.