Tech Tutorial: 332.2 Host Intrusion Detection #
Introduction #
Host Intrusion Detection Systems (HIDS) are essential tools for monitoring and analyzing system behavior and state, identifying unauthorized activities that can indicate a breach or other security incidents. In this tutorial, we will cover various utilities and methods that can be employed to implement a HIDS on a Linux system. We’ll focus on practical, hands-on examples to ensure you can apply these tools effectively.
Exam Objective: #
The objective is to understand, implement, and manage host-based intrusion detection systems.
Key Knowledge Areas: #
- Understanding of host intrusion detection principles
- Installation and configuration of AIDE
- Understanding of key features of intrusion detection systems such as log monitoring, file integrity checking, and real-time alerting
Utilities: #
- AIDE
- Auditd
- Syslog
Step-by-Step Guide #
1. AIDE (Advanced Intrusion Detection Environment) #
AIDE is a file and directory integrity checker, which helps in detecting unauthorized changes.
Installation: #
sudo apt-get update
sudo apt-get install aide
Configuration: #
Initialize the database before starting the monitoring.
sudo aideinit
This will create a snapshot of the current system state, which AIDE will use for comparison in future checks.
Running a Check: #
To check for changes, run:
sudo aide --check
This command compares the current state of the system to the snapshot stored in the database.
2. Auditd #
auditd
is the Linux Audit daemon, part of the Linux Auditing System, which can record system calls, file accesses, and other events.
Installation: #
sudo apt-get install auditd
Configuration: #
To monitor file access on /etc/passwd
, add a rule:
sudo auditctl -w /etc/passwd -p war -k password-file
-w
specifies the file to watch-p war
specifies to watch for write, append, and read access-k
sets a key name for easy identification in logs
Viewing Logs: #
To see the logs related to the password-file
:
sudo ausearch -k password-file
3. Syslog #
Syslog is a standard for message logging. It can be used to consolidate logs from different sources for analysis.
Configuration for Intrusion Detection: #
Configure /etc/rsyslog.conf
to forward logs to a central server:
*.* @192.168.1.100:514
This forwards all logs to the server at 192.168.1.100
on port 514
.
Checking Syslog Messages: #
To check syslog messages locally:
cat /var/log/syslog
Detailed Code Examples #
Enhanced AIDE Usage: #
Automate the checking process with a cron job:
echo "0 3 * * * root /usr/bin/aide --check" | sudo tee -a /etc/crontab
This sets up a daily check at 03:00 AM.
Advanced Auditd Monitoring: #
Monitor all commands executed by the user alice
:
sudo auditctl -a always,exit -F arch=b64 -S execve -F auid=1001 -k alice-actions
execve
is the system call for executing a new program.auid=1001
should be replaced with Alice’s actual UID.
Syslog Remote Logging: #
Enhance security by limiting access to the syslog server:
*.* @@192.168.1.100:514
Using @@
ensures encrypted syslog messages are sent over TCP.
Conclusion #
In this tutorial, we have explored several key utilities (AIDE, Auditd, and Syslog) for implementing host intrusion detection systems on Linux. By following the examples and adjusting configurations as needed, you can strengthen the security posture of your Linux systems against unauthorized changes and potential breaches. Regular monitoring and updating of the detection rules are essential to maintaining an effective HIDS.