Chapter 10. Intrusion Detection
event logs such as network and kernel, can be quite verbose), analyze them, re-tag the anomalous packets with its own system of warning and severity ratings, and collect them in its own specialized log for administrator analysis.
Host-based IDSes can also verify the data integrity of important files and executables. The IDS checks a database of sensitive files (and any files that you may want to add) and creates a checksum of each file with a message digest utility such as md5sum (128-bit algorithm) or sha1sum (160-bit algorithm). The IDS then stores the sums in a plain text file and periodically compares the file checksums against the values in that text file. If any of the file checksums do not match, the IDS alerts the administrator by email or pager. This is the process used by Tripwire, which is discussed in Section 10.2.1.
10.2.1. Tripwire
Tripwire is the most popular host-based IDS for Linux. Tripwire, Inc., the developers of Tripwire, recently opened the source code for the Linux version and licensed it under the terms of the GNU General Public License. Red Hat Linux includes Tripwire, which is available in RPM package format for easy installation and upgrade.
Detailed information on the installation and configuration of Tripwire can be found in the chapter
titled "Installing and Configuring Tripwire" in the Official Red Hat Linux Customization Guide. Refer
to that chapter for more information.
10.2.2. RPM as an IDS
The RPM Package Manager (RPM) is another program that can be used as a host-based IDS. RPM contains various options for querying packages and their contents. These verification options can be invaluable to an administrator who suspects that critical system files and executables have been modified.
The following list details some options for RPM that you can use to verify file integrity on your Red
Hat Linux system. Refer to the Official Red Hat Linux Customization Guide for complete information
about using RPM.
Important
Some of the commands in the list that follows require that you import the official Red Hat GPG public key into your RPM keyring. This key verifies that packages installed on your system carry an official Red Hat package signature, which ensures that your packages originated from Red Hat. The key can be imported with the following command (substituting version with the version of RPM installed on your system):
rpm --import /usr/share/doc/rpm-version/RPM-GPG-KEY
rpm -V package_name
This option verifies the files in the installed package called package_name. If it produces no output and exits, none of the files has been modified in any way since the last time the RPM database was updated. If there is an error, such as
S.5....T c /bin/ps
then the file has been modified in some way and you need to assess whether to keep the file (as is the case with modified configuration files in /etc) or delete the file and reinstall the package that contains it.
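As an added example (not part of the guide), the following Python script parses rpm -V output lines such as the one above and applies the keep-or-reinstall decision the text describes. The meanings of the attribute columns (S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group, T mtime) and of the file-type letters (c config, d doc, g ghost, l license, r readme) come from rpm's own documentation, not from this page; the sample output is constructed.

```python
import re
from dataclasses import dataclass

# Column meanings of the rpm -V attribute string (rpm's documented format;
# the page shows one such line, "S.5....T c /bin/ps").
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "MD5 digest", "D": "device number",
    "L": "symlink target", "U": "owner", "G": "group", "T": "mtime",
    "P": "capabilities",  # ninth column, printed only by newer rpm versions
}
FILE_TYPES = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}
# "missing" replaces the attribute string when the file is gone; "?" marks an untestable attribute.
LINE_RE = re.compile(r"^(missing|[SM5DLUGTP?.]{8,9})\s+(?:([cdglr])\s+)?(/\S.*)$")

@dataclass
class Finding:
    path: str
    file_type: str
    changes: list
    action: str

def triage(changes, file_type):
    """Map a verification result to the decision the text describes."""
    if "missing" in changes:
        return "reinstall package: file is missing"
    if file_type == "config":
        return "review: config file, keep if the change was intended"
    if changes == ["mtime"]:
        return "low: only mtime differs, contents still match the RPM database"
    return "reinstall package: contents or metadata of a non-config file differ"

def parse_rpm_verify(output):
    """Parse rpm -V output into Finding objects; lines that are not rpm -V records are skipped."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        attrs, ftype, path = m.groups()
        changes = ["missing"] if attrs == "missing" else [FLAG_MEANING[c] for c in attrs if c not in ".?"]
        file_type = FILE_TYPES.get(ftype, "regular")
        findings.append(Finding(path, file_type, changes, triage(changes, file_type)))
    return findings

# Constructed sample of rpm -V output; the first line is the one the guide shows.
SAMPLE = """\
S.5....T c /bin/ps
S.5....T   /bin/login
.......T   /usr/share/doc/foo-1.0/README
missing   c /etc/foo.conf
"""

if __name__ == "__main__":
    for f in parse_rpm_verify(SAMPLE):
        print(f"{f.path}: {', '.join(f.changes)} -> {f.action}")
```

In practice, feed it the output of rpm -Va run over the whole system rather than the constructed sample.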