====== Intrusion detection systems ======

===== AIDE =====

FIXME

===== Tripwire =====

=== links: ===

  * [[http://openchemist.net/linux/howto.php?id=sec001|Tripwire (debian)]]

==== Basic configuration (debian way) ====

Install tripwire with apt-get (''apt-get install tripwire''). The Debian package asks for a site passphrase and a local passphrase during installation; the policy file and the database are signed with those keys, so keep them somewhere safe (and off the machine). Then build the policy and initialise the database:

  cd /etc/tripwire
  /usr/sbin/twadmin --create-polfile twpol.txt
  /usr/sbin/tripwire --init
  # Have patience, this will take a minute or so and
  # you'll get loads of "No such file" warnings...

Ok, we're fully installed now. The warnings come from the stock policy listing lots of files that don't exist on a Debian box, so let's run our first check to get the list we need for tuning the policy:

  /usr/sbin/tripwire --check > twout.txt
  # lots of warnings and patience again...

Now use this {{fixpol.pl|perl script (fixpol.pl)}} to strip the non-existent files out of the policy:

  chmod u+x fixpol.pl
  ./fixpol.pl twout.txt twpol.txt | more
  # there's lots of output

**fixpol** prints what to do next near the end of its output, in particular:

  You should now run
      diff twpol.txt twpol.txt.new | more
  to make sure my changes aren't garbage.  If it looks ok run
      /usr/sbin/twadmin --create-polfile twpol.txt.new
      /usr/sbin/tripwire --init
  to install the new policy in the database.

Now you're in a position to run

  /usr/sbin/tripwire --check

regularly from cron or whatever. After a legitimate change (a package upgrade, say) the check will keep reporting it until you accept the new state into the database, so expect to re-run ''tripwire --init'' (or ''tripwire --update'' against the latest report) after such changes; otherwise a real intrusion hides in the noise.

===== Linux (misc) =====

**Comprehensive intrusion detection**

  * tiger - Report system security vulnerabilities
  * tiger-otheros - Scripts to run Tiger in other operating systems

  apt-get install tiger tiger-otheros

==== chkrootkit ====

see also: **[[http://www.kanenas.net/comments.php?y=06&m=05&entry=entry060502-073518|How to scan your Linux-Distro for Root Kits]]**

Either install the package that comes with your distribution (on Debian you would run)

  apt-get install chkrootkit

or download the sources from www.chkrootkit.org and install manually:

  wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
  tar xvfz chkrootkit.tar.gz
  cd chkrootkit-/
  make sense

Afterwards, you can move the chkrootkit directory somewhere else, e.g. ''/usr/local/chkrootkit'':

  cd ..
  mv chkrootkit-/ /usr/local/chkrootkit

Now you can run chkrootkit manually:

  cd /usr/local/chkrootkit
  ./chkrootkit

(if you installed a chkrootkit package coming with your distribution, your chkrootkit might be somewhere else). You can even run chkrootkit from a cron job and get the results emailed to you. Run ''crontab -e'' and create a cron job like this:

  0 3 * * * (cd /usr/local/chkrootkit-; ./chkrootkit 2>&1 | mail -s "chkrootkit output my server" you@yourdomain.com)

That would run chkrootkit every night at 03:00. Make sure the directory in the cron line is the one you actually moved chkrootkit to (''/usr/local/chkrootkit'' above). Keep in mind that chkrootkit is a shell script that trusts the ''ps'', ''netstat'', ''ls'' etc. of the host it runs on; a rootkit that has replaced those binaries or hooked the kernel can hide from it. For a host you already suspect, boot a rescue medium, mount the disk and point chkrootkit at it with ''-r /mnt'' so it uses the rescue system's own tools.

==== rkhunter ====

Download the latest rkhunter sources from www.rootkit.nl:

  wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
  tar xvfz rkhunter-1.2.7.tar.gz
  cd rkhunter/
  ./installer.sh

This will install rkhunter to the directory ''/usr/local/rkhunter''. Now run

  rkhunter --update

to download the latest rootkit/trojan/worm signatures (you should do this regularly). Now you can scan your system for malware by running

  rkhunter -c

==== Lynis ====

download from [[http://www.rootkit.nl/projects/lynis.html|here]]

  # wget http://www.rootkit.nl/files/lynis-1.1.8.tar.gz
  # tar xvfz lynis-1.1.8.tar.gz
  # cd lynis-1.1.8/
  # ./lynis --check-update
  # ./lynis -c

(the ''cd'' into the unpacked directory is assumed from the tarball name; adjust it to whatever ''tar'' actually created).

==== MD5 sum checks ====

  * **debsums** - Verify installed package files against MD5 checksums //(Debian systems)//. This only covers files shipped in packages, and the ''.md5sums'' lists live on the same host, so an attacker with root can edit them along with the binaries; treat it as a quick sanity check, not as evidence of integrity.
  * **md5sum** - Generate a checksum for the partition you wish to image, run from shell

  # md5sum /dev/hdc2 > /tmp/hdc2.md5

To make the copy of the disk(s), we'll use the dd command. From shell...

  # dd if=/dev/hdc of=/tmp/hdc.img

You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive. This means that /tmp shouldn't be a RAM disk and should not be stored on /dev/hdc. Write it to another hard disk!

Checksum the same object you hand to dd: a hash of ''/dev/hdc2'' will only ever match an image of that partition, so for ''/tmp/hdc.img'' take ''md5sum /dev/hdc'' before imaging and ''md5sum /tmp/hdc.img'' afterwards, and keep both hashes with the image. MD5 is fine for catching copy errors, but collisions are practical, so use SHA-256 (or both) where the image may end up as evidence.
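The Tripwire procedure above and the md5sum/dd section are both hash-based integrity checks: record a hash of something, re-hash it later, compare. As an added illustration, not code from this page nor from Tripwire, AIDE, chkrootkit or debsums, here is a small shell script that does the same two jobs with coreutils alone: a baseline/check pair in the spirit of ''tripwire --init'' / ''tripwire --check'' that reports added, removed and changed files, and a dd image verified against the checksum of its source and re-verifiable later. The function names, the ''.sha256'' side file and all paths are this example's own choices; it assumes GNU coreutils (sha256sum, find, sort, comm, dd, mktemp) and uses SHA-256 rather than MD5.

```shell
#!/bin/sh
# Added example (not from the page or any of the tools it describes):
# a minimal hash-based integrity check plus dd image verification.
# Assumes GNU coreutils. Sorting and comm(1) both run in the C locale so
# their orderings agree regardless of the caller's environment.
LC_ALL=C; export LC_ALL

# integrity_init DIR BASELINE
#   Record "hash  ./path" for every regular file under DIR (like
#   "tripwire --init"). Store BASELINE off-host or on read-only media:
#   a baseline that root can rewrite proves nothing.
integrity_init() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort ) > "$2"
}

# integrity_check DIR BASELINE
#   Print one line per difference ("added: ./x", "removed: ./y",
#   "changed: ./z"), like "tripwire --check". Returns 0 when the tree
#   matches the baseline, 1 when anything differs.
integrity_check() {
    dir=$1; baseline=$2
    tmp=$(mktemp -d)
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort ) > "$tmp/current"
    # sha256sum prints 64 hex digits, two spaces, then the path: column 67 on.
    cut -c67- "$baseline"    | sort > "$tmp/base.paths"
    cut -c67- "$tmp/current" | sort > "$tmp/cur.paths"
    # Baseline lines missing from the current scan: the path is either still
    # present with a different hash (changed) or gone entirely (removed).
    comm -23 "$baseline" "$tmp/current" | cut -c67- | while IFS= read -r p; do
        if grep -qxF -- "$p" "$tmp/cur.paths"; then
            echo "changed: $p"
        else
            echo "removed: $p"
        fi
    done > "$tmp/report"
    # Paths present now that the baseline never saw.
    comm -13 "$tmp/base.paths" "$tmp/cur.paths" | sed 's/^/added: /' >> "$tmp/report"
    cat "$tmp/report"
    if [ -s "$tmp/report" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# image_make SRC IMG
#   Hash SRC (a block device or any file) first, as the page does, copy it
#   to IMG with dd, then hash IMG and compare. The source hash is kept in
#   IMG.sha256 so the image can be re-verified later. Returns 0 only when
#   the image hashes identically to its source. (If you add
#   conv=noerror,sync for a failing disk, zero-filled bad blocks will make
#   this comparison fail, which is exactly what you want to know.)
image_make() {
    src=$1; img=$2
    sha256sum < "$src" | cut -c1-64 > "$img.sha256"
    dd if="$src" of="$img" bs=1M 2>/dev/null
    image_check "$img"
}

# image_check IMG
#   Re-verify IMG against the hash recorded by image_make.
#   Returns 0 if it still matches, 1 if the image has been altered.
image_check() {
    [ "$(sha256sum < "$1" | cut -c1-64)" = "$(cat "$1.sha256")" ]
}

# Usage (paths illustrative):
#   integrity_init  /etc /media/ro/etc.baseline
#   integrity_check /etc /media/ro/etc.baseline   # exit 1 plus a report on change
#   image_make      /dev/sdb /mnt/evidence/sdb.img
#   image_check     /mnt/evidence/sdb.img          # any time afterwards
```

The report is the whole point: a check that merely returns "something changed" gets ignored, one that names ''changed: ./passwd'' gets read. Like Tripwire's, this baseline will drift after every legitimate package upgrade, so re-run ''integrity_init'' after accepted changes, and compare the new baseline against the old one before trusting it.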