Page ''ids'', old revision of 2006/07/17 11:58 (edit summary: "some links"), as shown in the revision comparison against 2009/05/25 00:35.

====== Intrusion detection systems ======
===== AIDE =====

FIXME

===== Tripwire =====

=== links: ===
  * [[http://

==== Basic configuration (debian way) ====

Install tripwire with apt-get (''

  cd /
  /
  /
  # you'll get loads of "No such file" warnings...

The warnings are harmless at this point: the default policy lists paths that are not installed on this box, which is exactly what gets pruned in the next step. Two things matter more than the warnings. First, the database only proves anything if it was initialised on a host you trust to be clean, so do this right after installation and before the machine faces the network. Second, keep the database, the key files and a copy of the tripwire binary on read-only or offline media; an intruder with root on the host can otherwise simply regenerate them.

Ok, we're fully installed now. So let's run our first check so we can tune the policy

  /

Now use this {{fixpol.pl|perl script (fixpol.pl)}}

  chmod u+x fixpol.pl

- | |||
**fixpol** prints what to do next near the end of its output, in particular:

  You should now run

  diff twpol.txt twpol.txt.new | more

  to make sure my changes aren't garbage. If it looks ok run

  /
  /

  to install the new policy in the database.

Now you're in a position to run

  /

regularly in cron or whatever.
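The pruning step above is what fixpol.pl does for you. As an added example (not the page's script, and not part of Tripwire), here is the same idea in portable sh and awk: read the "No such file" warnings out of the first check's output and comment out the matching entries in twpol.txt. It assumes the four-line warning format Tripwire 2.x prints for a missing file (''### Warning: File system error.'' / ''### Filename: …'' / ''### No such file or directory'' / ''### Continuing...''), and that a policy entry is a line whose first token is the path. The report and policy in ''sample_report'' and ''sample_policy'' are constructed so the script runs stand-alone.

```sh
#!/bin/sh
# Added example (not the page's fixpol.pl): prune a Tripwire policy of entries
# for paths the first check reported as missing. Assumed warning format:
#   ### Warning: File system error.
#   ### Filename: /usr/sbin/in.fingerd
#   ### No such file or directory
#   ### Continuing...
# sample_report / sample_policy below are constructed inputs, not real output.

# Print the paths a Tripwire check/init report flagged as "No such file".
# A "### Filename:" line is only kept if the very next line is the
# "No such file" error; any other line discards it (other errors are not pruned).
missing_paths() {
    awk '
        /^### Filename: / { fn = $0; sub(/^### Filename: /, "", fn); next }
        /^### No such file or directory/ { if (fn != "") print fn }
        { fn = "" }
    ' "$1"
}

# Write the policy with those entries commented out, to stdout.
# $1: policy file (twpol.txt), $2: Tripwire report. An empty report leaves
# the policy untouched.
prune_policy() {
    awk -v list="$(missing_paths "$2")" '
        BEGIN {
            n = split(list, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") missing[a[i]] = 1
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop leading indentation
            split(line, f, "[ \t]+")           # f[1] is the path of an entry
            if (f[1] in missing) {
                print "# " $0 "   # pruned: not present on this host"
                next
            }
            print
        }
    ' "$1"
}

# Constructed sample inputs so the script can be run without Tripwire.
sample_report() {
    cat <<'EOF'
### Warning: File system error.
### Filename: /usr/sbin/in.fingerd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /sbin/sash
### No such file or directory
### Continuing...
EOF
}

sample_policy() {
    cat <<'EOF'
(
  rulename = "Root binaries",
  severity = $(SIG_HI)
)
{
  /sbin/init            -> $(SEC_BIN) ;
  /sbin/sash            -> $(SEC_BIN) ;
  /usr/sbin/in.fingerd  -> $(SEC_BIN) ;
}
EOF
}

# Usage: prune_policy twpol.txt report.txt > twpol.txt.new
# Run with --demo to see the constructed sample being pruned.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_report > "$tmp/report"
    sample_policy > "$tmp/twpol.txt"
    prune_policy "$tmp/twpol.txt" "$tmp/report"
    rm -rf "$tmp"
fi
```

Review the result with ''diff twpol.txt twpol.txt.new | more'' exactly as the page says before installing it: a path the check could not read for some other reason (permissions, a transient mount) is deliberately not pruned, and entries whose first token is not the path (a ''!'' stop point, or a path containing spaces) are left alone too.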
- | |||
===== Linux (misc) =====

**Comprehensive intrusion detection**
  * tiger - Report system security vulnerabilities
  * tiger-otheros - Scripts to run Tiger in other operating systems

  apt-get install tiger tiger-otheros

- | |||
==== chkrootkit ====
see also: **[[http://

Either install the package that comes with your distribution (on Debian you would run)

  apt-get install chkrootkit

or download the sources from www.chkrootkit.org and install manually (the site publishes a checksum next to the tarball; check it before you build):

  wget --passive-ftp ftp://
  tar xvfz chkrootkit.tar.gz
  cd chkrootkit-<
  make sense

Afterwards, you can move the chkrootkit directory somewhere else, e.g. ''/

  cd ..
  mv chkrootkit-<

Now you can run chkrootkit manually:

  cd /
  ./

(if you installed a chkrootkit package coming with your distribution,

You can also run chkrootkit from a cron job and have the results emailed to you. Run

  crontab -e

and create a cron job like this:

  0 3 * * * (cd /

That runs chkrootkit every night at 03:00.

Bear in mind what chkrootkit is: a shell script that calls the system's own ls, ps, netstat, strings and so on. A rootkit that has trojaned those binaries can hide from it, and a nightly "not infected" from a host that is already owned is worth nothing. For a machine you actually suspect, run it from a rescue system, or point it at known-good binaries on read-only media with its ''-p'' option.
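A bare crontab line mails you the full report every night, which is exactly the mail people stop reading. As an added example (not from the page, and not part of chkrootkit), here is a small cron wrapper that keeps the last report, mails only the diff when something changed, escalates the subject and exits non-zero when a line says ''INFECTED'' or ''Warning:'' (the markers chkrootkit prints), and so can also drive a monitoring check. The command, state directory and recipient (''CHKROOTKIT'', ''STATE_DIR'', ''MAILTO'') are assumed names you set for your host; the output in ''sample_scan'' is constructed to look like a chkrootkit run, not real scanner output.

```sh
#!/bin/sh
# Added example (not from the page): nightly chkrootkit wrapper that mails only
# changes, escalates on INFECTED/Warning lines and returns non-zero on them.
# CHKROOTKIT, STATE_DIR and MAILTO are assumed settings for the host; unquoted
# $CHKROOTKIT so it may carry options, e.g. "chkrootkit -p /mnt/cdrom/bin".
CHKROOTKIT=${CHKROOTKIT:-chkrootkit}
STATE_DIR=${STATE_DIR:-/var/lib/chkrootkit-cron}
MAILTO=${MAILTO:-root}

# Run the scanner and capture everything it says (stdout and stderr) into $1.
run_scan() {
    $CHKROOTKIT > "$1" 2>&1
}

# 0 if the report contains nothing that needs a human, 1 otherwise.
# "INFECTED" is upper case in chkrootkit's output, so "not infected" does not match.
# An unreadable report is never "clean".
report_is_clean() {
    [ -r "$1" ] || return 1
    ! grep -Eq 'INFECTED|Warning:' "$1"
}

# Print what changed since the previous report ($2); the whole report if there
# was none yet. diff exits 1 when files differ, which is not an error here.
report_changes() {
    if [ -f "$2" ]; then
        diff -u "$2" "$1" || true
    else
        cat "$1"
    fi
}

# Mail the body on stdin with subject $1; print it instead when MAILTO is
# empty or there is no mail(1), so the wrapper still works from a terminal.
send_mail() {
    if [ -n "$MAILTO" ] && command -v mail >/dev/null 2>&1; then
        mail -s "$1" "$MAILTO"
    else
        printf 'Subject: %s\n\n' "$1"
        cat
    fi
}

# One nightly run: scan, compare, notify, rotate. Exit 1 when attention is needed.
nightly() {
    mkdir -p "$STATE_DIR"
    new="$STATE_DIR/report.new"
    last="$STATE_DIR/report.last"
    subject=
    status=0
    run_scan "$new"
    changes=$(report_changes "$new" "$last")
    if ! report_is_clean "$new"; then
        status=1
        subject="chkrootkit on $(uname -n): ATTENTION"
    elif [ -n "$changes" ]; then
        subject="chkrootkit on $(uname -n): report changed"
    fi
    if [ -n "$subject" ]; then
        printf '%s\n' "$changes" | send_mail "$subject"
    fi
    mv "$new" "$last"
    return $status
}

# Constructed stand-ins for a chkrootkit run (not real scanner output).
sample_scan() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... not infected
Checking `lkm'... chkproc: nothing detected
Searching for suspicious files and dirs, it may take a while... nothing found
EOF
}
sample_scan_infected() {
    sample_scan
    printf '%s\n' "Checking netstat... INFECTED"
}

# Usage from cron, e.g.: 0 3 * * * /usr/local/sbin/chkrootkit-nightly
# (hypothetical path). Run with --demo to see the constructed sample handled.
if [ "${1:-}" = "--demo" ]; then
    STATE_DIR=$(mktemp -d); MAILTO=
    CHKROOTKIT=sample_scan nightly
    CHKROOTKIT=sample_scan_infected nightly || echo "exit status $?: attention needed"
    rm -rf "$STATE_DIR"
fi
```

The state directory is on the same host as the scanner, so treat the mail as a tripwire, not as evidence: a report that quietly stops changing because someone edited report.last is why the subject also goes out when the scan itself flags something, regardless of the diff.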
- | |||
==== rkhunter ====

Download the latest rkhunter sources from www.rootkit.nl:

  wget http://
  tar xvfz rkhunter-1.2.7.tar.gz
  cd rkhunter/
  ./

This will install rkhunter to the directory ''/

  rkhunter --update

to download the latest chkrootkit/

  rkhunter -c

Like chkrootkit, rkhunter only recognises what is in its signature lists: a clean run means nothing known was found, not that nothing is there.

==== MD5 sum checks ====

  * **debsums** - Verify installed package files against MD5 checksums //(Debian systems)//. The .md5sums lists it checks against live on the same host, so an intruder with root can rewrite them along with the binaries; a clean debsums run is weak evidence on its own.
  * **md5sum**

Generate a checksum for the partition you wish to image, run from shell

  # md5sum /dev/hdc2 > /

To make the copy of the disk(s), we'll use the dd command. From shell...

  # dd if=/dev/hdc of=/

Note that the two commands above do not refer to the same object: a checksum of the partition /dev/hdc2 cannot verify an image of the whole disk /dev/hdc. Hash exactly what you image, with the device unmounted (or mounted read-only, since a filesystem that is still being written to will not hash the same way twice), hash the image again once dd has finished, and compare the two. MD5 is enough to catch a truncated or corrupted copy, but collisions for it are practical, so record a SHA-256 (sha256sum) as well if the image is evidence.

You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive. This means that /tmp shouldn'
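As an added example (not from the page) the imaging procedure above done so that it actually proves something: hash the source, copy it with dd, hash the image and refuse to report success unless the two agree, writing sidecar files that ''sha256sum -c'' can re-check later. The function names, the sidecar naming (''<image>.sha256'', ''<image>.md5'', ''<image>.dd.log'') and the 37 KiB random file standing in for ''/dev/hdc'' are all assumptions of this example; on a real host the source argument is the device and the destination lives on a different disk, as the page's /tmp remark is getting at.

```sh
#!/bin/sh
# Added example (not from the page): image a device with dd and verify the copy.
# Hashes the same object it images, keeps MD5 for compatibility with the page's
# md5sum workflow and SHA-256 because MD5 collisions are practical, and re-hashes
# the image so a short or altered copy is caught. Sidecar names are assumed.

# Copy $1 to $2 and return 0 only if the image's SHA-256 equals the source's.
# Writes $2.sha256 and $2.md5 (sha256sum/md5sum -c format) and $2.dd.log.
image_and_verify() {
    src=$1
    img=$2
    # Hash the source before touching it; a pipeline's status is awk's, so
    # capture the hasher's output first and strip the filename afterwards.
    src_sha=$(sha256sum "$src") || return 1
    src_sha=${src_sha%% *}
    src_md5=$(md5sum "$src") || return 1
    src_md5=${src_md5%% *}
    # Plain dd: no conv=sync, which would pad the last block and break the hash.
    # Without conv=noerror dd stops at a read error; the hash mismatch then
    # tells you the image is short, and $img.dd.log says where it stopped.
    dd if="$src" of="$img" bs=65536 2>"$img.dd.log" || return 1
    printf '%s  %s\n' "$src_sha" "$img" > "$img.sha256"
    printf '%s  %s\n' "$src_md5" "$img" > "$img.md5"
    img_sha=$(sha256sum "$img") || return 1
    img_sha=${img_sha%% *}
    [ "$img_sha" = "$src_sha" ]
}

# Re-check an existing image ($1) against its SHA-256 sidecar, e.g. after it
# has been copied to another machine. 0 when it still matches.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Constructed stand-in for /dev/hdc: 37 KiB of random bytes, deliberately not
# a multiple of the dd block size so any padding mistake would show up.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=1024 count=37 2>/dev/null
}

# Usage: image_and_verify /dev/hdc /mnt/evidence/hdc.img
# Run with --demo to exercise the functions on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_device "$d/disk"
    if image_and_verify "$d/disk" "$d/disk.img"; then
        echo "image verified: $(cat "$d/disk.img.sha256")"
    else
        echo "image does NOT match source" >&2
    fi
    rm -rf "$d"
fi
```

Keep the sidecars and the dd log with the image; on a large disk the second read of the source is the price of not trusting a single pass, and if that is too slow, hash the stream while writing it (''dd … | tee image | sha256sum'') and still re-hash the finished file.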