Differences

This shows you the differences between two versions of the page.

--- ids [2006/07/17 11:58]
a some links
+++ ids [2009/05/25 00:35]
@@ Line 1: / Line 1: @@
-====== Intrusion detection systems ======
-===== AIDE =====
-FIXME
-===== Tripwire =====
-=== links: ===
-  * [[http://openchemist.net/linux/howto.php?id=sec001|Tripwire (debian)]]
-==== Basic configuration (debian way) ====
-Install tripwire with apt-get (''apt-get install tripwire'')
-  cd /etc/tripwire
-  /usr/sbin/twadmin --create-polfile twpol.txt
-  /usr/sbin/tripwire --init  # Have patience, this will take a minute or so and
-                             # you'll get loads of "No such file" warnings...
-Ok, we're fully installed now. So let's run our first check so we can tune the policy
-  /usr/sbin/tripwire --check > twout.txt # lots of warnings and patience  gain...
-Now use this {{fixpol.pl|perl script (fixpol.pl)}}
-   chmod u+x fixpol.pl
-   ./fixpol.pl twout.txt twpol.txt | more    # there's lots of output
-**fixpol** prints what to do next near the end of its output in particular:
-You should now run
-   diff twpol.txt twpol.txt.new | more
-to make sure my changes aren't garbage. If it looks ok run
-   /usr/sbin/twadmin --create-polfile twpol.txt.new
-   /usr/sbin/tripwire --init
-to install the new policy in the database.
-Now you're in a position to run
-   /usr/sbin/tripwire --check
-regularly in cron or whatever.
-===== Linux (misc) =====
-**Comprehensive intrusion detection**
-  * tiger - Report system security vulnerabilities
-  * tiger-otheros - Scripts to run Tiger in other operating systems
-  apt-get install tiger tiger-otheros
-==== chkrootkit ====
-see also: **[[http://www.kanenas.net/comments.php?y=06&m=05&entry=entry060502-073518|How to scan your Linux-Distro for Root Kits]]**
-Either install the package that comes with your distribution (on Debian you would run)
-  apt-get install chkrootkit
-or download the sources from www.chkrootkit.org and install manually:
-  wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
-  tar xvfz chkrootkit.tar.gz
-  cd chkrootkit-<version>/
-  make sense
-Afterwards, you can move the chkrootkit directory somewhere else, e.g. ''/usr/local/chkrootkit'':
-  cd ..
-  mv chkrootkit-<version>/ /usr/local/chkrootkit
-Now you can run chkrootkit manually:
-  cd /usr/local/chkrootkit
-  ./chkrootkit
-(if you installed a chkrootkit package coming with your distribution, your chkrootkit might be somewhere else).
-You can even run chkrootkit by a cron job and get the results emailed to you: Run
-  crontab -e
-to create a cron job like this:
-3 * * * (cd /usr/local/chkrootkit-<version>; ./chkrootkit 2>&1 | mail -s "chkrootkit output my server"  you@yourdomain.com)
-That would run chkrootkit every night a 3.00h.
-==== rkhunter  ====
-Download the latest rkhunter sources from www.rootkit.nl:
-  wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
-  tar xvfz rkhunter-1.2.7.tar.gz
-  cd rkhunter/
-  ./installer.sh
-This will install rkhunter to the directory ''/usr/local/rkhunter''. Now run
-  rkhunter --update
-to download the latest chkrootkit/trojan/worm signatures (you should do this regularly). Now you can scan your system for malware by running
-  rkhunter -c
-==== MD5 sum checks ====
-   * **debsums** - Verify installed package files against MD5 checksums //(Debian systems)//
-   * **md5sum**
-Generate a checksum for the partition you wish to image, run from shell
-  # md5sum /dev/hdc2 > /tmp/hdc2.md5
-To make the copy of the disk(s), we'll use the dd command. From shell...
-  # dd if=/dev/hdc of=/tmp/hdc.img
-You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive. This means that /tmp shouldn't be a RAM disk and should not be stored on /dev/hdc. Write it to another hard disk !