
From what I've read I think I know already that the answer to this is "nope, not really", but I'll ask anyways. I've got a bunch of Linux servers that have been running for years, and I have no plans of rebuilding them from scratch, and I'd like to add an IDS to them. The tripwire documentation says that there's no way to ensure that the system hasn't already been compromised and therefore adding it will only help with future breaches. Fair enough.

But, if you wanted to anyways, would it be sufficient to scan the system using for example unhide, rkhunter, chkrootkit, and tiger first and then add an IDS? Or, would it be possible to create a virtual machine with the same package selection, add an IDS, build a configuration and database, and then copy those over to the production server?

Thanks.

asked 10/01/2011 12:24


coanda ♦♦


6 Answers:
Just add an IDS, or in tripwire's case a File Integrity Monitor such as OSSEC (both IDS and FIM), or AIDE, which is a Red Hat project now but only FIM.
-rich

answered


richrumble

Sorry, but that doesn't really answer the question. Are you suggesting that by adding FIM it will be aware of existing exploits to the system?

To be honest, I'm 99.9% certain that none of the systems have ever been compromised, but what can be done to make that 99.9999%? Are there any programs that I can run, eg. unhide/tiger/etc., to increase my confidence before adding an IDS?

answered 10/01/11 04:42 PM


coanda

Detecting tampering is what FIM should do really well. But one key security principle is to be secure by default, where the baseline image should already be hardened. E.g. SELinux provides the MAC, which would prevent low-hanging fruit from being exploited. There are others as well - http://www.puschitz.com/SecuringLinux.shtml

Also, ideally we can adopt security as defense in depth, meaning the unified layers in protecting your critical asset. In this case, your server, to make sure of availability. FIM can be complementing the hardened state; network security devices provide the perimeter monitoring, detection and prevention early. Minimally, push the sensor out to increase situational awareness and defence at the strategic point of control. I will say it as push the kill chain up.

But we have to balance as well with operational requirements and not go excessive. Hence the risk management to prioritise the investment and effort. Importantly, it should be a process and not a deploy-and-forget mentality.

answered 10/01/11 04:54 PM


breadtan

Thanks, that's all useful information, but it doesn't really answer the original question. As I stated originally, I'm aware that the base system image should have an IDS/FIM installed right off the bat, but it wasn't, now I want to add it. What should I do now to add it correctly so that I can have a relatively high degree of certainty that the system is secure? Or does it even matter?

answered 10/03/11 07:40 PM


coanda

You may try to verify the rpms:
rpm -K * --nopgp (it's something like that)
But then again, how can you trust the rpm package now... it all depends on how far you want to go. A bootable live CD could be used to verify the md5s of the files, but that requires you to take the boxes offline for a certain amount of time.
If it matters to you, it matters.
-rich

answered 10/07/11 10:50 AM


richrumble
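One way to triage the package verification rich describes, as an added example that is not from this thread: `rpm -Va` reports every installed file that differs from the RPM database, and this script separates changed binaries and missing files (worth investigating) from config files (where local edits are expected). It trusts the local rpm database, which is exactly the caveat rich raises; running `rpm -Va --root /mnt/disk` from a live CD against the mounted disk removes that dependency. The sample output is constructed, and `subprocess` falls back to it when `rpm` is not installed.

```python
#!/usr/bin/env python3
"""Triage `rpm -Va` output: flag package files whose contents changed.

rpm -Va prints one line per file that differs from the RPM database:
nine attribute flags (or the word "missing"), an optional file-type
marker ('c' = config file), and the path. A '5' flag means the digest
differs. Config files are expected to change; binaries and libraries
with a changed digest, or files that have vanished, are not.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of rpm -Va output (not taken from a real host).
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libz.so.1.2.3
S.5....T.    /usr/bin/ps
missing     /usr/sbin/lsof
.M.......    /var/log/messages
"""

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?P<type>[cdglr])?\s*(?P<path>/\S.*)$"
)

def triage(output: str) -> Dict[str, List[str]]:
    """Bucket each rpm -Va line: content_changed, missing, config, other."""
    result: Dict[str, List[str]] = {
        "content_changed": [], "missing": [], "config": [], "other": []}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, warnings or unparsable lines
        flags, ftype, path = m.group("flags"), m.group("type"), m.group("path")
        if flags == "missing":
            result["missing"].append(path)
        elif ftype == "c":
            result["config"].append(path)  # local edits are normal here
        elif "5" in flags:
            result["content_changed"].append(path)  # digest differs: investigate
        else:
            result["other"].append(path)  # mode/mtime/owner only
    return result

def run_rpm_verify() -> str:
    """Run rpm -Va on this host; use the constructed sample if rpm is absent."""
    try:
        return subprocess.run(["rpm", "-Va"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return SAMPLE_OUTPUT

if __name__ == "__main__":
    for category, paths in triage(run_rpm_verify()).items():
        for p in paths:
            print(f"{category}: {p}")
```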

I hadn't thought to use a live CD to verify the packages that are installed; that makes sense.

Thanks.

answered 10/07/11 11:19 AM


coanda


Seen: 265 times

Last updated: 10/07/2011 01:07