[NTLUG:Discuss] Intrusion and Detection
Steve
steve at cyberianhamster.com
Mon Dec 24 10:37:55 CST 2001
Chris Cox wrote:
> Tripwire is ok (beware of licensing on it though).
I thought that Tripwire for Linux, by itself, was under the GPL.
> Basically the idea
> of doing checksums of critical system files is a good thing.
This is basically the last line of defense, and people should treat it
as such. That means all critical Tripwire files used in benchmarking
your existing files with the clean / baseline set must be on a
non-writable medium (i.e., floppy, CD-R, etc.). Tripwire emails should be
sent off the machine. The value of Tripwire drops sharply if people
leave it all on the machine that is compromised.
> Unfortunately, anyone who is root on your system can do
> ANYTHING... including thwarting your tripwire or whatever
> IDS techniques you have in place.... remember ROOT can
> do ANYTHING.
Having an IDS with secured baseline files substantially raises the bar
for the level of expertise needed to sneak by. Even if he hacked your
kernel, you should still be able to load up your filesystem through
another way (another machine, CD, etc.) and run off secure Tripwire files.
> So... first you may want to look at:
> http://www.linuxdoc.org/guides.html (look for Securing and Optimizing
> Redhat Linux... though most of it is good for
> any distribution of Linux)
> This document has good techniques including using the ext2 immutable
> flag.
Yeah. Biggest problem with security is the prevention aspect. You get a
much bigger bang for the buck on the prevention aspect.
> Someone has to stay abreast of issues... I recommend subscribing to
> things like:
>
> http://www.cert.org/contact_cert/certmaillist.html
> and most definitely the bugtraq mailing list:
> http://www.securityfocus.com/cgi-bin/forums.pl
> Most all problems will be seen on bugtraq before general news
> flashes come out.
This is a lot for people who do not do this for a living. You may be
better off just regularly visiting your distro's site for
vulnerability warnings. Still better than general news flashes but not
as hairy as these technical areas. Or use something with a very good
package updating mechanism like Debian.
> One last thing... throw the hacker a curve ball. The reason that
> platforms get hacked more often today is because of the
> similarity of machine configurations.
I think the reason platforms get hacked today is poor setup and poor
maintenance. The common setups are a liability yes, but most of the
cracks that I've seen exploit people whose systems aren't up to date or
are poorly configured.
- Only run the services that you need.
- Try to understand the nature of your services.
- Keep those services up to date religiously.
The easiest step for the user is the 3rd. Yet, it seems to be the one
that crackers take the most advantage of.
> <note>> ....just don't ever tick them off :-) A "cracker" is something
> you have with soup.
> </note>
Uh. Well there is the pigment-laden association...
Steve
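As an added illustration of the checksum-baseline idea discussed in this thread (example code written for this page, not Tripwire's own and not from either poster): build a baseline of hashes and inode metadata for a set of monitored paths, save it to a file that should then live on read-only media, and later verify the live filesystem against it, reporting changed, missing and added files. The field set and JSON layout are my own choices.

```python
import hashlib
import json
import os

# Attributes compared per file (constructed choice; Tripwire's policy language allows more).
FIELDS = ("sha256", "mode", "uid", "gid", "size")

def fingerprint(path):
    """Content hash plus the inode metadata an integrity checker compares."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": st.st_mode,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def walk_files(roots):
    """Expand monitored roots (files or directories) into regular-file paths."""
    for root in roots:
        if os.path.isdir(root):
            for d, _, names in os.walk(root):
                for n in names:
                    p = os.path.join(d, n)
                    if os.path.isfile(p) and not os.path.islink(p):
                        yield p
        elif os.path.isfile(root):
            yield root

def build_baseline(roots):
    return {p: fingerprint(p) for p in walk_files(roots)}

def save_baseline(baseline, dest):
    # `dest` should end up on non-writable media; the verify step only ever reads it.
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(src):
    with open(src) as f:
        return json.load(f)

def verify(baseline, roots):
    """Compare the live filesystem against the baseline; report every deviation."""
    current = build_baseline(roots)
    report = {"changed": {}, "missing": [], "added": []}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report["missing"].append(path)
            continue
        diffs = [k for k in FIELDS if old[k] != new[k]]
        if diffs:
            report["changed"][path] = diffs
    report["added"] = sorted(set(current) - set(baseline))
    return report
```

Run `verify` from a clean boot (another machine or a rescue CD with the target filesystem mounted) so that a compromised kernel or libc on the monitored host cannot lie to the checker.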