Lab: Host-based Intrusion Detection System
In this lab, you will use a Host-based Intrusion Detection System (HIDS) to detect compromises on your Linux machine. We will be using AIDE, a HIDS which uses techniques similar to that of the more well-known Tripwire. It attempts to detect intrusions by monitoring the filesystem and alerting administrators when suspicious changes occur.
Late submissions will result in a 10% penalty per day (e.g., 2.5 days late results in a 25% penalty).
File Integrity with AIDE
AIDE is already installed on your Linux router, but it is not configured. You should review an AIDE manual before beginning this lab. Create an AIDE configuration file and store it as /etc/aide/aide.conf. Then set up aide to run every 4 hours via cron. You should use /etc/crontab for this, and you may write your own external shell script which starts aide if you wish.
Your configuration should satisfy the following:
- All files on the filesystem should be hashed and have all metadata (timestamps, permissions, etc.) checked unless you have a good reason not to. You should try to eliminate all false positives (e.g. alerts that are a result of normal operation), which means: if you expect something to change on a regular basis, then exclude it from the checks. However, only exclude the minimal number of changes necessary to eliminate false positives.
- Your AIDE configuration file must include comments explaining why you have excluded certain files' attributes from being checked. Every exclusion must be documented and should include a description of the specific normal, everyday process which effects the change you are expecting. For example, if you exclude the contents of a log file from being checked, then explain what process writes to that log file regularly.
- Your AIDE configuration and database should be readable/writable only by the root user.
- Each time AIDE checks the system, any alerts must be emailed to one or more members of the team.
- Your AIDE database must not be scripted to update automatically. If you need to update it, do it manually.
You should check your AIDE configuration a few times over a few days to eliminate as many false positives as you can. A sample configuration for AIDE can be found on your system at /etc/aide/aide.conf.
Once you have a stable AIDE configuration, log into your system and touch (see man touch for more information) an executable in /usr/local/bin to change its modification date. When your cron job runs again, it should send you an alert email about this change. Save a copy of this email for later submission. After you are done, update your AIDE database to stop future email alerts.
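One way to wire the check into cron with mail-on-change behaviour, as an added example that is not part of the lab handout or of AIDE itself: the wrapper below runs aide --check against /etc/aide/aide.conf, decodes AIDE's exit status (a bitmask: 1 new, 2 removed, 4 changed files; 14 and above are errors), mails the full report only when there is something to report, and never updates the database. The script name aide-check.sh, the mail(1) command and the AIDE_MAILTO recipient list are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper for an AIDE file-integrity check.
# Install as /usr/local/sbin/aide-check.sh and add to /etc/crontab
# (which takes a user field) to run every 4 hours:
#   0 */4 * * * root /usr/local/sbin/aide-check.sh
# The database is never updated here; `aide --update` stays a manual step.

AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"   # lab's config path
AIDE_MAILTO="${AIDE_MAILTO:-root}"              # assumed: team addresses

# Turn AIDE's exit status into a short human-readable summary.
# 0 = no changes; bits 1/2/4 = new/removed/changed; >= 14 = runtime error.
decode_aide_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "aide error (exit $status)"
        return 0
    fi
    msg=""
    if [ $((status & 1)) -ne 0 ]; then msg="${msg}${msg:+, }new files"; fi
    if [ $((status & 2)) -ne 0 ]; then msg="${msg}${msg:+, }removed files"; fi
    if [ $((status & 4)) -ne 0 ]; then msg="${msg}${msg:+, }changed files"; fi
    echo "$msg"
}

# Run the check; mail the full report only when AIDE found changes or failed,
# so a clean run produces no mail and the alert mailbox stays meaningful.
run_aide_check() {
    report="$(mktemp)"
    aide --config="$AIDE_CONF" --check >"$report" 2>&1
    status=$?
    summary="$(decode_aide_status "$status")"
    if [ "$status" -ne 0 ]; then
        mail -s "AIDE on $(hostname): $summary" "$AIDE_MAILTO" <"$report"
    fi
    rm -f "$report"
    return "$status"   # cron sees AIDE's own status
}

# Perform the check only when invoked under the installed script name;
# sourcing the file just defines the functions above.
case "${0##*/}" in
    aide-check.sh) run_aide_check ;;
esac
```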
Report
For this lab, your team must submit a report with the following information:
- Submit a copy of your AIDE configuration file, fully commented.
- Submit a copy of your crontab file showing the entry for AIDE.
- Submit a copy of the email alert you received when you modified a system binary.
- In your Linux router's current AIDE configuration, name one way an attacker could prevent you from being alerted to system changes. In the worst-case scenario, if an attacker can gain root on your system, will file integrity checking suffice as an intrusion detection mechanism? If not, in what scenarios might it help secure the system?
Grading
Your grade for this lab will be composed of:
90% - The submitted copies.
10% - Answering the last question.