90


Chapter 10. Intrusion Detection


event logs such as network and kernel, can be quite verbose), analyze them, re tag the anomalous


packets with its own system of warning and severity rating, and collect them in its own specialized


log for administrator analysis.


Host based IDSes can also verify data integrity of important files and executables. The IDS will check


a database of sensitive files (and any files that you may want to add) and creates a checksum of


each file with a message file digest utility such as


md5sum


(128 bit algorithm) or or


sha1sum


(160 


bit algorithm). The IDS then stores the sums in a plain text file, and periodically compares the file


checksums against the values in the text file. If any of the files checksums do not match, then the IDS


will alert the administrator by email or pager. This is the process used by Tripwire, which is discussed


in Section 10.2.1.


10.2.1. Tripwire


Tripwire is the most popular host based IDS for Linux. Tripwire, Inc., the developers of Tripwire,


recently opened the software source code for the Linux version and licensed it under the terms of the


GNU General Public License. Red Hat Linux includes Tripwire, and is available in RPM package


format for easy installation and upgrade.


Detailed information on the installation and configuration of Tripwire can be found in the chapter


titled "Installing and Configuring Tripwire" in the Official Red Hat Linux Customization Guide. Refer


to that chapter for more information.


10.2.2. RPM as an IDS


The RPM Package Manager (RPM) is another program that can be used as a host based IDS. RPM


contains various options for querying packages and their contents. These verification options can


be invaluable to an administrator who suspects that critical system files and executables have been


modified.


The following list details some options for RPM that you can use to verify file integrity on your Red


Hat Linux system. Refer to the Official Red Hat Linux Customization Guide for complete information


about using RPM.


Important


Some of the commands in the list that follows requires that you import the official Red Hat GPG


public key into your RPM keyring. This key verifies that packages installed on your system contain an


official Red Hat package signature, which ensures that your packages originated from Red Hat. The


key can be imported with the following command (substituting


version


with the version of RPM


installed on your system):


rpm   import /usr/share/doc/rpm  version /RPM GPG KEY


rpm  V package_name


This option will verify the files in the installed package called


package_name


. If it shows no


output and exits, this means that all of the files have not been modified in anyway since the last


time the RPM database was updated. If there is an error, such as


S.5....T c /bin/ps


then the file has been modified in some way and you need to assess whether to keep the file (such


is the case with modified configuration files in


/etc


) or delete the file and reinstall the package


that contains it.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      web hosting comparison

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved