Adding IDS to system after deployment

From what I've read I think I know already that the answer to this is "nope, not really", but I'll ask anyways. I've got a bunch of Linux servers that have been running for years, and I have no plans of rebuilding them from scratch, and I'd like to add an IDS to them. The tripwire documentation says that there's no way to ensure that the system hasn't already been compromised and therefore adding it will only help with future breaches. Fair enough.

But, if you wanted to anyways, would it be sufficient to scan the system using for example unhide, rkhunter, chkrootkit, and tiger first and then add an IDS? Or, would it be possible to create a virtual machine with the same package selection, add an IDS, build a configuration and database, and then copy those over to the production server?

Thanks.
LVL 3
coandaAsked:
Who is Participating?
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
You may try to verify the rpm's
rpm -K * --nopgp (it's something like that)
But then again, how can you trust the rpm package now... it all depends on how far you want to go, a bootable LIVE cd could be used to verify the md5's of the files, but that requires you to take the boxes offline for a certain amount of time.
If it matters to you, it matters.
-rich
0
 
Rich RumbleSecurity SamuraiCommented:
Just add an IDS or in tripwire's case a File Integrity Monitor such as OSSEC (both ids and fim) or the AIDE is a Redhat project now but only FIM.
-rich
0
 
coandaAuthor Commented:
Sorry, but that doesn't really answer the question. Are you suggesting that by adding FIM it will be aware of existing exploits to the system?

To be honest, I'm 99.9% certain that none of the systems have ever been compromised, but what can be done to make that 99.9999%? Are there any programs that I can run, eg. unhide/tiger/etc., to increase my confidence before adding an IDS?
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
btanExec ConsultantCommented:
Detecting tampering will be what FIM shd do really well. But one key security principle is to be secure by default where the baseline image shd already be hardened. Eg selinux provide the MAC which would prevent low hanging fruit to be exploited. There other as well - http://www.puschitz.com/SecuringLinux.shtml

also ideally we can adopt security as defense in depth meaning the unified layer in protecting your critical asset. In this case, your server to make sure availability. FIM can be complementing the hardened state, network security devices provide the perimeter monitoring, detection and prevention early. Minimally push the sensor out to imcrease situation awareness and defence at the strategic point of control. I will say it as push the kill chain up.

But we have to balance as well with operational req and not go excessive. Hence the risk mgmt to priortise the investment and effort. Importantly, it shd be a process and not a deploy and forget mentality.
0
 
coandaAuthor Commented:
Thanks, that's all useful information, but it doesn't really answer the original question. As I stated originally, I'm aware that the base system image should have an IDS/FIM installed right off the bat, but it wasn't, now I want to add it. What should I do now to add it correctly so that I can have a relatively high degree of certainty that the system is secure? Or does it even matter?
0
 
coandaAuthor Commented:
I hadn't thought to use a Live CD to verify the packages that are installed, that makes sense.

Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.