Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Adding IDS to system after deployment

Posted on 2011-09-30
6
Medium Priority
?
382 Views
Last Modified: 2013-11-29
From what I've read I think I know already that the answer to this is "nope, not really", but I'll ask anyways. I've got a bunch of Linux servers that have been running for years, and I have no plans of rebuilding them from scratch, and I'd like to add an IDS to them. The tripwire documentation says that there's no way to ensure that the system hasn't already been compromised and therefore adding it will only help with future breaches. Fair enough.

But, if you wanted to anyways, would it be sufficient to scan the system using for example unhide, rkhunter, chkrootkit, and tiger first and then add an IDS? Or, would it be possible to create a virtual machine with the same package selection, add an IDS, build a configuration and database, and then copy those over to the production server?

Thanks.
0
Comment
Question by:coanda
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36898136
Just add an IDS or in tripwire's case a File Integrity Monitor such as OSSEC (both ids and fim) or the AIDE is a Redhat project now but only FIM.
-rich
0
 
LVL 3

Author Comment

by:coanda
ID: 36898152
Sorry, but that doesn't really answer the question. Are you suggesting that by adding FIM it will be aware of existing exploits to the system?

To be honest, I'm 99.9% certain that none of the systems have ever been compromised, but what can be done to make that 99.9999%? Are there any programs that I can run, eg. unhide/tiger/etc., to increase my confidence before adding an IDS?
0
 
LVL 65

Expert Comment

by:btan
ID: 36907575
Detecting tampering will be what FIM shd do really well. But one key security principle is to be secure by default where the baseline image shd already be hardened. Eg selinux provide the MAC which would prevent low hanging fruit to be exploited. There other as well - http://www.puschitz.com/SecuringLinux.shtml

also ideally we can adopt security as defense in depth meaning the unified layer in protecting your critical asset. In this case, your server to make sure availability. FIM can be complementing the hardened state, network security devices provide the perimeter monitoring, detection and prevention early. Minimally push the sensor out to imcrease situation awareness and defence at the strategic point of control. I will say it as push the kill chain up.

But we have to balance as well with operational req and not go excessive. Hence the risk mgmt to priortise the investment and effort. Importantly, it shd be a process and not a deploy and forget mentality.
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 
LVL 3

Author Comment

by:coanda
ID: 36932624
Thanks, that's all useful information, but it doesn't really answer the original question. As I stated originally, I'm aware that the base system image should have an IDS/FIM installed right off the bat, but it wasn't, now I want to add it. What should I do now to add it correctly so that I can have a relatively high degree of certainty that the system is secure? Or does it even matter?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 36932844
You may try to verify the rpm's
rpm -K * --nopgp (it's something like that)
But then again, how can you trust the rpm package now... it all depends on how far you want to go, a bootable LIVE cd could be used to verify the md5's of the files, but that requires you to take the boxes offline for a certain amount of time.
If it matters to you, it matters.
-rich
0
 
LVL 3

Author Closing Comment

by:coanda
ID: 36934433
I hadn't thought to use a Live CD to verify the packages that are installed, that makes sense.

Thanks.
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question