Solved

Adding IDS to system after deployment

Posted on 2011-09-30
374 Views
Last Modified: 2013-11-29
From what I've read I think I know already that the answer to this is "nope, not really", but I'll ask anyway. I've got a bunch of Linux servers that have been running for years, and I have no plans of rebuilding them from scratch, and I'd like to add an IDS to them. The Tripwire documentation says that there's no way to ensure that the system hasn't already been compromised and therefore adding it will only help with future breaches. Fair enough.

But, if you wanted to anyway, would it be sufficient to scan the system using, for example, unhide, rkhunter, chkrootkit, and tiger first and then add an IDS? Or would it be possible to create a virtual machine with the same package selection, add an IDS, build a configuration and database, and then copy those over to the production server?

Thanks.
Question by:coanda
6 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36898136
Just add an IDS, or in Tripwire's case a File Integrity Monitor (FIM) such as OSSEC (both IDS and FIM), or AIDE, which is a Red Hat project now but FIM only.
-rich
 
LVL 3

Author Comment

by:coanda
ID: 36898152
Sorry, but that doesn't really answer the question. Are you suggesting that by adding FIM it will be aware of existing exploits to the system?

To be honest, I'm 99.9% certain that none of the systems have ever been compromised, but what can be done to make that 99.9999%? Are there any programs that I can run, e.g. unhide/tiger/etc., to increase my confidence before adding an IDS?
 
LVL 61

Expert Comment

by:btan
ID: 36907575
Detecting tampering will be what FIM should do really well. But one key security principle is to be secure by default, where the baseline image should already be hardened. E.g. SELinux provides the MAC which would prevent low-hanging fruit from being exploited. There are others as well - http://www.puschitz.com/SecuringLinux.shtml

Also, ideally we can adopt security as defense in depth, meaning the unified layers in protecting your critical asset. In this case, your server, to make sure of availability. FIM can be complementing the hardened state; network security devices provide the perimeter monitoring, detection and prevention early. Minimally, push the sensor out to increase situational awareness and defence at the strategic point of control. I'd describe it as pushing the kill chain up.

But we have to balance as well with operational requirements and not go excessive. Hence the risk management to prioritise the investment and effort. Importantly, it should be a process and not a deploy-and-forget mentality.
 
LVL 3

Author Comment

by:coanda
ID: 36932624
Thanks, that's all useful information, but it doesn't really answer the original question. As I stated originally, I'm aware that the base system image should have an IDS/FIM installed right off the bat, but it wasn't, now I want to add it. What should I do now to add it correctly so that I can have a relatively high degree of certainty that the system is secure? Or does it even matter?
 
LVL 38

Accepted Solution

by: Rich Rumble (earned 500 total points)
ID: 36932844
You may try to verify the RPMs
rpm -K * --nopgp (it's something like that)
But then again, how can you trust the rpm package now... it all depends on how far you want to go. A bootable live CD could be used to verify the MD5s of the files, but that requires you to take the boxes offline for a certain amount of time.
If it matters to you, it matters.
-rich
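An added example (not code from this thread, nor from Tripwire, OSSEC or AIDE) of the two checks the accepted answer points at and the question asks about. The first triages the output of `rpm -Va`, which verifies every installed file against the RPM database on the host itself. The second builds a SHA-256 baseline of a clean reference tree (the VM with the same package selection that the question describes, or a trusted install) and compares it against a production tree, for instance the production disk mounted read-only from a live CD. The `rpm -Va` lines embedded below are a constructed sample, and the function names and the ROOT/BASELINE arguments are this example's own, not part of any tool.

```shell
#!/bin/sh
# Added example, not from the original thread. Two defensive checks:
#   rpm_va_triage   - classify `rpm -Va` output lines
#   make_baseline / check_baseline - hash a clean tree, compare it to another
#
# rpm -Va prints one line per file that differs from the package database:
#   an attribute field (S size, M mode, 5 digest, D device, L symlink target,
#   U user, G group, T mtime, P capabilities; '.' = test passed,
#   '?' = could not be tested), an optional type flag (c = config file,
#   d = documentation, ...), then the path. Deleted files start with "missing".
# A changed digest ('5' in column 3) on a non-config file, or a missing file,
# is what matters most; mtime/mode-only changes are still listed so they are
# not lost, but are labelled separately. Paths without spaces are assumed.
rpm_va_triage() {   # reads rpm -Va output on stdin, prints one verdict per line
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line                  # split on whitespace
        attrs=$1
        path=${line##* }              # last field is the path
        flag=""
        [ $# -eq 3 ] && flag=$2       # middle field is the type flag when present
        if [ "$attrs" = "missing" ]; then
            echo "MISSING $path"; continue
        fi
        digest=$(printf '%s' "$attrs" | cut -c3)
        if [ "$digest" = "5" ] && [ "$flag" = "c" ]; then
            echo "CONFIG-CHANGED $path"   # edited config files are expected
        elif [ "$digest" = "5" ]; then
            echo "MODIFIED $path"         # contents of a package-owned file changed
        elif [ "$digest" = "?" ]; then
            echo "UNVERIFIED $path"       # rpm could not read/verify the file
        else
            echo "ATTR-ONLY $path"        # mode, owner, mtime etc. only
        fi
    done
}

# Constructed sample standing in for real `rpm -Va` output (hypothetical paths).
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/bash/README
S.5....T.    /bin/ls
..5......    /usr/sbin/sshd
missing     /usr/lib64/libexample.so.1
.M.......    /usr/bin/passwd'

# Baseline uses paths relative to ROOT, so a baseline taken at "/" on the clean
# reference system can be checked against a production disk mounted elsewhere.
make_baseline() {   # make_baseline ROOT  -> "sha256  ./path" lines on stdout
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do sha256sum "$f"; done )
}

check_baseline() {  # check_baseline ROOT BASELINE_FILE -> MODIFIED/NEW/MISSING lines, sorted
    make_baseline "$1" | awk '
        NR == FNR { base[$2] = $1; next }              # first input: the baseline file
        { seen[$2] = 1
          if (!($2 in base))        print "NEW " $2
          else if (base[$2] != $1)  print "MODIFIED " $2 }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" - | LC_ALL=C sort
}

if [ "${1:-}" = "demo" ]; then
    echo "== rpm -Va triage of the constructed sample =="
    printf '%s\n' "$SAMPLE_RPM_VA" | rpm_va_triage
fi
```

Run `sh check.sh demo` to see the triage of the sample; on a real host the call is `rpm -Va | rpm_va_triage`. The caveat Rich raises applies to the first check: `rpm -Va` trusts the RPM database and the rpm binary on the host being examined, so a tampered host can lie to it. The baseline comparison avoids that when the baseline comes from a separate clean system with the same package versions and the production tree is read from a live CD, at the cost of taking the box offline; files that differ legitimately between hosts (logs, configs, host keys) will show up and have to be excluded or reviewed.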
 
LVL 3

Author Closing Comment

by:coanda
ID: 36934433
I hadn't thought to use a Live CD to verify the packages that are installed, that makes sense.

Thanks.