Solved

Adding IDS to system after deployment

Posted on 2011-09-30
Last Modified: 2013-11-29
From what I've read I think I know already that the answer to this is "nope, not really", but I'll ask anyways. I've got a bunch of Linux servers that have been running for years, and I have no plans of rebuilding them from scratch, and I'd like to add an IDS to them. The tripwire documentation says that there's no way to ensure that the system hasn't already been compromised and therefore adding it will only help with future breaches. Fair enough.

But, if you wanted to anyways, would it be sufficient to scan the system using for example unhide, rkhunter, chkrootkit, and tiger first and then add an IDS? Or, would it be possible to create a virtual machine with the same package selection, add an IDS, build a configuration and database, and then copy those over to the production server?

Thanks.
0
Question by:coanda
6 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 36898136
Just add an IDS or, in Tripwire's case, a File Integrity Monitor such as OSSEC (both IDS and FIM) or AIDE, which is a Red Hat project now but only FIM.
-rich
0
 
LVL 3

Author Comment

by:coanda
ID: 36898152
Sorry, but that doesn't really answer the question. Are you suggesting that by adding FIM it will be aware of existing exploits to the system?

To be honest, I'm 99.9% certain that none of the systems have ever been compromised, but what can be done to make that 99.9999%? Are there any programs that I can run, eg. unhide/tiger/etc., to increase my confidence before adding an IDS?
0
 
LVL 63

Expert Comment

by:btan
ID: 36907575
Detecting tampering is what FIM should do really well. But one key security principle is to be secure by default, where the baseline image should already be hardened. E.g., SELinux provides the MAC, which would prevent low-hanging fruit from being exploited. There are others as well - http://www.puschitz.com/SecuringLinux.shtml

Also, ideally we can adopt security as defense in depth, meaning the unified layer in protecting your critical asset. In this case, your server, to make sure of availability. FIM can complement the hardened state; network security devices provide the perimeter monitoring, detection and prevention early. Minimally, push the sensor out to increase situation awareness and defence at the strategic point of control. I will say it as push the kill chain up.

But we have to balance as well with operational requirements and not go excessive. Hence the risk management to prioritise the investment and effort. Importantly, it should be a process and not a deploy-and-forget mentality.
0
 
LVL 3

Author Comment

by:coanda
ID: 36932624
Thanks, that's all useful information, but it doesn't really answer the original question. As I stated originally, I'm aware that the base system image should have an IDS/FIM installed right off the bat, but it wasn't, now I want to add it. What should I do now to add it correctly so that I can have a relatively high degree of certainty that the system is secure? Or does it even matter?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 36932844
You may try to verify the RPMs:
rpm -K * --nopgp (it's something like that)
But then again, how can you trust the rpm package now? It all depends on how far you want to go. A bootable live CD could be used to verify the MD5s of the files, but that requires you to take the boxes offline for a certain amount of time.
If it matters to you, it matters.
-rich
0
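The offline check suggested in the accepted answer, sketched as an added example that is not part of the original thread: booted from trusted live media, compare files on the suspect disk with a known-good manifest. It assumes the disk is mounted read-only at a hypothetical mount point and that the manifest uses the `md5sum`/`sha256sum` line layout and comes from a trusted source; all function names are illustrative.

```python
import hashlib
import os
import tempfile

ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}  # inferred from digest length

def hash_file(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_offline_root(root, manifest_lines):
    """Return {path: OK | MODIFIED | MISSING | SYMLINK | BAD_ENTRY}."""
    results = {}
    for line in manifest_lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or not path.startswith("/"):
            results[line] = "BAD_ENTRY"
            continue
        # Re-root the absolute path under the mount point of the suspect disk.
        target = os.path.join(root, path.lstrip("/"))
        if os.path.islink(target):
            # Absolute symlinks would resolve into the live system; report, don't follow.
            results[path] = "SYMLINK"
        elif not os.path.isfile(target):
            results[path] = "MISSING"
        elif hash_file(target, algo) == digest.lower():
            results[path] = "OK"
        else:
            results[path] = "MODIFIED"
    return results

def demo():
    # Constructed sample: fake mounted root, manifest expects "good <name>".
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("ls", b"good ls"), ("ps", b"altered ps")):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(data)
        manifest = [hashlib.sha256(b"good " + n.encode()).hexdigest() + "  /bin/" + n
                    for n in ("ls", "ps", "ss")]
        return verify_offline_root(root, manifest)
```

Running the hashing from the live environment means the suspect system's own binaries and kernel are never trusted to report on themselves.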
 
LVL 3

Author Closing Comment

by:coanda
ID: 36934433
I hadn't thought to use a Live CD to verify the packages that are installed, that makes sense.

Thanks.
0
