This page is about a project to develop the IDS model further and create a free host based intrusion detection system (HIDS) for everyone that is well integrated into the operating system and coupled with user activities.
It uses tripwire as IDS and Debian as OS but could also be extended to other operating systems and IDS'. Hence this page could be moved to another wiki, if appropriate, later.
Cybersecurity experts are needed to make this a reality.
Once tripwire has been set up as described here the steps for a single tripwire scan are as follows:
- Disconnect from the Internet
- Insert the USB stick. Open it with dolphin and close dolphin again to make the USB stick available.
Open ?VeraCrypt click on the slot you selected earlier, select the volume-file on the USB stick and mount it using 2 passwords.
Run cd /media/veracrypt10/
Run sudo ./sbin/tripwire --check and let it run through
Run sudo ./sbin/twprint -m r --twrfile pathtothegeneratedtwrfile > nameofthegeneratedtwrfile-descriptionofwhatyoudidinthemeantime (for example sudo ./sbin/twprint -m r --twrfile ./report/name-20170808.twr > name-20170808-installed-firefox-and-removed-kdeconnect)
- Inspect the changes by opening the generated file with a texteditor such as kate. Sadly Debian isn't yet integrated well with tripwire so there likely will be a lot of changes. Look for suspicious changes that you didn't cause yourself - especially modified critical files. By this you also learn more about the operating system by gaining more insight into what files change when.
Update your database by running export DISPLAY=:0; sudo ./sbin/tripwire --update -Z low -V nano --twrfile ./report/filename.twr, pressing ctrl+x and entering your local key
Run cd ../.. and dismount the encrypted volume in ?VeraCrypt
- Backup the file again. You could store it on a read-only medium (CD/DVD) once in a while in case your database file becomes corrupted.
- Reconnect to the Internet
Suggested improvements to the IDS (IDS in general and tripwire in particular) are:
- Automating the above steps so you basically just have to insert the USB stick and enter your password.
- Mechanisms to adequately compare the machine against another machine or virtual machine set up in the same way (same packages installed etc; basically synchronized computers)
Showing diffs of relevant textfiles and configuration files such as the bash history and the sudoers file. Don't just show that these have changed but what has changed (e.g. which commands have been executed).
- Coupling it with installations, deinstallations and updates. For instance by developers (or communities) specifying exactly which files change in which way (hashes) and excluding these changes from the report. If the package-changes are okay it could display entries like "deinstalled firefox, installed chrome" that summarize the actions without showing all the files that changed in case that these high-level changes weren't actually initiated by the user himself.
- Coupling it with rkhunter and chkrootkit so you only initiate one scan and get one report that shows relevant findings of their scans too.
- Coupling it with the firewall, syslog and things like scanlogd to report strange packets, port-scans, attacks, etc.
- Not just sending emails but showing a notification that opens the report or shows relevant findings.
- Real-time detections.
- Automatic backups to preconfigured media as soon as it's plugged in and there are changes (not replacing the old backup but removing the oldest backup after the backup has finished).
- Build in analysis and explanation of changes. This can also help with IDS reports helping people learn the internals of GNU/Linux (by seeing changes to its files).