Common Security Checking Tool
Mentor: [JavierFernandezSanguino Javier Fernandez-Sanguino]
Summary: Develop a security check tool to replace one currently provided by default in Debian
Required skills:
- C or Perl programming (C preferred)
- (recommended) knowledge of OS security and (host-based) IDS
Description
The goal of this project is to develop a new, robust (not shell-script based) security checking tool that monitors Debian systems for intrusion attempts: in essence, an intrusion detection tool. Once developed, this tool would replace the one currently installed by default in Debian (checksecurity), which is somewhat limited and fragile.
The tool should build on the experience of existing tools, including checksecurity and Tiger, which are already available in Debian. The developer should also review what other projects ship as their stock security check tool.
This tool should:
- run independently from cron (rationale: cron only launches jobs, it is not a task supervisor and cannot cope with checks that hang or run amok, so the tool needs its own scheduling with timeouts)
- implement common host-level security checks (please review the checks available in Debian's checksecurity and other tools)
- be modular, so that new security checks can be "plugged in" easily
- provide multiple alert mechanisms (at least SNMP, e-mail and syslog)
- make it easy to integrate the information from different intrusion detection agents in a single console
Notice that "security checks" covers anything that affects availability, confidentiality or integrity. That is, this tool should not be limited to host-based intrusion detection (HIDS).
Optionally, an integration layer should make it possible to send and acknowledge security alerts in open-source security information management systems such as Prelude (through libprelude) and Ossim.
This tool would eventually replace checksecurity and would be installed as part of the standard operating system, so it must work on very simple systems (i.e. only standard packages), with some functionality "activated" only when additional libraries are installed.
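The following is an added example sketching the runner core that the requirements above imply; it is not code from checksecurity, Tiger or any Debian package. Each check is a separate process executed under a wall-clock deadline, so a check that hangs or runs amok is killed rather than stalling the whole run (the reason for not relying on cron), checks are rows in a table rather than edits to the runner (the modularity point), and outcomes go to syslog (one of the required alert channels). The exit-code convention (0 clean, 1 finding, anything else error), the check names and the two sample find-based checks are assumptions of this example, and it needs only libc and /bin/sh, i.e. nothing beyond a standard installation.

```c
/* Added example (not checksecurity, Tiger or any Debian code): a minimal
 * check runner that executes each security check as a separate process
 * under a wall-clock deadline, reports the outcome via syslog, and kills
 * a check that runs amok instead of letting it stall the whole run.
 * The exit-code convention (0 clean, 1 finding, anything else error) is
 * an assumption of this example. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>

enum check_result { CHECK_OK = 0, CHECK_ALERT, CHECK_TIMEOUT, CHECK_ERROR };

/* A pluggable check: a name, the argv to execute and its deadline. */
struct check {
    const char *name;
    char *const *argv;
    unsigned timeout_sec;
};

static const char *result_name(enum check_result r)
{
    static const char *names[] = { "ok", "alert", "timeout", "error" };
    return names[r];
}

/* Run one check in a child process; kill its whole process group if it
 * exceeds the deadline. Returns the classified outcome. */
enum check_result run_check(const struct check *c)
{
    pid_t pid = fork();
    if (pid < 0)
        return CHECK_ERROR;
    if (pid == 0) {
        setpgid(0, 0);            /* own group, so kill(-pid) reaches children too */
        execv(c->argv[0], c->argv);
        _exit(127);               /* exec failed */
    }
    setpgid(pid, pid);            /* also from the parent to close the race; EACCES after exec is harmless */
    time_t deadline = time(NULL) + c->timeout_sec;
    for (;;) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid) {
            if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
                return CHECK_OK;
            if (WIFEXITED(status) && WEXITSTATUS(status) == 1)
                return CHECK_ALERT;
            return CHECK_ERROR;   /* crashed, signalled or exec failed */
        }
        if (r < 0)
            return CHECK_ERROR;
        if (time(NULL) >= deadline) {
            kill(-pid, SIGKILL);  /* the check ran amok: kill the whole group */
            waitpid(pid, &status, 0);
            return CHECK_TIMEOUT;
        }
        struct timespec tick = { 0, 100000000L }; /* poll every 100 ms */
        nanosleep(&tick, NULL);
    }
}

/* Convenience wrapper: run a shell one-liner as a check and log the outcome. */
enum check_result run_shell_check(const char *name, const char *cmd, unsigned timeout_sec)
{
    char *const argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    struct check c = { name, argv, timeout_sec };
    enum check_result r = run_check(&c);
    /* syslog is one of the required alert channels; a real tool would put
       e-mail and SNMP traps behind the same reporting interface. */
    syslog(r == CHECK_OK ? LOG_INFO : LOG_WARNING, "check %s: %s", name, result_name(r));
    return r;
}

int main(void)
{
    openlog("seccheck", LOG_PID, LOG_DAEMON);
    /* Check table (assumed sample checks): adding a check means adding a row.
       find exits 0 even when it finds something, so matches are turned into
       exit status 1 via the [ -z ... ] test. */
    struct { const char *name; const char *cmd; unsigned timeout; } checks[] = {
        { "world-writable-in-tmp", "[ -z \"$(find /tmp -xdev -type f -perm -0002 2>/dev/null)\" ]", 60 },
        { "setuid-under-usr-bin",  "[ -z \"$(find /usr/bin -xdev -type f -perm -4000 2>/dev/null)\" ]", 120 },
    };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++) {
        enum check_result r = run_shell_check(checks[i].name, checks[i].cmd, checks[i].timeout);
        printf("%-24s %s\n", checks[i].name, result_name(r));
    }
    closelog();
    return 0;
}
```

The deadline is enforced by the runner, not the check, and the child is placed in its own process group so that a check which spawns helpers (find, grep, a pipeline) is killed as a whole; a real implementation would also want to capture the check's output for the alert body and add a per-check resource limit (setrlimit) in the child before exec.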
