Yes Virginia, There is a Cracker in Your Box
Best of ENP: With Samhain, your enterprise-grade IDS tasks will involve a few less tricks and a lot more treats.
The term IPS (Intrusion Prevention System) is tied closely to the term IDS (Intrusion Detection System). Bad things happen, and you need to be able to detect when a server has been broken into, not solely focus on preventing intrusions. The problem is that many host intrusion detection systems focus on monitoring only one host. The enterprise IT world isn't generally interested in applications that don't scale, and this is precisely where Samhain shines.
It's called Samhain, but we're not talking about the precursor to Halloween. Samhain, the IDS, is the first open source solution of its sort to consider real-world needs. The term "solution" invokes feelings of utopian computing, and shouldn't be used lightly. Be assured that we're calling Samhain the host monitoring solution for a reason. Samhain monitors Unix, Linux, OS X and even Windows servers. It takes security very seriously, as we'll see shortly. This article will explain the need for host intrusion detection, discuss why other solutions fall short, and introduce Samhain's capabilities. Next week we'll provide a detailed Samhain installation and usage tutorial.
What is host integrity monitoring? Simply put, it means that you're checking to see if files have changed. A checksum is taken of each file that you want monitored, then compared to a known-good checksum of the same file, normally stored in a secure database. Cryptographically, this makes good sense. If one byte of the file has changed then the checksum will also change. It's very hard for crackers to maintain a lasting presence on your machine without modifying something, so chances are good that you'll know quickly when an intrusion has taken place.
Unfortunately, the daily operation of a server also involves many file changes, not just by system administrators, but also by the OS itself. Much in the way that snort overloads network administrators with too much information, IDSes also flood the admin with notices of changed files. The solution, of course, is to spend an inordinate amount of time tuning the IDS to fit your needs. No matter what IDS you choose, this is a necessary step to glean useful information from the system. Samhain (and others) provide some very good "starting point" templates for each of the major operating systems that will save you a tremendous amount of time.
Observe this quick example to drive home the reality of file integrity monitoring. Using one of our favorite operating systems, Solaris, as an example, think about what happens when a user logs into the console. Certain device nodes in /dev get modified: The ownership of these files must change to the user that is currently logged in. This is necessary to allow the user access to sound cards, frame buffers, USB ports, and more (Linux does this too). The reason this is a very important consideration is that crackers tend to enjoy hiding things within /dev. By that, I mean their rootkits are programmed by skilled people to do this. It's a wonderfully cryptic place where not many admins are comfortable, so hiding files is really quite easy in /dev. So, if you want to monitor /dev in Solaris land, you'll soon notice that you're getting flooded with notices about files changing: /dev/usb, /dev/fb, etc. When the list of files that changed becomes too long to glance at, it gets ignored. Maybe not the first month after you've installed this fancy new IDS software, but soon the reports will inevitably get ignored. A good starting point that minimizes the amount of customizations necessary goes a long way towards ensuring a long and prosperous IDS installation.
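The baseline-and-compare loop described above, with the per-directory tuning that the /dev example calls for, as an added illustration in Python (this is not Samhain's code; the relative-path layout, the policy format and the throwaway sample tree are constructed for the demo):

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path):
    """Attributes an integrity check compares for one file (content hash only for regular files)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def build_baseline(root):
    """Walk a tree and record every file, keyed by path relative to root."""
    return {os.path.relpath(os.path.join(d, n), root): file_record(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def compare(baseline, root, policy=None):
    """Diff the live tree against the baseline. policy maps a path prefix to the
    attributes allowed to change there (the ownership/mode churn under dev/)."""
    policy = policy or {}
    current = build_baseline(root)
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()), "changed": {}}
    for p in sorted(baseline.keys() & current.keys()):
        allowed = set().union(*(a for prefix, a in policy.items() if p.startswith(prefix)))
        diffs = [k for k in baseline[p] if k not in allowed and baseline[p][k] != current[p].get(k)]
        if diffs:
            report["changed"][p] = diffs
    return report

def demo():
    """Constructed self-check: baseline a throwaway tree, tamper with it, compare with and without tuning."""
    root = tempfile.mkdtemp()
    Path(root, "etc").mkdir()
    Path(root, "dev").mkdir()
    Path(root, "etc", "passwd").write_text("root:x:0:0\n")
    Path(root, "dev", "fb0").write_text("")
    os.chmod(Path(root, "dev", "fb0"), 0o644)
    baseline = build_baseline(root)
    Path(root, "etc", "passwd").write_text("root:x:0:0\nevil:x:0:0\n")  # tampered content
    os.chmod(Path(root, "dev", "fb0"), 0o600)  # the expected login-time churn
    Path(root, "dev", ".hidden").write_text("x")  # a new file appearing under dev/
    dev_policy = {"dev/": {"mode", "uid", "gid"}}  # tune out permission/owner flips there
    return compare(baseline, root, dev_policy), compare(baseline, root)
```

The tuned report still flags the tampered passwd file and the new file under dev/, while the untuned one also reports the harmless mode flip on dev/fb0, which is exactly the noise that gets reports ignored.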
To monitor hosts, we've said that a baseline known-good database must be stored in a secure location, and only be updated by system administrators. Anyone who has run Tripwire, the free version, knows that a lot of scripting is involved to develop a centralized database and keep it updated when authorized file changes happen on your monitored hosts. It is far from easy. Osiris is the other major player in IDSes. It does offer centralized management and ease of updating signature databases, but it isn't quite as finely tuned as Samhain.
Samhain, coupled with its web interface, "Beltane," provides an excellent and easy to use system for monitoring, i.e. viewing logs, and centrally updating signature databases. You can view a Web page that lists all your hosts, a summary of changes for those hosts, and issue an update command all in less time than it takes to go get a cup of coffee. Samhain makes IDS a pleasure, even when dealing with thousands of hosts.
Being an IDS software package, you'd expect that the authors are very security conscious individuals. That is exactly correct: Samhain, in its normal course of file monitoring, can perform some pretty neat tricks. Samhain is able to hide itself from the process list so that attackers won't know it's running, and it can also monitor for new and strange kernel modules that get installed on your system. Also, Samhain's configuration files are checksummed, so attackers can't modify the configs if they happen to discover Samhain is running. There is a password hard-coded in the binary application, along with the baseline database's IP address. Then, of course, the binary is checksummed to prevent crafty people from modifying the program itself.
They really have thought of everything, and this is only the tip of the iceberg. During the installation tutorial most of the other built-in security measures will surface, because after all, increased security translates directly to decreased ease of use. The installation process may be a bit harrowing, but we'll guide you through that next week.