[TriLUG] host intrusion detection for mere mortals?

Tom Roche Tom_Roche at pobox.com
Wed Sep 10 19:38:53 EDT 2014


summary: How reasonable is AIDE+ClamAV for an "anti-spyware" requirement? Alternatively, are there more functional HIDS with documentation sufficient for non-security-professionals, and which would not require major knowledge/maintenance/money/time investment?

details:

As previously mentioned[1], I'm setting up a box to run a VPN with particular requirements newly set by a security contractor (and for which only Windows examples are provided):

1. must have static IP# (or pre-register whenever it changes)
2. must firewall
3. must run antivirus
4. must run "anti-spyware" (more below)
5. must regularly update (or "patch," in their Windowsese)

I am *not* (unfortunately) a "security professional," and have other work to do--I'm just setting this up to clear this new hurdle. I have nothing against good security, but I also have distinctly limited resources to invest in its implementation.

Fortunately, the last requirement is easily met by debian (or any OS/distro with a decent package-management system), and the first two requirements are easily met with a linode[2] (and pretty cheaply, too). ClamAV's documentation isn't as good as linode's, but I got ClamAV set up fairly quickly, and should have that setup scripted soon as well.

So now I'm looking @ anti-spyware/HIDS ... but their setup seems to be *much* less well documented for folks for whom security is their sideline and not their profession. I note[4]

> I would recommend a HIDS, such as Ossec or Samhain coupled with a simple utility like Aide that will tell you if system files have been modified (i.e. you have spyware).

Both AIDE[5] and Samhain[6] have debian packages, which works for me. Samhain and OSSEC[7] seem much more functional than AIDE, but I'm not seeing any beginner-grade howto/tutorials for either--am I missing something? Samhain also seems to require running an RDBMS on a management node (no?), which I'd prefer to avoid.

AIDE also has the advantage of the FileIntegrityAIDE[8] doc, which is "about my level." AIDE's main disadvantage (IIUC) is that it's just a file integrity checker, and therefore less functional than a fuller HIDS like OSSEC or Samhain. OTOH, I believe I understand (please lemme know if I'm missing anything) how to use AIDE to provide "anti-spyware" functionality on debian, in concert with the update requirement:

1. On app update, reinitialize the AIDE database.
2. Daily (default): run AIDE cronjob, emailing results.

Seems pretty straightforward--no? However, the requirement I'm trying to meet is[9]

>> P-2c. Some version of anti-spyware software installed, running, configured, and patched with the latest pattern files.  The software must perform a complete system scan at least once a week.

and "pattern files" aren't part of the file-verification workflow. But they *are* part of antivirus workflow, and particularly of ClamAV's. So I'm wondering, what protection(s) of significance would AIDE+Clam *not* provide, and what would be the easiest ways to fill significant gaps (if any)?

TIA, Tom Roche <Tom_Roche at pobox.com>

[1]: http://www.trilug.org/pipermail/trilug/Week-of-Mon-20140825/072098.html
[2]: See their docs https://www.linode.com/docs/getting-started/ and https://www.linode.com/docs/security/securing-your-server/ . I'm also impressed by linode's StackScript[3] facility for setup automation; I wrote one to automate the basic install, which I should be publishing as a "Community StackScript" after a bit more tire-kicking.
[3]: https://www.linode.com/stackscripts/
[4]: http://www.trilug.org/pipermail/trilug/Week-of-Mon-20140825/072099.html
[5]: http://en.wikipedia.org/wiki/Advanced_Intrusion_Detection_Environment
[6]: http://en.wikipedia.org/wiki/Samhain_%28software%29
[7]: http://en.wikipedia.org/wiki/OSSEC
[8]: https://help.ubuntu.com/community/FileIntegrityAIDE 
[9]: http://www.trilug.org/pipermail/trilug/Week-of-Mon-20140825/072098.html
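The two-step AIDE workflow in the post (reinitialize the database after package updates; run a daily check and email the results), as an added example written for this thread rather than taken from the post or from the AIDE project. It assumes Debian's default database paths under /var/lib/aide, a hypothetical marker file that an APT post-invoke hook would touch after upgrades, a working `mail` command, and the wording of AIDE's `--check` summary ("Added/Removed/Changed entries", or "files" in older releases). The one design choice worth noting: the diff is mailed for review before the new baseline is accepted, so a reinitialization never silently blesses whatever the upgrade (or anything else) wrote.

```shell
#!/bin/sh
# Added example (not from the original post or from AIDE): daily AIDE wrapper
# for Debian. Assumed: Debian default database paths, a hypothetical marker
# file touched by an APT post-invoke hook, and AIDE's --check summary wording.

AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db}
AIDE_DB_NEW=${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}
REINIT_FLAG=${REINIT_FLAG:-/var/lib/aide/.reinit-needed}   # hypothetical marker
MAILTO=${MAILTO:-root}

# Returns 0 if the report in file $1 says the filesystem differs from the
# database, 1 if it reports no changes (the "found NO differences" message).
report_has_changes() {
    grep -q 'found differences between database and filesystem' "$1"
}

# Prints "added removed changed" counts parsed from the report summary in $1.
# Accepts both the "entries" wording (AIDE 0.16+) and the older "files" wording;
# a missing line counts as 0.
report_counts() {
    awk '/^ *Added (entries|files):/   {a=$NF}
         /^ *Removed (entries|files):/ {r=$NF}
         /^ *Changed (entries|files):/ {c=$NF}
         END {printf "%d %d %d\n", a, r, c}' "$1"
}

# Daily job: run the check, mail the report only when something changed, then,
# if packages were updated since the last run, accept the current state as the
# new baseline. The mail goes out before the reinit so the diff is reviewable.
daily_aide_job() {
    report=$(mktemp) || return 1
    aide --check >"$report" 2>&1   # non-zero exit is expected when files changed
    if report_has_changes "$report"; then
        mail -s "AIDE: changes on $(hostname) (added/removed/changed: $(report_counts "$report"))" \
             "$MAILTO" <"$report"
    fi
    if [ -e "$REINIT_FLAG" ]; then
        aide --init >/dev/null 2>&1 && mv "$AIDE_DB_NEW" "$AIDE_DB" && rm -f "$REINIT_FLAG"
    fi
    rm -f "$report"
}

# Only run the real job when invoked with "run" (e.g. from /etc/cron.daily);
# sourcing the file merely defines the functions.
if [ "${1:-}" = run ]; then
    daily_aide_job
fi
```

Install as /etc/cron.daily/aide-check (invoking it with `run`), and have the APT hook touch the marker file after each upgrade; the reinit then happens on the next daily run, after that run's report has been mailed.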

