[TriLUG] host intrusion detection for mere mortals?

matt at noway2.thruhere.net
Thu Sep 11 17:05:24 EDT 2014


> summary: How reasonable is AIDE+ClamAV for an "anti-spyware" requirement?
> Alternatively, are there more functional HIDS with documentation
> sufficient for non-security-professionals, and which would not require
> major knowledge/maintenance/money/time investment?
>
First off, remember that Antivirus primarily detects Windows malware. 
Antivirus is predominantly a Windows concept, not a Linux concept.

AIDE is pretty effective, but it is manual.  I would recommend setting up
a cron task to run it.  On one machine I have it installed and have simply
added this "5  4  *  *  * /usr/sbin/aide --check" to root's crontab.
Every day I get an email from root like the following:

AIDE found differences between database and filesystem!!
Start timestamp: 2014-09-11 04:05:01

Summary:
  Total number of files:        112568
  Added files:                  21
  Removed files:                21
  Changed files:                23


---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/log/clamav/clamd.log-20140907
added: /var/log/clamav/clamd.log-20140831
added: /var/log/clamav/freshclam.log-20140907
added: /var/log/clamav/freshclam.log-20140831

OSSEC is pretty easy to install and use.  The hardest part of OSSEC is
that it gets compiled on your system.  It has been a while since I have
installed it, but from what I remember it is well documented and the
instructions are straightforward.

Other HIDS like Samhain are decent, but more difficult to install.

One other factor to consider is rootkit detection.  While rootkits are
not all that common anymore, you might want to use a tool that is up to
date.

One final thing I would suggest is to use a tool like logwatch to give you
a daily report of the significant events from your log files.  It only
takes a few seconds to review it and will give you a good indication as to
whether something is out of the ordinary.
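The daily AIDE mail above is mostly log-rotation noise (the dated clamav logs), which is exactly what makes people stop reading it. The following is an added example, not code from the original post: a small POSIX sh filter that drops the expected churn from an AIDE report and leaves only the entries worth a look, so the cron job can mail a short list (or nothing) instead of the full report. The sample report embedded in it is constructed to mirror the one in the post, the allow-list regex is illustrative, and the `/usr/local/bin/aide-filter.sh` path in the cron comment is a hypothetical install location.

```shell
#!/bin/sh
# Added example (not from the original post): filter an AIDE report so that
# only changes outside an allow-list of expected churn are reported.
#
# Hypothetical cron use, piping the real report through the filter:
#   5 4 * * * /usr/sbin/aide --check | /usr/local/bin/aide-filter.sh --stdin

# Constructed sample report, modelled on the one quoted in the post.
# Two of the entries are rotated logs (expected); two are not.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!
Start timestamp: 2014-09-11 04:05:01

Summary:
  Total number of files:        112568
  Added files:                  3
  Removed files:                0
  Changed files:                1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/log/clamav/clamd.log-20140907
added: /var/log/clamav/freshclam.log-20140907
added: /usr/local/bin/helper

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/ssh/sshd_config
'

# Allow-list (illustrative): rotated logs under /var/log with a YYYYMMDD
# suffix, optionally gzipped. Anything else that AIDE lists is surfaced.
EXPECTED_RE='^(added|removed|changed): /var/log/[^ ]*-[0-9]{8}(\.gz)?$'

# Read an AIDE report on stdin and print only the entries not covered by
# the allow-list. Prints nothing when every change was expected.
unexpected_changes() {
    grep -E '^(added|removed|changed): ' | grep -Ev "$EXPECTED_RE" || true
}

# Exit 0 when the report (passed as $1) contains no unexpected entries,
# 1 otherwise; useful as the condition for whether to send mail at all.
check_report() {
    n=$(printf '%s\n' "$1" | unexpected_changes | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Entry point: with --stdin, filter the real report piped in by cron;
# otherwise demonstrate on the constructed sample.
if [ "$1" = "--stdin" ]; then
    report=$(cat)
else
    report=$SAMPLE_REPORT
fi
printf '%s\n' "$report" | unexpected_changes
```

Keep the allow-list narrow: a regex that quietly swallows everything under `/var/log` would also hide a log that was truncated or replaced, and the whole point of AIDE is that the database, not the attacker, decides what "normal" looks like. Review the full report when `check_report` fails, and re-run `aide --update` only after you have accounted for every remaining line.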

