How about HIDS functions?

Discuss and suggest new grsecurity features

Moderators: spender, PaX Team

How about HIDS functions?

Postby pdh0710 » Sun Oct 26, 2014 7:17 am

(Please excuse my poor English)

Hi... I am a newbie for grsecurity.

I'm performing a project that builds stand-alone IPS(Intrusion Prevention System/Software) system using Suricata,
now.
For self protection of the IPS system, I'm planning to install MAC(Mandatory Access Control) and HIDS(Host-based
Intrusion Detection Software) at the IPS system. And I could know about grsecurity as a MAC, and I am astonished
that grsecurity has a lot of functions though not well known than SeLinux.

I am considering OSSEC as HIDS. HIDS is very needed for my IPS system. Because if a attacker attempts to modify
or replace system files/commands, the administrator of my IPS system should know it and should prevent it. OSSEC
has sophisticate HIDS functions for my purporse.
However recently I could realize that the functions for my purpose(reporting and preventing attempts to modify or
replace system files/commands) are accomplished very efficiently if MAC supports the functions. But SeLinux is
very very complex, so I could not find ways for my purpose.
I could see the simple introductions for grsecurity functions at the homepage, and could not find suitable functions
for my purpose.

How do you think about grsecurity embracing basic HIDS functions?

(if grsecurity has already implemented the functions, reporting and preventing attempts to modify or replace
system files/commands, please let me know where I can find related information)
Last edited by pdh0710 on Sun Oct 26, 2014 4:49 pm, edited 3 times in total.
pdh0710
 
Posts: 7
Joined: Sun Oct 26, 2014 5:19 am

Re: How about HIDS functions?

Postby spender » Sun Oct 26, 2014 8:36 am

Grsecurity's RBAC will prevent the modification of system binaries. I don't see much benefit in things like Tripwire where the system in general hasn't been hardened against tampering. Why just log when a binary has been maliciously modified when you can prevent the damage before it happens? If you need logging when an administrator legitimately updates system binaries, the auditing facilities of grsecurity's RBAC can do that too.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: How about HIDS functions?

Postby pdh0710 » Sun Oct 26, 2014 11:18 am

I agree. prevention is most important. But If you can not prevent malicious attacks sufficiently,
then should generate alerts at least. So network IDS like Snort or host IDS like Tripwire/OSSEC
are widely used, I think.
Any way, the auditing facilities of grsecurity have sufficient alert functions like HIDS?
Last edited by pdh0710 on Sun Oct 26, 2014 12:21 pm, edited 3 times in total.
pdh0710
 
Posts: 7
Joined: Sun Oct 26, 2014 5:19 am

Re: How about HIDS functions?

Postby spender » Sun Oct 26, 2014 11:24 am

The auditing just emits kernel logs -- if you need anything else on top of that you'd need to add it to syslog (preferably logging remotely) or parse out the logs where they're stored.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: How about HIDS functions?

Postby pdh0710 » Sun Oct 26, 2014 11:50 am

So... If I can combine some system log facilities and grsecurity, then I can get what I want... right?
Thanks a lot for your quick reply, Brad.
pdh0710
 
Posts: 7
Joined: Sun Oct 26, 2014 5:19 am


Return to grsecurity development

cron