How about HIDS functions?

PostPosted: Sun Oct 26, 2014 7:17 am
by pdh0710
(Please excuse my poor English)

Hi... I am a newbie to grsecurity.

I'm currently performing a project that builds a stand-alone IPS (Intrusion Prevention System/Software) using Suricata.
For self-protection of the IPS system, I'm planning to install MAC (Mandatory Access Control) and HIDS (Host-based Intrusion Detection Software) on the IPS system. I came to know about grsecurity as a MAC, and I am astonished that grsecurity has a lot of functions, though it is not as well known as SELinux.

I am considering OSSEC as HIDS. HIDS is very much needed for my IPS system, because if an attacker attempts to modify or replace system files/commands, the administrator of my IPS system should know it and should prevent it. OSSEC has sophisticated HIDS functions for my purpose.
However, recently I realized that the functions for my purpose (reporting and preventing attempts to modify or replace system files/commands) are accomplished very efficiently if the MAC supports them. But SELinux is very, very complex, so I could not find ways for my purpose.
I could see the simple introductions to grsecurity functions on the homepage, but could not find suitable functions for my purpose.

What do you think about grsecurity embracing basic HIDS functions?

(If grsecurity has already implemented these functions, reporting and preventing attempts to modify or replace system files/commands, please let me know where I can find related information.)

Re: How about HIDS functions?

PostPosted: Sun Oct 26, 2014 8:36 am
by spender
Grsecurity's RBAC will prevent the modification of system binaries. I don't see much benefit in things like Tripwire where the system in general hasn't been hardened against tampering. Why just log when a binary has been maliciously modified when you can prevent the damage before it happens? If you need logging when an administrator legitimately updates system binaries, the auditing facilities of grsecurity's RBAC can do that too.

-Brad

Re: How about HIDS functions?

PostPosted: Sun Oct 26, 2014 11:18 am
by pdh0710
I agree. Prevention is most important. But if you cannot prevent malicious attacks sufficiently, then you should at least generate alerts. So network IDS like Snort or host IDS like Tripwire/OSSEC are widely used, I think.
Anyway, do the auditing facilities of grsecurity have sufficient alert functions like a HIDS?

Re: How about HIDS functions?

PostPosted: Sun Oct 26, 2014 11:24 am
by spender
The auditing just emits kernel logs -- if you need anything else on top of that you'd need to add it to syslog (preferably logging remotely) or parse out the logs where they're stored.

-Brad
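
Brad's point above is that RBAC auditing only emits kernel log lines, and anything HIDS-like (alerts, severity, who touched what) has to be built on top by parsing them. The script below is an added example illustrating that, not code from grsecurity or from anyone in this thread: it scans kernel log text for RBAC audit messages and turns attempts to write, delete or rename files under system directories into alerts, separating denied (blocked tampering) events from successful (audited, e.g. package-manager) changes. The log lines are constructed for the example and only modelled on the general `grsec: (user:role:subject) denied|successful ...` shape; the exact wording, the regex, the watched directories and the operation names are assumptions to be checked against the real kernel output before use.

```python
"""Turn grsecurity RBAC audit lines from the kernel log into HIDS-style alerts.

Added example for this thread, not grsecurity's own code. The log layout
parsed here is an assumption modelled on grsecurity's audit messages; verify
the real wording on your kernel and adjust GRSEC_RE accordingly.
"""
import re
from dataclasses import dataclass

# Constructed sample kernel log (NOT real output): one blocked write to a
# binary, one audited write by the package manager, one blocked unlink, one
# read of a sensitive file (not a modification) and one unrelated sshd line.
SAMPLE_LOG = """\
Oct 26 11:30:01 ips kernel: grsec: (root:U:/) denied open of /usr/bin/suricata for writing by /usr/bin/vim[vim:2417] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2390] uid/euid:0/0 gid/egid:0/0
Oct 26 11:30:05 ips kernel: grsec: (root:A:/) successful open of /usr/bin/suricata for writing by /usr/bin/dpkg[dpkg:2500] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/apt-get[apt-get:2499] uid/euid:0/0 gid/egid:0/0
Oct 26 11:30:09 ips kernel: grsec: (root:U:/) denied unlink of /bin/ls by /bin/rm[rm:2530] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2390] uid/euid:0/0 gid/egid:0/0
Oct 26 11:30:11 ips kernel: grsec: (root:U:/) denied open of /etc/shadow for reading by /bin/cat[cat:2540] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2390] uid/euid:0/0 gid/egid:0/0
Oct 26 11:30:12 ips sshd[2600]: Accepted publickey for admin from 192.0.2.10 port 51514 ssh2
"""

# Directories treated as "system files/commands" (assumed; tune per host).
WATCHED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/etc/")

# Operations that change a file's contents or presence (assumed operation names).
MUTATING_OPS = {"open", "unlink", "rename", "link", "chmod", "chown", "truncate"}

# Assumed shape: grsec: (user:role:subject) <outcome> <op> of <path> [for reading|writing] by <exe>[<comm>:<pid>]
GRSEC_RE = re.compile(
    r"grsec: \((?P<user>[^:]+):(?P<role>[^:]+):(?P<subject>[^)]+)\) "
    r"(?P<outcome>denied|successful) (?P<op>\w+) of (?P<path>\S+?)"
    r"(?: for (?P<mode>reading|writing))? by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)


@dataclass
class Alert:
    severity: str  # "high" = RBAC blocked a tampering attempt, "info" = audited legitimate change
    path: str
    op: str
    exe: str
    pid: int
    message: str


def parse_line(line):
    """Return the parsed audit fields as a dict, or None for non-RBAC lines."""
    m = GRSEC_RE.search(line)
    return m.groupdict() if m else None


def is_system_path(path):
    return path.startswith(WATCHED_PREFIXES)


def classify(event):
    """Map one parsed audit event to an Alert, or None if it is not a modification of a system file."""
    if not is_system_path(event["path"]) or event["op"] not in MUTATING_OPS:
        return None
    # An open for reading does not modify the file, so it is not tampering.
    if event["op"] == "open" and event.get("mode") != "writing":
        return None
    pid = int(event["pid"])
    who = f"{event['exe']}[{pid}]"
    if event["outcome"] == "denied":
        msg = f"RBAC blocked {event['op']} of {event['path']} by {who}"
        return Alert("high", event["path"], event["op"], event["exe"], pid, msg)
    msg = f"RBAC audited {event['op']} of {event['path']} by {who} (role {event['role']})"
    return Alert("info", event["path"], event["op"], event["exe"], pid, msg)


def alerts_from_log(text):
    """Run every line of the log text through the parser and classifier."""
    alerts = []
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in alerts_from_log(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.message}")
```

In practice the input would be the kernel log as delivered by syslog (ideally on a separate log host, as Brad suggests, so an attacker who has defeated the local policy cannot quietly erase the evidence), and the "info" alerts for successful writes give the audit trail of administrator updates that the first reply mentions.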

Re: How about HIDS functions?

PostPosted: Sun Oct 26, 2014 11:50 am
by pdh0710
So... if I can combine some system log facilities and grsecurity, then I can get what I want... right?
Thanks a lot for your quick reply, Brad.