7. Cheesewire
Cheesewire has Tripwire-like
functionality (monitoring MD5 checksums, inode numbers, sizes, etc. of files);
in addition, Cheesewire monitors all network connections and all root-owned
processes and compares them to known signatures, using lsof to check the
signatures of all processes and network connections.
7.1. Remarks on IDS Configuration
A poorly installed and configured IDS runs from rewritable media
(e.g., a hard disk) on the monitored host and relies on the standard OS
utilities and libraries of that host:
- Home-Brewed MD5-based Systems
A simple IDS might consist of a set of Perl scripts which compare files,
and network and process activity, to known/expected values. A poor
installation of such an IDS relies on /usr/bin/perl, the
contents of /usr/lib/perl and several shared-object files from
/lib and /usr/lib. Trojanning any one of these invalidates the
output of the IDS without the IDS scripts themselves being touched: a
trojanned interpreter or shared library can return false answers to every
program that calls it, the checker included.
The solution is for the IDS to carry its own Perl installation and its own
copies of every shared object it uses --- and to use those copies and
nothing else. (This is what Cheesewire does.)
- Tripwire
Tripwire avoids the problem of trojanned shared-object
libraries --- it is a statically-linked binary. However, there is always
the possibility that the Tripwire binary itself could be trojanned or
replaced.
- Remote and Read-Only Media
The only way to be sure that an IDS and any system utilities or libraries
it uses are not trojanned is to install the whole lot, including all
OS libraries and utilities used, on read-only media, such as a CD-ROM,
and mount it from there (under the running OS). Even then the checker is
only as trustworthy as the running kernel that reads the media for it; a
kernel-level rootkit is outside what any user-space IDS can detect.
This still leaves the question of what to do with the IDS-related
database (of file sizes, inodes, checksums, etc.) --- rewriting the CD-ROM
each time the database needs updating is not a great option. (One can
keep the database on remote media, but this opens its own can of
worms: the remote store, and the path to it, then become part of what
has to be trusted.)
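The following is an added example, not Cheesewire or Tripwire code, covering two points from this section: the home-brewed checker that compares file checksums and inode data against a baseline, and the database problem raised under read-only media. It assumes (these are not from the page) that the baseline is a JSON document sealed with an HMAC whose key is kept with the checker on the read-only media (read here from an assumed IC_KEY environment variable), that SHA-256 is recorded beside the MD5 the page mentions, and that the checker refuses to report until its own interpreter and loaded native modules match pinned hashes, which is the "use your own copies" point applied to a Python rather than a Perl checker. Names such as `seal`, `unseal`, `self_check` and `ic.py` are hypothetical.

```python
"""Tripwire-style integrity checker plus a runtime self-check (added example;
not Cheesewire or Tripwire code). Assumed, not from the page: JSON baseline
sealed with an HMAC whose key lives with the checker on read-only media, and
SHA-256 recorded beside the page's MD5. POSIX metadata via os.lstat."""

import hashlib
import hmac
import json
import os
import sys

def digests(path):
    """MD5 and SHA-256 of a file's contents in one pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def file_record(path):
    """The fields a baseline compares: inode, size, mode, owner, mtime, checksums."""
    st = os.lstat(path)
    md5, sha = digests(path)
    return {"inode": st.st_ino, "size": st.st_size, "mode": st.st_mode,
            "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime),
            "md5": md5, "sha256": sha}

def build_baseline(root):
    """Record every regular file under root (symlinks and special files skipped);
    keys are paths relative to root so the same baseline works from any mount."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            records[os.path.relpath(path, root)] = file_record(path)
    return records

def seal(records, key):
    """Serialize the baseline and bind it to key with HMAC-SHA256, so a database
    kept on rewritable media cannot be quietly edited to match a trojanned file."""
    body = json.dumps(records, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "hmac": tag})

def unseal(blob, key):
    """Verify the HMAC before parsing; refuse a database that does not verify."""
    outer = json.loads(blob)
    expected = hmac.new(key, outer["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["hmac"]):
        raise ValueError("baseline database failed HMAC check; do not trust it")
    return json.loads(outer["body"])

def compare(baseline, current):
    """Added/removed files, and for changed files the list of fields that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}

def runtime_paths():
    """The checker's own dependencies: the interpreter and every compiled
    extension module loaded so far (the analogue of /usr/bin/perl and /usr/lib)."""
    paths = {sys.executable}
    for mod in list(sys.modules.values()):
        f = getattr(mod, "__file__", None)
        if f and f.endswith((".so", ".pyd")):
            paths.add(f)
    return sorted(paths)

def self_check(paths, pinned):
    """Return the runtime paths whose SHA-256 is unpinned, unreadable or does not
    match pinned[path]; an empty list means the checker's own toolchain is intact."""
    bad = []
    for path in paths:
        try:
            ok = hmac.compare_digest(digests(path)[1], pinned.get(path, ""))
        except OSError:
            ok = False
        if not ok:
            bad.append(path)
    return bad

if __name__ == "__main__":
    # Usage: ic.py init ROOT DB   or   ic.py check ROOT DB   (key in $IC_KEY)
    key = os.environ.get("IC_KEY", "change-me").encode()
    if sys.argv[1] == "init":
        with open(sys.argv[3], "w") as fh:
            fh.write(seal(build_baseline(sys.argv[2]), key))
    else:
        with open(sys.argv[3]) as fh:
            baseline = unseal(fh.read(), key)
        print(json.dumps(compare(baseline, build_baseline(sys.argv[2])), indent=1))
```

In a real deployment `self_check(runtime_paths(), pinned)` would run first, with the pinned hashes stored on the same read-only media as the checker, and any non-empty result would abort the run: a report produced by a trojanned interpreter is worth nothing. The HMAC only detects edits to a database kept on rewritable media; it does not stop an attacker who can also read the key, which is why the key belongs on the read-only media with the checker rather than on the monitored disk.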