HIPS/BB for Linux

Discussion in 'all things UNIX' started by nomarjr3, Jun 8, 2009.

Thread Status:
Not open for further replies.
  1. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    I'm looking for a HIPS or behavioral blocker for my Linux machine, to complement iptables.

    Any recommendation is highly appreciated :D
     
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello,
    What distro are you using?
    For Linux, generally you don't need extra security, but you may want to play around with SELinux.
    SELinux is based on policies.
    BTW, TBH, just enjoy Linux full speed!! If you didn't have any issues with security on Windows, you definitely won't on Linux.
     
    Last edited: Jun 8, 2009
  3. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
  4. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Best HIPS/HIDS for Linux, IMO, is Tripwire.
    It's available as commercial software and also as an open spin-off.
     
  5. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,
    This question is more appropriate for the Linux forum area.
    In fact there is no direct correlation Windows/Linux regarding HIPS.
    HIPS for Linux are rare, and as most Nix host monitoring programs are also network oriented, they are mostly considered as HIDS.
    I can mention some good examples that have not been previously listed:

    Systrace, a well known HIPS: http://www.citi.umich.edu/u/provos/systrace/
    Tiger: http://www.nongnu.org/tiger/
    OSSEC, an exhaustive HIDS with rootkit detection feature: http://www.ossec.net/
    SNARE, an excellent and modern IDS: http://www.intersectalliance.com/projects/Snare/index.html

    More than viruses/worms/spyware, Unix systems are mostly the target of rootkits and backdoors, and a protocol analyzer or sniffer is more recommended than an IDS for a personal computer.

    Rgds
     
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    A HIPS is not necessary. If you want something that "locks down processes" then you should look into SELinux or AppArmor. I recommend AppArmor if you're a newb. Both SELinux and AppArmor are what are known as Mandatory Access Controls.

    And, oh yeah, if you want a HIDS, then I suggest AIDE (free version of Tripwire), as the guy above mentioned.
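The Tripwire/AIDE suggestion in posts 4 and 6 boils down to one mechanism: hash every file once, keep the list somewhere trusted, and later diff the live tree against it. The following is an added example written for this thread, not Tripwire or AIDE's own code, that implements that core in POSIX sh on a constructed directory; the file names and contents in the demo are made up and not taken from any real system.

```sh
#!/bin/sh
# Added example, not from the thread and not Tripwire or AIDE themselves:
# the core of what those HIDS tools do, in POSIX sh. A baseline of file
# hashes is taken once; later runs compare the tree against it and report
# what changed, appeared or disappeared. Real tools also track permissions,
# owners, inodes and mtimes, and keep the baseline somewhere read-only.

# hash_tree DIR: "sha256  path" for every regular file under DIR, sorted by
# path so two runs are comparable line by line. (</dev/null keeps sha256sum
# from waiting on stdin if DIR happens to be empty.)
hash_tree() {
    find "$1" -type f -exec sha256sum {} + </dev/null | LC_ALL=C sort -k 2
}

# baseline DIR DB: write the trusted snapshot of DIR to DB.
baseline() {
    hash_tree "$1" > "$2"
}

# check DIR DB: print "CHANGED path", "REMOVED path" or "ADDED path" for
# each deviation from DB. Returns 0 when the tree matches, 1 otherwise.
# Paths containing whitespace are not handled (sha256sum's format splits on it).
check() {
    dir=$1; db=$2
    cur=$(mktemp)
    hash_tree "$dir" > "$cur"
    rc=0
    # pass 1: every baseline entry must still exist with the same hash
    # (FILENAME == ARGV[1] rather than NR == FNR, so an empty current
    # snapshot still reports every baseline entry as REMOVED)
    awk 'FILENAME == ARGV[1] { cur[$2] = $1; next }
         !($2 in cur)        { print "REMOVED " $2; bad = 1; next }
         cur[$2] != $1       { print "CHANGED " $2; bad = 1 }
         END { exit bad ? 1 : 0 }' "$cur" "$db" || rc=1
    # pass 2: anything on disk that the baseline never saw
    awk 'FILENAME == ARGV[1] { base[$2] = 1; next }
         !($2 in base)       { print "ADDED " $2; bad = 1 }
         END { exit bad ? 1 : 0 }' "$db" "$cur" || rc=1
    rm -f "$cur"
    return $rc
}

# Stand-alone demo on a constructed directory (not a real system).
demo() {
    work=$(mktemp -d)
    mkdir "$work/etc"
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"      # constructed
    printf 'nameserver 192.0.2.1\n' > "$work/etc/resolv.conf"    # constructed
    baseline "$work/etc" "$work/baseline.db"
    # simulate tampering after the baseline was taken
    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"
    printf 'unexpected\n' > "$work/etc/unexpected-file"
    rm "$work/etc/resolv.conf"
    if check "$work/etc" "$work/baseline.db"; then
        echo "tree matches baseline"
    else
        echo "integrity violations found"
    fi
    rm -rf "$work"
}

demo
```

The check is only as trustworthy as the baseline: if an attacker can rewrite the database after modifying files, the comparison says nothing, which is why the real tools sign the database or store it on read-only media, and why a baseline taken after a compromise simply enshrines it.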
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I wonder how this should help against a backdoor? Backdoors should be eliminated or blocked in some way; is only watching what they send out a solution? I see no real difference in virus, worm, spyware or backdoor.
    Only that a backdoor can present a much bigger problem than e.g. spyware.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Have you tried grsec and rsbac, or the recently added Tomoyo? :p
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343

    Yes I used to run Grsec/PaX on hardened-Gentoo. Never tried Tomoyo or the other one known as SMACK (which I hear has been merged to mainline).

    I find PaX when used in conjunction with compiler protections like SSP and a MAC like SELinux to be very strong. The only problem is PaX is almost too restrictive, thus it can take a lot of tweaking to get all of the apps to work correctly.
     
  11. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    If AppArmor is for newbs then I am still in the womb waiting to pop. :D
    Is it really a must have for someone like me who doesn't run a server, is behind a firewall (Netgear router), uses clamav to scan from time to time, and also runs rkhunter every now and then? (I also have a frontend to iptables in the form of Gufw to deny all incoming plus some outgoing.)
    Was hoping to get away from the time consuming, time wasting Comodo HIPS type of stuff that I tried briefly when I still had Windows XP.

    (No malware has messed with my computer(s) for close on 8 years - that was when I bought my first computer, and I got infected a few times until I took precautions like sandboxing, running progs. like Returnil etc.)
     
  12. tlu

    tlu Guest

    Ocky, you don't need that. Linux is safe out-of-the-box (provided that you stick to the repositories, keep your distro up to date etc.). Bigger threats are definitely browsing-related risks like XSS. No HIPS or whatever can protect against that (use NoScript for Firefox instead).

    At the moment, AppArmor/SELinux and the other tools mentioned just satisfy paranoia, IMHO. They might be useful for a server but are overkill for a desktop system. This may change in the future but right now someone has to convince me that I'm wrong.
     
  13. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    While I agree that sticking to common sense approaches (as you mentioned) will be good enough for most desktop users, the MAC systems do have some benefits that cannot be addressed quite as well by the traditional Unix DAC. For instance, the XSS vulns you mentioned could be stopped dead if Firefox was locked down with AppArmor or SELinux (assuming the user didn't fall for social engineering by purposely entering information into a hijacked site). These MAC systems will not allow the browser (or any other process) to read or write to any file not specifically allowed by the policy. So if there is a browser exploit that allows some malicious code onto the machine, it won't be able to write to any file that is not normally written to by Firefox. This is different than the traditional DAC because the DAC would allow the exploit free rein to /home (or more specifically access to any directory/file with the same level of permissions as the owner of Firefox, which would mean all "user" owned files).

    Furthermore, these MAC systems also protect against privilege escalation (something traditional DAC can't). For instance, let's say an intruder exploits Apache on a webserver and gains a root shell. If Apache has a SELinux or AppArmor policy, even with the root shell, the intruder cannot do anything outside of the scope of Apache. For lack of a better term, it's like a sandbox. Contrast this to what happens if there was no MAC system in place: The attacker exploits Apache, gets his root shell and then can move around the system at will (because the DAC gives privileges based on ownership, so if you own one root level process, you own them all). A MAC doesn't care if you get root, it still won't allow you to move around outside of your confined space.

    Yeah, I don't think we are yet to the point where Joe Schmo should be worrying about a MAC system yet. Perhaps when Linux gains market share. However, some distros are already implementing these systems and turning them on by default. Fedora is probably the best example.

    EDIT:

    You can see a talk and presentation given by the lead developer of AppArmor here. It's pretty interesting.
     
    Last edited: Jun 22, 2009
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    I have never seen an example where you need more than the default nothing on Linux. AppArmor/SELinux and such might be useful for servers, but for desktops, just enjoy yourself.
    Mrk
     
  15. tlu

    tlu Guest

    Hm, I wonder how you would do that with AppArmor or SELinux. XSS uses special cross site scripting vectors. You can defend yourself by disabling scripting and/or through anti-XSS filters - that's what NoScript uses if the respective site is whitelisted. To my knowledge these are the only options you have on the client side. If there is really a MAC way to protect against this threat, I'm highly interested!

    I'm glad that you agree.

    Yes, and I see no reason why one shouldn't use these profiles. My objection was actually targeted against creating own profiles on desktop systems.

    Thanks! I'll watch that.
     
  16. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    You can't prevent it because XSS vulns mostly rely on social engineering. However, if the XSS code attempts to deliver a payload which exploits the browser, a MAC could stop that because it wouldn't allow the browser on the client side to do anything (read/write/execute) that isn't specifically defined in the policy. But for your average everyday XSS scripting attack, there is nothing that can be done from the client side.
     
  17. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    If you go to http://www.howtoforge.com/ and check out some of the tutorials, you will see this statement repeated again and again, and that's for server installations:-
    This is what I don't want - it reminds me of HIPS (Comodo and others) in Windows, i.e. getting work done plus some fun time = 5%; configuring HIPS/IDS etc. = 95%. In other words owning a PC under those conditions would not be an advantage, but an impediment to anybody's daily work (and play) routine. Time wasted is money down the drain for many.
    (I think SuSE has a GUI for AppArmor - http://www.novell.com/documentation/apparmor/apparmor_user/data/bktitleuser.html)
     
  18. My advice:

    1. Install Mandriva 2009 Spring.
    2. Set security level to high, mount /var and /tmp noexec,nosuid.
    3. Be done with it.

    Mandriva has other nice features too. The security stuff is well integrated with the GUI; for instance, if some idiot decides to take a whack at your firewall, the network applet displays a little warning icon, as I discovered back at college. :)
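Step 2 of the advice above (mounting /var and /tmp noexec,nosuid) is easy to set once and then quietly lose to a later fstab edit. The script below is an added example written for this thread, not part of Mandriva or any distribution: a read-only audit that checks whether the fstab entries for /var and /tmp still carry both options. It inspects fstab text rather than the live system and ships with a constructed sample fstab (hypothetical device names), so it runs offline; set `FSTAB_CONTENT` to the real file's contents to audit a machine.

```sh
#!/bin/sh
# Added example, not from the thread: a read-only audit of the
# noexec,nosuid mount hardening recommended for /var and /tmp.
# It inspects fstab text, not the live mounts, so it runs offline against
# the constructed sample below; set FSTAB_CONTENT to audit a real machine.

# Constructed sample fstab (hypothetical devices); /tmp is hardened,
# /var is missing nosuid.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options>                    <dump> <pass>
/dev/sda1       /             ext4   defaults,errors=remount-ro    0      1
/dev/sda2       /var          ext4   defaults,noexec               0      2
tmpfs           /tmp          tmpfs  defaults,noexec,nosuid,nodev  0      0
/dev/sda3       /home         ext4   defaults                      0      2'
FSTAB_CONTENT=${FSTAB_CONTENT:-$SAMPLE_FSTAB}

# has_opt MOUNTPOINT OPTION: prints "yes" if the entry for MOUNTPOINT lists
# OPTION, "no" if it does not, "missing" if there is no entry at all.
has_opt() {
    want_mp=$1; want_opt=$2
    # first non-comment line whose second field is the mount point
    entry=$(printf '%s\n' "$FSTAB_CONTENT" |
            awk -v mp="$want_mp" '$1 !~ /^#/ && $2 == mp { print; exit }')
    if [ -z "$entry" ]; then
        echo missing
        return
    fi
    opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
    # wrap in commas so "noexec" cannot match inside another option name
    case ",$opts," in
        *",$want_opt,"*) echo yes ;;
        *)               echo no  ;;
    esac
}

# audit_mounts: one line per missing option on /var and /tmp; returns 0
# only when both mount points carry both noexec and nosuid.
audit_mounts() {
    rc=0
    for mp in /var /tmp; do
        for opt in noexec nosuid; do
            state=$(has_opt "$mp" "$opt")
            if [ "$state" != yes ]; then
                echo "$mp lacks $opt ($state)"
                rc=1
            fi
        done
    done
    return $rc
}

if audit_mounts; then
    echo "/var and /tmp are configured noexec,nosuid"
else
    echo "fstab needs attention"
fi
```

Two caveats a practitioner would want: fstab is what will be mounted at next boot, not what is mounted now, so pair this with `findmnt -o TARGET,OPTIONS /tmp` (or `mount | grep ' /tmp '`) for the live state; and noexec is not free, since some installers unpack and run helpers from /tmp and Debian-family package managers run maintainer scripts from under /var/lib/dpkg, so test package operations after changing these options.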
     
  19. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I see no reason AppArmor, SELinux, SMACK, Grsecurity or any of the MAC systems would prohibit one from utilizing ISPconfig. In fact, on a server is where one should be using these technologies! If an attacker successfully exploits an open root privileged network daemon (which is easy to do if the server is not updated regularly and many people don't update regularly), it's game over. You're pwned. And even if you do update, there are still 0-days out there and always will be. MAC systems can stop 0-days because they use a whitelisting approach; "Here is what I want my daemon to do and nothing else, even if it is successfully attacked, it can't do what I don't specify in the policy." (However, there are exceptions as I will show below).

    Of course, MACs aren't perfect due to the way the Linux kernel is designed (if you can get a code path to some low level kernel function and if you are good enough to write a proper exploit, you can essentially override a MAC). For instance a couple of months ago, a skilled hacker showed how to totally own a Linux box based on a mere "Denial of Service" vulnerability in the Stream Control Transmission Protocol (SCTP) which is in all kernels before 2.6.28. The scary thing is that the CVE issued for the known vulnerability only listed it as a potential "Denial Of Service" which most kernel devs think of as being nothing but a low-priority nuisance.

    Ubuntu's advisory for the exploit said this:

    Yeah, it's a denial of service as long as you aren't facing off against someone like "SGRAKKYU" who shows on his blog how he used this known "DOS" vuln to completely pwn boxes, even when protected by SELinux and memory hardening protections like the NX bit. Granted very few boxes will have any SCTP application enabled, but the same types of exploits could be written for other "DOS" vulns on services that a lot of people do use.

    But, all things considered, these MAC implementations can help a lot against many different exploits (just not all of them).
     
  20. chronomatic: does that exploit work under PAX/GrSecurity or TOMOYOLinux? If so :eek:
     
  21. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    This is all true but it has no relevance to the readers of this forum. On a security forum for enterprise servers, I don't doubt it could be very important. But I just don't see what purpose it serves here but to scare users unnecessarily.

    Let's face it. As some anti-spam sites found out the hard way, if someone who controls a large botnet decides to shut you down, they WILL shut you down. They can do it simply by bombarding you with traffic. But no one here is ever going to face that sort of attack.

    What people here should be guarding against is becoming PART of a botnet. Botnets are truly dangerous. They could be used by terrorists to shut down our entire infrastructure. Just by becoming a Linux user, people make a giant stride in this direction.
     
    Last edited: Jun 24, 2009
  22. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    It probably works against TOMOYO but it might not work against Grsecurity since GRsecurity does not rely on LSM (instead Grsec is a kernel patch). But I really can't say for sure. I do know that the exploit works even if the NX bit memory hardening feature is on (but PaX does more than that, so I can't speak for PaX).

    My intention is not to scare anyone. In fact, I agree with Mrkvonic who said basically that desktop Linux is fairly safe. The exploit above needs (A) for the machine to be running an SCTP server of some sort and (B) for the machine not to have been patched with the fix. My only point was to reiterate what that exploit author said, and that is that the kernel developers need to take any type of bug where kernel memory corruption takes place very seriously instead of merely labeling them DOS vulnerabilities. As he said, these "DOS" vulns can often lead to complete pwnage, even from a remote attacker.

    But if you're on a desktop and you are behind a firewall with no listening ports, you are pretty safe in general, certainly safer than on a default Windows install.
     
  23. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    I understand where you are coming from but I still feel that newcomers, especially those coming from Windoze, will misinterpret what you are saying and take it to mean that the Windoze people were right all along that Linux isn't really any safer.

    To me, even the use of "fairly safe" instead of "pretty well safe," could be scary to some new users. The chances of a casual Linux user getting a trojan/bot are pretty much nil.
     
  24. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I agree. However, this thread was about "HIPS" on Linux so the conversation naturally got steered toward SELinux, AppArmor, TOMOYO, etc., (which are not really "HIPS" but are more along the lines of MACs, though the terms often are used interchangeably. "HIPS" seems to be more of a Windoze term).

    I like locking down any network facing application on my box with AppArmor, especially Firefox. Now, as you said, the chance of picking up Linux malware through web browsing is next to nil and even if you did it would only affect /home. However, /home can be important for many users, so having that extra layer of protection that a MAC provides can offer reassurance that even if there is a FF exploit that allows some unknown and yet undiscovered Linux malware in, it can't do much, even to /home. But the only reason I do this is because AppArmor is so easy to write profiles for and it comes enabled in Kubuntu by default.
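Posts 13 and 24 both rest on the same property of AppArmor: a confined process gets only what the profile lists, so a compromised browser cannot touch the rest of /home. The profile skeleton below is an added example written for this thread, not a profile shipped by Ubuntu/Kubuntu or the AppArmor project, and it assumes a hypothetical Firefox installed at /usr/lib/firefox/firefox; a real profile for a current Firefox needs many more entries (X/Wayland sockets, D-Bus, GPU devices, plugins).

```apparmor
# Added example, not a distribution's shipped profile. Paths are assumptions
# for a hypothetical Firefox install at /usr/lib/firefox/firefox.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>

  # The browser's own code: read and map, never write.
  /usr/lib/firefox/firefox ixr,
  /usr/lib/firefox/** mr,

  # The only user-owned places the browser may write: its own profile,
  # its cache and the download directory. "owner" also requires the file
  # to belong to the user running the browser.
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/.cache/mozilla/** rwk,
  owner @{HOME}/Downloads/** rw,

  # Everything not listed in this profile is already denied. Explicit deny
  # rules for the files a browser exploit would go after make that intent
  # visible and keep those refusals out of the audit log.
  deny @{HOME}/.ssh/** rwklx,
  deny @{HOME}/.gnupg/** rwklx,
  deny @{HOME}/.bash_history rwkl,

  # Network access needed for browsing.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
}
```

The usual way to build such a profile is to load it in complain mode (`aa-complain /usr/lib/firefox/firefox`), use the browser normally, and let `aa-logprof` turn the logged would-be denials into rules, switching to enforce mode (`aa-enforce`) only once the log is quiet. The important decision is the write list: every `rw` path added for convenience is a place a compromised browser can persist or stash data, which is exactly the exposure the profile exists to shrink.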
     
  25. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    Again, I'm in total agreement with what you are saying. But I've seen MS shills post seemingly innocent security questions, with the real intent of confusing casual users. I wouldn't be at all surprised to see one quote portions of your post, out of context, with the headline, "Linux Expert Agrees Linux Not Safe.":doubt: It wouldn't be the first time.
     