[rsbac] RSBAC HIDS ?

Murf murf at rsbac.org
Sat Jul 16 16:41:54 CEST 2005


frealek wrote:
> Hello,
> 
> Is anyone aware of Tiger's features as a HIDS ?
> I wonder if it would be possible to integrate a host intrusion detection 
> system into RSBAC's arch, because any user-land HIDS is not trustable, 
> using it in a secure kernel would be great
> 
> What would be the best imho is to select a set of nice features from 
> Tiger, seccheck (SUSE), checksecurity (OpenBSD), chkrootkit, rkhunter, 
> ... and create an RSBAC HIDS module
> 
> 
> suggestions, critics, notes, all appreciated
> 
> PD : does this kind of stuff already exist in RSBAC ?
> 

Hello!

I have been thinking for some time about HIDS integrity checkers
like AIDE or Mtree (checking md5sum, mtime, atime, ctime etc.)
and others implemented as a module in the RSBAC framework.

It would get rid of numerous disadvantages in userland integrity
checkers. If we look back into the history, we can see some "nice"
examples of compromising Debian servers by modifying /sbin/init
and running the well-known SuckIT rootkit.
That was the situation where Debian maintainers saw the problem
by using AIDE and also by frequently oopsing the kernels.
But we were able to see that they spotted the problem when
it was too late. That's the fact.

The problem of userland checkers is the inability of "runtime checking",
therefore these tools in fact aren't too suitable in
security manner. The implementation of some of the features
right into the kernel and the "be runtime" would help this
type of "security tools" situation very much.

But there are also other things that HIDS would contain,
e.g. logcheckers would be also nice, but they wouldn't probably
be easy to implement or today's benefit could be lower than
the effort put into it. I'm talking about statistical data
repository and reaction to some types of events which rise over
the standard level gained by learning mode. Some type of triggers.
Here we come to statistical analysis and also to AI methods
well-known in computer science. I also saw some ideas
of using genetic algorithms to implement the determination
of attacks with some kind of a manual learning component.
The implementation of the triggers of such kind still needs some testing
and a proof of usability and contribution.

Please keep in mind that the additional features have to provide
a real-time reaction and not a reaction in time when it's too late,
as the majority of today's HIDS userland components do.
It wouldn't help the so called "proactive" security ;)
(please don't associate it with OBSD here).

Rgds,

Murf
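The AIDE/mtree-style integrity checker Murf refers to (hash plus mtime/ctime/mode per file, baseline snapshot compared against a later scan) as an added illustration; this is example code written for this page, not RSBAC code or any existing tool. It uses SHA-256 in place of the md5sum mentioned above, and the `snapshot`/`compare` function names are its own. It also shows the userland limitation the post describes: it only sees what differs between two scans, so a change made and reverted between scans, or a replaced /sbin/init that has already run, goes unnoticed.

```python
"""AIDE/mtree-style file integrity checker: take a baseline, compare later."""
import hashlib
import stat
from pathlib import Path

# Attributes recorded per file. sha256/size flag content changes, mode/uid
# flag permission or ownership changes, mtime/ctime flag in-place edits.
# ctime is useful because utime() cannot set it back, while mtime can be.
FIELDS = ("sha256", "size", "mode", "uid", "mtime_ns", "ctime_ns")


def _record(path: Path) -> dict:
    """Hash and stat one regular file (lstat so symlinks are not followed)."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,
    }


def snapshot(root) -> dict:
    """Map relative path -> attribute record for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): _record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'changed' lists which recorded fields differ per file."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        diff = [f for f in FIELDS if baseline[name][f] != current[name][f]]
        if diff:
            changed[name] = diff
    return {"added": added, "removed": removed, "changed": changed}
```

Persisting the baseline is what the tools on this page do with a signed or offline database; a baseline kept on the same host is itself an attack target, which is the argument for moving the check into the kernel.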
