pyHIDS
Presentation
pyHIDS is a HIDS (host-based intrusion detection system) for verifying the integrity of a system. It uses an RSA signature to check the integrity of its database. Alerts are written in the logs of the system and can be sent via email to a list of users. You can define rules to specify files to be checked periodically.
It is recommended to use Python >= 3.3.
Features
- checks the integrity of system's files with a list of rules;
- checks the output of commands (iptables, ...);
- uses an RSA signature to check the integrity of its database;
- alerts are written in the logs of the system;
- alerts can be sent via email to a list of users;
- alerts can be sent on IRC channels through the irker IRC client (which should be running as a daemon);
- alerts can be sent to a Bitmessage address.
Requirement
pyHIDS only requires the Pure-Python RSA implementation.
$ sudo pip install rsa
Configuration
The configuration is really easy. First get pyHIDS source code and copy the sample configuration file:
$ git clone https://github.com/cedricbonhomme/pyHIDS.git
$ cd pyHIDS/
$ cp ./conf.cfg-sample ./conf.cfg
Then edit the file conf.cfg:
[globals]
nb_bits = 752
[irc]
channel = irc://chat.freenode.net/#testpyHIDS
host = localhost
port = 6659
[email]
enabled = 0
mail_from = [email protected]
mail_to = you_address
smtp = SMTP_server
username = your_username
password = your_password
[bitmessage]
from = BM-2DCutnUZG16WiW3mdAm66jJUSCUv88xLgS
to = BM-Gtsm7PUabZecs3qTeXbNPmqx3xtHCSXF
enabled = 0
apiport = 8442
apiinterface = 127.0.0.1
apiusername = chelsea
apipassword = YourSuperPassw6rd-ChangeThIs-022w3eksssoQAWfasddswwWIU
[files]
file1 = /etc/crontab
file2 = /boot/grub/grub.cfg
file3 = /etc/shadow
file4 = /etc/networks
[rules]
rule1 = conf$ /etc
rule2 = list /etc/apt
rule3 = .* /bin
[commands]
iptables = /sbin/iptables -L
Description of the sections:
- globals: set the number of bits of the RSA keys;
- irc: configure notifications sent via IRC;
- email: configure the email notifications. Set the value of "enabled" to 1 to activate notifications;
- bitmessage: configure notifications sent via Bitmessage (more information);
- files: list of files to scan;
- rules: regular expression to specify files in a folder;
- commands: command's output to check.
Example of use
$ ./genKeys.py
Generating 752 bits RSA keys ...
Dumping Keys
Done.
$ ./genBase.py
Generating database...
543 files in the database.
$ ./pyHIDS.py
Modify a character in the file /etc/httpd/conf/httpd.conf and relaunch the program:
$ ./pyHIDS.py
[01/03/13 15:05:31] [warning] /etc/httpd/conf/httpd.conf changed.
The program warns that the file has changed. When this happens, a warning is generated in the logs /var/log/syslog and a mail is sent to the administrator. If no change is detected only the log file is updated.
Automatic execution
Use the time-based job scheduler, Cron, in order to schedule system scans. In your shell enter the command:
$ crontab -e
And add the following line to check the integrity of the system every fifty minutes:
*/50 * * * * cd $pyHIDS_path ; ./pyHIDS.py
After each system check, pyHIDS sends a report to the administrators. In the case of an attacker who has deleted the cron line, for example.
License
pyHIDS is under GPLv3 license.
Copyright (C) 2010-2018 Cédric Bonhomme