The Next Stage in Linux IDS - Prelude-IDS and Auditd

Gary Smith

A host-based intrusion detection system (HIDS) detects changes to file system objects. When first initialized, most HIDS scan the file system as directed by the administrator and store information on each scanned file in a database. Later the same files are scanned again and the results compared against the stored values. Changes are reported to the user. While this approach is useful, it does not capture other information an investigator needs: when the file actually changed, who changed it, and how it was changed.

Using freely available Open Source Software, such as Prelude-IDS and auditd, it's possible to construct a HIDS that not only captures changes to file system objects, but also when the file changed, by whom it was changed and how it was changed. While useful for detecting intrusions after the event, HIDS can also serve many other purposes: integrity assurance, change management, and policy compliance.
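As an added example (not code from the talk, Prelude-IDS or auditd), the two steps the abstract describes in Python: a hash baseline compared on rescan, then each changed path joined to constructed auditd-style SYSCALL/PATH records to supply when, who (the login uid, auid) and how. The record field names follow auditd's log format; the log lines, paths and contents are constructed for the example.

```python
import hashlib
import re
# Constructed auditd-style records (not from the page). A SYSCALL record and its
# PATH records share the msg=audit(TIMESTAMP:SERIAL) key; auid is the login uid.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=257 success=yes auid=1000 uid=0 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1700000000.123:501): item=1 name="/etc/hosts" nametype=NORMAL
type=SYSCALL msg=audit(1700000050.456:502): arch=c000003e syscall=82 success=yes auid=1001 uid=1001 comm="mv" exe="/usr/bin/mv"
type=PATH msg=audit(1700000050.456:502): item=2 name="/etc/passwd" nametype=CREATE
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')

def parse_audit(text):
    """Join SYSCALL and PATH records by serial; return {path: {when, who, how}}."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events.setdefault(m.group(2), {"when": int(m.group(1)), "paths": []})
        if kv.get("type") == "SYSCALL":
            ev["who"] = kv.get("auid")          # login uid survives su/sudo
            ev["how"] = f'{kv.get("comm")} (syscall {kv.get("syscall")})'
        elif kv.get("type") == "PATH":
            ev["paths"].append(kv.get("name"))
    return {p: {"when": ev["when"], "who": ev.get("who"), "how": ev.get("how")}
            for ev in events.values() for p in ev["paths"]}

def baseline(files):
    """Initial scan: record a SHA-256 per file (a dict path->bytes stands in for the fs)."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def compare(base, current, audit_by_path):
    """Rescan: report added/removed/modified files, each with its audit context."""
    findings = []
    for p in sorted(set(base) | set(current)):
        if p not in current:
            state = "removed"
        elif p not in base:
            state = "added"
        elif base[p] != current[p]:
            state = "modified"
        else:
            continue
        ctx = audit_by_path.get(p, {"when": None, "who": None, "how": None})
        findings.append({"path": p, "state": state, **ctx})
    return findings
```

A file that changed without a matching audit record (the removed file here) is reported with empty context, which is itself worth alerting on: it means the audit rules did not cover that path.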