I'm about to go traveling with an Arch laptop, and between hotels and borders, I'd like to know if somebody has messed with my machine while I wasn't looking. I'm looking for (software) recommendations.
Assume I only run Arch stock packages.
Years ago I used tripwire, but that project seems to have gone sideways?
Do what Tripwire does, make hashes of all files and compare them to new hashes, if you suspect intrusion.
I'd much rather write new code than code others have written already :-) Apparently other than tripwire, AIDE, Ossec and Samhain are options, of which only AIDE exists in the Arch repos so I guess I'll try that one.
I'd most prefer an option to pacman, because pacman already knows what files there should be, what their hash should be, and (at least partially) which may or may not change. Apparently that was discussed before in the bug tracking system, although I can't find the link right now.
> I'm about to go traveling with an Arch laptop, and between hotels and borders, I'd like to know if somebody has messed with my machine while I wasn't looking. I'm looking for (software) recommendations.
> Assume I only run Arch stock packages.
> Years ago I used tripwire, but that project seems to have gone sideways?
You haven't really formulated the problem. What are your requirements:
* Do you need to do important stuff (like admin'ing of your servers, logging into your home network, email, etc) with that laptop while on the road?
* Do you have a trusted machine available?
* On your return, do you have a chance to recover the installation if necessary?
* What kind of attack do you expect? And what does it mean "not looking"?
You see, the fundamental problem with _any_ IDS is that you need a trusted machine to verify hashes from. You can't do this from your laptop that you suspect has been attacked. Moreover, this is a slow process that you won't be able to do often, so it is not a practical day to day protection.
My advice would be:
* If you absolutely must take a trusted system, then use a _full-drive_ encryption. Your /boot partition _must_ reside on a usb/cdrom that you always keep with you. This way only HW-based attacks are possible. An important thing to remember in this case is to _never_ leave your machine in suspend/hibernate -- always turn it off when not in use.
* Use a spare HDD and install a disposable system there (you'll wipe it on return). You will _not_ use it for anything important, so your servers etc will have to be autonomous for some time. Take care of email and related things somehow (for instance, when I travel I typically tell people that next two weeks I'll be off email)...
* By all means, go with an IDS but do have a trusted system at home for verification. Also keep in mind that _with Arch_ it is often faster to back up your data, reinstall, and recover the data, instead of verifying the system integrity.
And as always, keep backups and try not to have binary data...
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Never mind the data / e-mail / including crypto secrets, I have a plan for that one (which basically boils down to not put any data on the machine).
In this post, I'm just trying to figure out things like somebody putting a key logger on the machine. I would be perfectly fine if, while traveling, I'd only catch the not-so-smart crooks (i.e. the ones that didn't also compromise the IDS) and I put off the full verification once I'm back home, using a different machine. Once home, I'm happy to do a clean re-install.
> Never mind the data / e-mail / including crypto secrets, I have a plan for that one (which basically boils down to not put any data on the machine).
> In this post, I'm just trying to figure out things like somebody putting a key logger on the machine. I would be perfectly fine if, while traveling, I'd only catch the not-so-smart crooks (i.e. the ones that didn't also compromise the IDS) and I put off the full verification once I'm back home, using a different machine. Once home, I'm happy to do a clean re-install.
It's not only what you put on the machine, but what you enter, e.g. passwords, ssh/gpg passphrases, etc. If those secrets are not important to you, then why do you even care about keyloggers? Just reinstall on return...
The question that you have to ask yourself is how are you going to detect said (software) keylogger when _not at home_? The only quick way, that I am aware of, is to fully encrypt the HDD (so any tampering will be apparent). And unless you are going to deal with kids, the IDS that lives on your laptop will be compromised (in the event of an attack)...
But if you really want to go with an IDS, then while at home, boot from a livecd, do something like "find / -type f -exec sha256sum '{}' \; > /tmp/hash-in" and then compare with this file upon returning.
Last edited by Leonid.I (2015-12-01 02:37:36)
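The baseline-and-compare approach from the reply above, written out as an added example (not code from the thread): a baseline of SHA-256 hashes is taken from a trusted environment, and a fresh scan is diffed against it on return, reporting added, removed and changed files rather than relying on eyeballing two hash lists. Function names, the temporary demo tree and the planted changes are constructed for illustration; the hashes only mean something if both the baseline and the comparison are produced by a system the suspect disk could not have altered.

```shell
#!/bin/sh
# Added example (not from the thread): take a file-hash baseline from a trusted
# environment (e.g. a live CD at home, as suggested in the post) and diff it
# against a fresh scan on return. The demo tree at the end is constructed.
set -eu

# Hash every regular file under ROOT into OUT as "hash  path", sorted by path.
# Paths are relative to ROOT, so a baseline taken with the disk mounted at /mnt
# from a live medium compares cleanly against a later scan of the same tree.
make_baseline() {
    root=$1; out=$2
    (cd "$root" && find . -type f -exec sha256sum '{}' \;) | LC_ALL=C sort -k 2 > "$out"
}

# Compare two baselines; print ADDED/REMOVED/CHANGED per path and return 1 if
# anything differs. The path starts at column 67 (64 hex chars + two spaces),
# which keeps paths containing spaces intact.
compare_baselines() {
    awk '
        NR == FNR { before[substr($0, 67)] = $1; next }   # first file: baseline
        {
            p = substr($0, 67)
            if (!(p in before))       { print "ADDED   " p; diff = 1 }
            else if (before[p] != $1) { print "CHANGED " p; diff = 1 }
            delete before[p]
        }
        END {
            for (p in before) { print "REMOVED " p; diff = 1 }
            exit (diff ? 1 : 0)
        }
    ' "$1" "$2"
}

# Constructed demonstration: a tiny tree, a baseline, then the three kinds of
# change an integrity check must catch (modified binary, planted file, removed file).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tree/usr/bin" "$tmp/tree/etc"
    printf 'original binary\n' > "$tmp/tree/usr/bin/tool"
    printf 'config\n' > "$tmp/tree/etc/app.conf"
    make_baseline "$tmp/tree" "$tmp/before.sha256"
    printf 'tampered binary\n' > "$tmp/tree/usr/bin/tool"
    printf 'planted\n' > "$tmp/tree/usr/bin/extra"
    rm "$tmp/tree/etc/app.conf"
    make_baseline "$tmp/tree" "$tmp/after.sha256"
    compare_baselines "$tmp/before.sha256" "$tmp/after.sha256" || true
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh script.sh demo` to see the three report lines; for real use, keep the baseline file off the laptop (the USB stick that carries /boot is a natural place).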
> I'd most prefer an option to pacman, because pacman already knows what files there should be, what their hash should be
pacman -Qkk
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
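To make the `pacman -Qkk` suggestion above usable as a check, here is an added example (not from the thread) that triages its output: lines marked `backup file:` are config files in the package's backup list, which pacman expects to change, while `warning:` lines are package-owned files that should never differ from what was installed. The function name and the sample output are constructed; note also that `-Qkk` compares against the local package database on the same disk, so like the on-laptop IDS discussed earlier it is only conclusive when both pacman and that database are read from a trusted environment.

```shell
#!/bin/sh
# Added example (not from the thread): triage `pacman -Qkk` output. Lines marked
# "backup file:" are config files pacman expects to change (the package's backup
# list); "warning:" lines are package-owned files that should not have changed.
# The sample output below is constructed for illustration.
set -eu

# Read pacman -Qkk output on stdin (warnings go to stderr, so pipe with 2>&1),
# print "package path reason" for each non-backup mismatch, return 1 if any.
triage_qkk() {
    awk '
        /^warning: / {
            line = substr($0, 10)                        # strip "warning: "
            pkg  = substr(line, 1, index(line, ": ") - 1)
            rest = substr(line, index(line, ": ") + 2)   # "path (reason)"
            if (match(rest, / \([^)]*\)$/)) {
                path   = substr(rest, 1, RSTART - 1)
                reason = substr(rest, RSTART + 2, RLENGTH - 3)
                printf "%s %s %s\n", pkg, path, reason
                n++
            }
        }
        END { exit (n ? 1 : 0) }
    '
}

# Constructed sample in the shape pacman prints: two altered package files,
# one altered backup (config) file, and the per-package summary lines.
SAMPLE='warning: glibc: /usr/lib/libc.so.6 (Size mismatch)
backup file: pacman: /etc/pacman.conf (Modification time mismatch)
warning: openssh: /usr/bin/ssh (Modification time mismatch)
glibc: 1234 total files, 1 altered file
pacman: 345 total files, 1 altered file
openssh: 120 total files, 1 altered file'

demo() {
    # Real use on the running system:   pacman -Qkk 2>&1 | triage_qkk
    # From a trusted live medium with the laptop disk mounted on /mnt, so that
    # a pacman the disk cannot have altered reads the disk's own database:
    #   pacman -Qkk --root /mnt --dbpath /mnt/var/lib/pacman 2>&1 | triage_qkk
    printf '%s\n' "$SAMPLE" | triage_qkk || true
}

if [ "${1:-}" = demo ]; then demo; fi
```

Files that were never part of any package (a planted binary in /usr/local, a new systemd unit) do not appear in `-Qkk` output at all, which is why a whole-tree hash baseline is still worth keeping alongside it.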