Presentation  
Time/Room Sunday   11:00   Haskell-103 Capacity 40 Duration 1.50 hr
Title Host Integrity Monitoring and Intrusion Detection Category Security
Speaker Gary Smith Sponsor Pacific NW National Laboratory
Details A host-based intrusion detection system (HIDS) detects changes to file system objects. When first initialized, most HIDS scan the file system as directed by the administrator and store information on each file scanned in a database. At a later date the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user. Cryptographic hashes are employed to detect changes in a file without storing the entire contents of the file in the database. While this technique of HIDS is useful, it does not provide other useful information such as when the file actually changed, who changed it, and the mechanism of change. Using freely available Open Source Software, such as syslog-ng, and native operating system features such as auditd, it is possible to construct a HIDS that not only captures changes to file system objects, but also when the file changed, by whom it was changed and how it was changed. While useful for detecting intrusions after the event, HIDS can also serve many other purposes, such as integrity assurance, change management, and policy compliance.
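As an added illustration of the baseline-and-compare loop the abstract describes (example code written for this page, not the speaker's or PNNL's; the names build_baseline, compare_to_baseline and demo are hypothetical, and the directory tree in demo is constructed), the script below records a SHA-256 digest plus size and mode for each regular file, then reports added, removed and modified paths on a rescan:

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 a file in chunks so large files never have to be read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """The 'database': per regular file keep digest, size and mode, never contents."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks and special files
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": st.st_size, "mode": st.st_mode}
    return baseline

def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Rescan; report added/removed/modified, comparing mode too (a setuid flip leaves the hash intact)."""
    current = build_baseline(root)
    modified = [rel for rel in current.keys() & baseline.keys()
                if (current[rel]["sha256"], current[rel]["mode"])
                != (baseline[rel]["sha256"], baseline[rel]["mode"])]
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(modified)}

def demo() -> dict:
    """Constructed walkthrough: baseline a fake tree, change it, then compare."""
    with tempfile.TemporaryDirectory() as fs:
        etc, bin_ = Path(fs, "etc"), Path(fs, "bin"); etc.mkdir(); bin_.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (bin_ / "ls").write_bytes(b"stub-binary")
        baseline = build_baseline(fs)
        # Later changes: content edit, new file, deletion, and a permission-only change.
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\nextra:x:1001:1001::/:/bin/sh\n")
        (etc / "rc.local").write_text("#!/bin/sh\n")
        (etc / "hosts").unlink()
        os.chmod(bin_ / "ls", 0o4755)
        return compare_to_baseline(fs, baseline)
```

The report says what changed but, as the abstract notes, not when, by whom or how; that is the gap auditd and syslog-ng are meant to close.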

Presentation Schedule     linuxfestnorthwest.org