A host-based intrusion detection system.
Project description
pyHIDS
Presentation
pyHIDS is a HIDS (host-based intrusion detection system) for verifying the integrity of a system.
It is possible to use an RSA signature to check the integrity of its database.
Alerts are written in the logs of the system and can be sent via email to a list of users. You can define rules to specify files to be checked.
It is recommended to use Python >= 3.11.
Features
- checks the integrity of system's files with a list of rules;
- checks the output of commands (iptables, ...);
- possibity to use RSA to sign to check the integrity of its database;
- alerts are written in the logs of the system;
- alerts can be sent via email to a list of users;
- alerts can be sent on IRC channels through the irker IRC client (which should be running as a daemon);
- verify files with Hashlookup, Pandora, and MISP.
Installation
You can simply use pipx or poetry.
$ pipx install pyHIDS
$ export PYHIDS_CONFIG=~/.pyHIDS/conf.cfg
An example of configuration file is available. With this file you can configure:
- the connection to Hashlookup;
- the connection to Pandora;
- the IRC connection for the notifications;
- the SMTP connection for the email notifications;
- the list of files to scan;
- the regular expressions to specify files to scan in a folder;
- the command's output to check.
Usage
$ pyhids gen-keys --size 2048
Generating 2048 bits RSA keys ...
Dumping Keys
Done.
$ pyhids gen-base --sign
Generating database...
2427 files in the database.
$ pyhids run --check-signature
Verifying the integrity of the base of hashes...
Database integrity verified.
Verifying the integrity of the files...
You can skip the first step (generation of the keys) if you do not want to sign the database with the solution provided with pyHIDS (RSA) or if you do not want to sign the database.
Change a monitored file and relaunch the program:
$ pyhids run
Verifying the integrity of the files...
[07/19/23 15:05:31] [warning] /etc/httpd/conf/httpd.conf changed.
The program warns that the file has changed. When this happens, a warning is generated in the logs /var/log/syslog and a mail is sent to the administrator. If no change is detected only the log file is updated.
Log file generated:
$ tail log
[18/07/23 22:34:25] [notice] /bin/tload ok
[18/07/23 22:34:25] [notice] /bin/mbim-network ok
[18/07/23 22:34:25] [notice] /bin/preparetips5 ok
[18/07/23 22:34:25] [notice] /bin/grub-file ok
[18/07/23 22:34:25] [notice] /bin/xclip ok
[18/07/23 22:34:25] [notice] /bin/pamperspective ok
[18/07/23 22:34:25] [notice] /bin/pod2usage ok
[18/07/23 22:34:25] Error(s) : 0
[18/07/23 22:34:25] Warning(s) : 0
[18/07/23 22:34:25] HIDS finished.
Other features
Check for known malicious files with Hashlookup, Pandora or MISP.
$ pyhids hashlookup
$ pyhids pandora
$ pyhids misp
Automatic execution
Use the time-based job scheduler, Cron, in order to schedule system scans. In your shell enter the command:
$ crontab -e
And add the following line to check the integrity of the system every fifty minutes:
*/50 * * * * pyhids run
After each system check, pyHIDS sends a report to the administrators. In the case of an attacker who has deleted the cron line, for example.
License
pyHIDS is under GPLv3 license.
Copyright (C) 2010-2023 Cédric Bonhomme
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
