Host-based intrusion detection system comparison

Comparison of host-based intrusion detection system components and systems.

Free and open-source software

In keeping with the Unix philosophy, a good HIDS is composed of multiple packages, each focusing on a specific aspect; the File, Network, Logs and Config columns below record which of those aspects each package covers, and the repository columns record whether it ships in the distribution's official repositories.

| Package | Updated | Ubuntu Official Repositories | CentOS Official Repositories | openSUSE Official Repositories | File | Network | Logs | Config | Notes |
|---|---|---|---|---|---|---|---|---|---|
| OSSEC | 2022 | No [1] | No [2] | Yes [3] | Yes | Yes | Yes | Yes | |
| Wazuh | 2022 | No | No | ? | Yes | Yes | Yes | Yes | |
| Samhain | 2021 | Yes [4] | No | Yes [5] | Yes | No | Partial [6] | | |
| Snort | 2018 | Yes [7] | No [8] | No | No | Yes | No | | |
| chkrootkit | 2023 | Yes [9] | No | Yes | Yes | No | Partial [10] | | |
| rkhunter | 2018 | Yes [11] | Yes [12] | Yes | Yes | No | No | Yes | |
| unhide [13] | 2012 | Yes [14] | Yes [15] | Yes | No | No | No | | proc ps compare |
| Sguil | 2017 | No | No | No | No | Yes | No | | |
| Logwatch [16] | 2017 | Yes [17] | Yes [18] | Yes | No | No | Yes | | |
| Logcheck [19] | 2017 | Yes [20] | Yes [21] | Yes | No | No | Yes | | |
| Epylog [22] | 2014 | Yes [23] | Yes [24] | Yes | No | No | Yes | | |
| SWATCH [25] | 2015 | Yes [26] | Yes [27] | Yes | No | No | Yes | | |
| sagan | 2021 | Yes [28] | No | No | No | No | Yes | | |
| aide | 2023 | Yes [29] | Yes [30] | Yes | Yes | No | No | | |
| tripwire | 2018 | Yes [31] | Yes [32] | Yes | Yes | No | No | | |
| Tiger | 2018 | Yes [33] | No | No | Yes | No | No | Yes | 3 of 42 modules are Debian-specific. |

Proprietary software

| Package | Year [34] | Linux | Windows | File | Network | Logs | Config | Notes |
|---|---|---|---|---|---|---|---|---|
| Lacework | 2018 | Yes | No | Yes | Yes | Yes | Yes | |
| Verisys | 2018 | Yes | Yes | Yes | Yes | Yes | | |
| Nessus | 2017 | Yes | Yes | Yes | | | | |
| Atomicorp | 2019 | Yes | Yes | Yes | Yes | Yes | Yes | Commercially enhanced version of OSSEC |
| Spartan | 2021 | No | Yes | Yes | Yes | Yes | Yes | WebSocket API, IP-to-country mapping, DynDNS integration |

References

  1. "Downloads OSSEC". OSSEC. Retrieved 2017-10-19. OSSEC for Debian Based systems
  2. "Downloads OSSEC". OSSEC. Retrieved 2017-10-29. OSSEC for RHEL/Fedora Based systems
  3. "ossec-hids". openSUSE OBS. Retrieved 2024-08-11. An Open Source Host-based Intrusion Detection System
  4. "Samhain". Ubuntu. Retrieved 2017-04-19. Samhain in the Ubuntu Repositories
  5. "Samhain". openSUSE OBS. Retrieved 2024-08-11. File integrity and host-based IDS
  6. Last
  7. "Snort". Ubuntu. Retrieved 2017-04-19. Snort in the Ubuntu Repositories
  8. "Snort". Cisco Systems. Retrieved 2017-05-31. Snort in the CentOS Repositories
  9. "ChkRootkit". Ubuntu. Retrieved 2017-04-19. ChkRootkit in the Ubuntu Repositories
  10. lastlog, wtmp, utmp, wtmpx
  11. "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the Ubuntu Repositories
  12. "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the CentOS Repositories
  13. "unhide". debian. Retrieved 2017-04-17. unhide is notable because it's part of Debian and Fedora
  14. "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the Ubuntu Repositories
  15. "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the CentOS Repositories
  16. "Logwatch". debian. Retrieved 2017-04-17. Logwatch is notable because it's part of Debian and Fedora
  17. "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the Ubuntu Repositories
  18. "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the CentOS Repositories
  19. "Logcheck". debian. Retrieved 2017-04-17. Logcheck is notable because it's part of Debian and Fedora
  20. "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the Ubuntu Repositories
  21. "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the CentOS Repositories
  22. "Epylog". debian. Retrieved 2017-04-17. Epylog is notable because it's part of Debian and Fedora
  23. "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the Ubuntu Repositories
  24. "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the CentOS Repositories
  25. "SWATCH". debian. Retrieved 2017-04-17. SWATCH is notable because it's part of Debian and Fedora
  26. "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the Ubuntu Repositories
  27. "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the CentOS Repositories
  28. "Sagan". Ubuntu. Retrieved 2017-04-19. Sagan in the Ubuntu Repositories
  29. "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the Ubuntu Repositories
  30. "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the CentOS Repositories
  31. "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu Repositories
  32. "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the CentOS Repositories
  33. "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu Repositories
  34. Last updated