Comparison of host-based intrusion detection system components and systems.
As per the Unix philosophy, a good HIDS is composed of multiple packages, each focusing on a specific aspect.
| Package | Updated | Ubuntu Official Repositories | CentOS Official Repositories | File | Network | Logs | Config | Notes |
|---|---|---|---|---|---|---|---|---|
| OSSEC | 2022 | No [1] | No [2] | Yes | Yes | Yes | Yes | |
| Wazuh | 2022 | No | No | Yes | Yes | Yes | Yes | |
| Samhain | 2021 | Yes [3] | No | Yes | No | Partial [4] | | |
| Snort | 2018 | Yes [5] | No [6] | No | Yes | No | | |
| chkrootkit | 2023 | Yes [7] | No | Yes | No | Partial [8] | | |
| rkhunter | 2018 | Yes [9] | Yes [10] | Yes | No | No | Yes | |
| unhide [11] | 2012 | Yes [12] | Yes [13] | No | No | No | | proc ps compare |
| Sguil | 2017 | No | No | No | Yes | No | | |
| Logwatch [14] | 2017 | Yes [15] | Yes [16] | No | No | Yes | | |
| Logcheck [17] | 2017 | Yes [18] | Yes [19] | No | No | Yes | | |
| Epylog [20] | 2014 | Yes [21] | Yes [22] | No | No | Yes | | |
| SWATCH [23] | 2015 | Yes [24] | Yes [25] | No | No | Yes | | |
| sagan | 2021 | Yes [26] | No | No | No | Yes | | |
| aide | 2023 | Yes [27] | Yes [28] | Yes | No | No | | |
| tripwire | 2018 | Yes [29] | Yes [30] | Yes | No | No | | |
| Tiger | 2018 | Yes [31] | No | Yes | No | No | Yes | 3/42 modules are Debian specific. |

| Package | Year [32] | Linux | Windows | File | Network | Logs | Config | Notes |
|---|---|---|---|---|---|---|---|---|
| Lacework | 2018 | Yes | No | Yes | Yes | Yes | Yes | |
| Verisys | 2018 | Yes | Yes | Yes | Yes | Yes | | |
| Nessus | 2017 | Yes | Yes | Yes | | | | |
| Atomicorp | 2019 | Yes | Yes | Yes | Yes | Yes | Yes | Commercially enhanced version of OSSEC |
| Spartan | 2021 | No | Yes | Yes | Yes | Yes | Yes | Websocket API, IP to Country mapping, DynDNS Integration |
A Linux distribution is an operating system made from a software collection that includes the Linux kernel and often a package management system. Linux users usually obtain their operating system by downloading one of the Linux distributions, which are available for a wide variety of systems ranging from embedded devices and personal computers to powerful supercomputers.
Ubuntu is a Linux distribution based on Debian and composed mostly of free and open-source software. Ubuntu is officially released in multiple editions: Desktop, Server, and Core for Internet of Things devices and robots. The operating system is developed by the British company Canonical, and a community of other developers, under a meritocratic governance model. As of October 2023, the most-recent release is 23.10, and the current long-term support release is 22.04.
Technical variations of Linux distributions include support for different hardware devices and systems or software package configurations. Organizational differences may be motivated by historical reasons. Other criteria include security, including how quickly security upgrades are available; ease of package management; and number of packages available.
CPython is the reference implementation of the Python programming language. Written in C and Python, CPython is the default and most widely used implementation of the Python language.
rkhunter is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories, wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable due to its inclusion in popular operating systems.
Compiz is a compositing window manager for the X Window System, using 3D graphics hardware to create fast compositing desktop effects for window management. Effects, such as a minimization animation or a cube workspace, are implemented as loadable plugins. Because it conforms to the ICCCM conventions, Compiz can be used as a substitute for the default Mutter or Metacity, when using GNOME Panel, or KWin in KDE Plasma Workspaces. Internally Compiz uses the OpenGL library as the interface to the graphics hardware.
Upstart is a discontinued event-based replacement for the traditional init daemon—the method by which several Unix-like computer operating systems perform tasks when the computer is started. It was written by Scott James Remnant, a former employee of Canonical Ltd. In 2014, Upstart was placed in maintenance mode, and other init daemons, such as systemd, were recommended in place of Upstart. Ubuntu moved away from Upstart with the release of version 15.04 in favor of migrating to systemd. As of March 2023, there have been no updates released for Upstart since September 2014.
The Advanced Intrusion Detection Environment (AIDE) was initially developed as a free replacement for Tripwire licensed under the terms of the GNU General Public License (GPL).
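The file-integrity checking that rkhunter (hash comparison of important files), AIDE and Tripwire perform in the "File" column above comes down to one loop: record a baseline of hashes and metadata, re-walk the tree later, and report what was added, removed or altered. The following Python script is an added illustration of that loop and is not code from rkhunter, AIDE or any other tool in the table. It uses SHA-256 rather than the SHA-1 mentioned for rkhunter (an assumption made here), records mode, owner and size alongside the hash, and runs against a constructed temporary directory so it works offline.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash a file's contents and capture the metadata an integrity checker compares.

    SHA-256 is an assumption of this example (the rkhunter description mentions SHA-1).
    Mode, owner and size are recorded because a changed mode or owner on, say, a
    setuid binary matters as much as changed content.
    """
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "size": st.st_size,
    }


def build_baseline(root: Path) -> dict:
    """Walk `root` and record every regular file, keyed by its path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added/removed paths and, for changed paths, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline: dict, dest: Path) -> None:
    # A real deployment keeps this database off-host or read-only; a local
    # attacker who can rewrite it can hide every change.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "etc.conf").write_text("PermitRootLogin no\n")
        os.chmod(root / "etc.conf", 0o644)  # fixed mode so the result does not depend on umask
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db)

        # Simulated changes: same-size content swap, mode change, new file, deleted file.
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary")  # 18 bytes, as before
        os.chmod(root / "etc.conf", 0o600)
        (root / "bin" / "hidden").write_bytes(b"new file")
        (root / "bin" / "ls").unlink()

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The replaced `bin/ps` keeps its original size, so a size-or-mtime-only check would miss it; only the hash reveals the change, which is why the tools above store content hashes rather than timestamps alone.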
Plymouth is an application which provides a graphical boot experience for Linux. Plymouth supports animations using Direct Rendering Manager (DRM) and the KMS driver. Plymouth is bundled with an initial ramdisk which allows it to run before the file system is mounted. Some sources claim that Plymouth is named after Plymouth Rock, symbolizing the program's role as the first thing a user sees, but this has not been confirmed in any official capacity.
Tiger is security software for Unix-like computer operating systems. It can be used both as a security audit tool and as a host-based intrusion detection system, and it supports multiple UNIX platforms. Tiger is free under the GPL license and, unlike other tools, it needs only POSIX tools, being written entirely in shell language.
A delta update is a software update that requires the user to download only those parts of the software's code that are new, or have been changed from their previous state, in contrast to having to download the entire program. The use of delta updates can save significant amounts of time and computing bandwidth. The name "delta" derives from the mathematical science use of the Greek letter delta, Δ or δ to denote change.
Zim is a graphical text editor designed to maintain a collection of locally stored wiki-pages, a personal wiki. It works as a personal knowledge base and note-taking software application that operates on text files using markdown. Each wiki-page can contain things like text with simple formatting, links to other pages, attachments, and images. Additional plugins, such as an equation editor and spell-checker, are also available. The wiki-pages are stored in a folder structure in plain text files with wiki formatting. Zim can be used with the Getting Things Done method.
Dracut is a set of tools that provide enhanced functionality for automating the Linux boot process. The tool named dracut is used to create a Linux boot image (initramfs) by copying tools and files from an installed system and combining it with the Dracut framework, which is usually found in /usr/lib/dracut/modules.d.
Long-term support (LTS) is a product lifecycle management policy in which a stable release of computer software is maintained for a longer period of time than the standard edition. The term is typically reserved for open-source software, where it describes a software edition that is supported for months or years longer than the software's standard edition.
X2Go is open source remote desktop software for Linux that uses a modified NX 3 protocol. X2Go gives remote access to a Linux system's graphical user interface. It can also be used to access Windows systems through a proxy.
firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework. firewalld's current default backend is nftables. Prior to v0.6.0, iptables was the default backend. Through its abstractions, firewalld acts as an alternative to nft and iptables command line programs. The name firewalld adheres to the Unix convention of naming system daemons by appending the letter "d".
Zstandard is a lossless data compression algorithm developed by Yann Collet at Facebook. Zstd is the corresponding reference implementation in C, released as open-source software on 31 August 2016.
vnStat is a network utility for the Linux operating system. It uses a command line interface. The vnStat command is a console-based network traffic monitor. It keeps a log of hourly, daily and monthly network traffic for the selected interface(s) but is not a packet sniffer. The traffic information is analyzed from the proc filesystem. That way vnStat can be used even without root permissions.
The Linux kernel can run on a variety of devices made by Apple, including devices where the unlocking of the bootloader is not possible with an official procedure, such as iPhones and iPads.