ANNOUNCE: New Security Tool: HostSentry 0.02 Alpha

Post by Craig H. Rowlan » Sat, 27 Mar 1999 04:00:00

Hello,

After a long delay I'm happy to announce the alpha release of a new
security tool called HostSentry. HostSentry is part of the Abacus Project
suite of security tools and is designed to function as a Login Anomaly
Detector. The tool is in early alpha phase and while some parts may be
buggy or incomplete, it is stable enough that it shouldn't cause any harm
to a host.

A few points about the tool:

1) Please read all the docs.
2) Some signature modules are not fully implemented.
3) Automated response actions are not implemented yet.
4) It has only been tested under RedHat 5.2 and OpenBSD. Early alpha
testers have also run it under Slackware and it should work on most Unix
systems (I hope).
5) There are some limitations for *BSD variants. Read the docs (and
README.wtmp) for details.
6) The tool is written in 100% Python and you'll want to have the latest
version (http://www.python.org).
7) It's free, but please read the license.

You can get the tool from:

http://www.psionic.com/abacus/hostsentry

You can read about the other tools here:

http://www.psionic.com/abacus

You can subscribe to the mailing list by sending a subscribe message to:

What the tool actually does:

HostSentry monitors system login accounting records in real-time
(wtmp/utmp). These records are used to build a dynamic database of active
users and run a series of signature modules during the login and logout
phases. The signature modules are pluggable and easily activated or
deactivated by the admin. An example wrapper is included to allow
administrators to add new signatures. The current list of signatures
includes:

moduleLoginLogout - Generic audit trail of all user login and logouts.

moduleFirstLogin - Alerts administrators if this user is logging in for
the first time.

moduleForeignDomain - A login was detected from a domain not listed in the
allowed domains file.

moduleRhostCheck - A user's .rhosts file contains a wildcard or other
dangerous modification.

moduleHistoryTruncated - A user's .history file is missing, truncated to
zero bytes, or symlinked (e.g. to /dev/null).

moduleOddDirnames - A user's directory contains suspicious directory names
on logout (" ..", "...", etc.)

moduleMultipleLogins - A single username has multiple concurrent logins
from different domains.

moduleOddLoginTime - A user is logging in at an odd hour for their usage
pattern (not implemented yet).

moduleInvalidUtmp - A corresponding utmp/wtmp entry for this login cannot
be found (entry possibly removed) (not implemented yet).

moduleHistorySuspicious - The user's history file contains suspicious
commands (not implemented yet).

moduleNetworkDaemon - The user logged out but left a listening network
socket operating (private web server, IRC bot, etc.) (not implemented
yet).

moduleFileExists - A file was found in the user's directory that is listed
in the banned/monitored list of the site (not implemented yet).

Other modules to be determined as I find time to implement them. The
modules that are not implemented yet will be done shortly once I start
getting more people testing and can work out the major bugs.
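As an added illustration (not HostSentry's own code), the following sketches the architecture described above in Python: pluggable signature functions run at the login phase over a constructed wtmp-style event stream, with three of the listed signatures (moduleFirstLogin, moduleForeignDomain, moduleMultipleLogins) filled in. The allowed-domains set, the sample hostnames and all function names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Login:
    user: str
    host: str  # remote host as it would be recorded in utmp/wtmp

# Constructed stand-in for HostSentry's allowed-domains file.
ALLOWED_DOMAINS = {"example.com"}
def domain_of(host):
    """'ws12.example.com' -> 'example.com'; bare IP addresses come back unchanged."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 and not parts[-1].isdigit() else host
# Signature modules: each gets (login, active sessions, users seen so far) and
# returns an alert string, or None when the login looks normal.
def module_first_login(login, active, seen):
    if login.user not in seen:
        return f"moduleFirstLogin: first login for {login.user}"

def module_foreign_domain(login, active, seen):
    if domain_of(login.host) not in ALLOWED_DOMAINS:
        return f"moduleForeignDomain: {login.user} from {login.host}"
def module_multiple_logins(login, active, seen):
    others = {domain_of(s.host) for s in active if s.user == login.user}
    others -= {domain_of(login.host)}
    if others:
        return f"moduleMultipleLogins: {login.user} already active from {sorted(others)}"
# Enable or disable a signature by editing this list.
LOGIN_MODULES = [module_first_login, module_foreign_domain, module_multiple_logins]

def run(events, modules=LOGIN_MODULES):
    """events: ('login'|'logout', Login) tuples in wtmp order; returns alerts in order."""
    active, seen, alerts = [], set(), []
    for kind, login in events:
        if kind == "login":
            alerts += [a for a in (m(login, active, seen) for m in modules) if a]
            active.append(login)
            seen.add(login.user)
        else:
            active.remove(login)  # dataclass equality matches on user and host
    return alerts

# Constructed sample event stream, not real accounting data.
SAMPLE_EVENTS = [
    ("login", Login("alice", "ws12.example.com")),
    ("login", Login("alice", "dialup7.other.net")),   # same user, second domain
    ("logout", Login("alice", "ws12.example.com")),
    ("login", Login("bob", "192.0.2.10")),            # bare IP, not an allowed domain
]
```

Calling `run(SAMPLE_EVENTS)` yields five alerts: first logins for alice and bob, foreign-domain alerts for the dialup host and the bare IP, and a multiple-logins alert when alice is active from two domains at once.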

I don't want to make this too long, so if you have any more questions
please look at the webpage and read the docs.

Any comments on the tool are welcome.

Thank you,

-- Craig

http://www.psionic.com

ANNOUNCE: SCons 0.02 now available

I'm pleased to announce that version 0.02 of SCons has been released and
is available for download from the SCons web site:

        http://www.scons.org/

Or through the download link at the SCons project page at SourceForge:

        http://sourceforge.net/projects/scons/

RPM and Debian packages and a Win32 installer are all available, in
addition to the traditional .tar.gz files.

SCons is a software construction tool (build tool, make tool) written
in Python.  Its design is based on the design which won the Software
Carpentry build tool competition in August 2000 (in turn derived from
the Perl-based Cons build tool).

Distinctive features of SCons include:

  - configuration files are Python scripts, allowing the full use of a
    real scripting language to solve build problems
  - a modular architecture allows the SCons Build Engine to be
    embedded in other Python software
  - a global view of all dependencies; no multiple passes to get
    everything built
  - the ability to scan files for implicit dependencies (#include files);
  - improved parallel build (-j) support
  - use of MD5 signatures to decide if a file has changed
  - easily extensible through user-defined Builder and Scanner objects

An scons-users mailing list has been created for those interested in
getting started using SCons.  You can subscribe at:

        http://lists.sourceforge.net/lists/listinfo/scons-users

Alternatively, we invite you to subscribe to the low-volume
scons-announce mailing list to receive notification when new versions of
SCons become available:

        http://lists.sourceforge.net/lists/listinfo/scons-announce

Special thanks to Charles Crain and Anthony Roach for their
contributions to this release.

On behalf of the SCons team,

        --SK

##########################################################################

# PLEASE remember a short description of the software and the LOCATION.  #
# This group is archived at http://stump.algebra.com/~cola/              #
##########################################################################