nabou - advanced host intrusion detection system
Nabou is an advanced host intrusion detection system (IDS). It can detect changes to files and directories, suid/sgid files, user accounts, user cronjobs, listening ports (TCP and UDP) and weird processes.
If a file (or any of the other items mentioned above) has been changed, added or removed in any way, nabou will inform you by email (if you prefer that).
Nabou allows you to define your own custom checks using inline scriptlets (supported by the check_files and check_proc modes).
Nabou runs in different modes, which must be configured in its configuration file. Nabou can, of course, run multiple modes during one run.
The most important mode. Changes to files and/or directories will be detected. Nabou can check all available file attributes such as ownership, size and so on, and it can checksum the file content, which allows it to detect whether the content has been changed. Even if only one byte changes, nabou will detect it. You need to specify which files/directories are to be monitored by nabou.
This mode causes nabou to look for suid and sgid files on your system. It keeps track of them in the same way as the check_files mode does. This mode operates on the whole filesystem (i.e. "/"), which is not configurable for security purposes.
This is not really a check mode; it simply informs you about user accounts with uid or gid == 0 (zero).
In this mode nabou keeps track of your unix user accounts. Nabou informs you about new accounts and about changed or removed accounts.
In this mode nabou monitors the crontab entries of all users. If a crontab entry changes in any way, you will be informed.
This causes nabou to look for listening ports (as marked in netstat -a with »LISTEN«), the process which has opened each port and the user under which it runs. It will inform you about new listening ports as well as about all changes to known listening ports.
This is not really a mode on its own. If you turn it on, nabou will inform you about disk usage changes (+/- in percent, which is configurable) on all monitored directories.
This mode causes nabou to look for weird processes. This is the most complex mode (from the configuration point of view) and should only run alone. A separate config file for process monitoring is highly recommended. The check_proc mode is able to run as a daemon (the -D flag, see below).
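The baseline-and-compare logic behind the check_files and port-monitoring modes, as an added example (not nabou's own code): a snapshot of file attributes plus a SHA-256 of the content, a snapshot of LISTEN lines parsed from constructed netstat -tlnp output, and one diff routine that reports added, removed and changed items together with the attributes that differ.

```python
import hashlib
import os
import re
import stat

def file_snapshot(paths):
    """Record the attributes check_files tracks (owner, group, mode, size,
    mtime) plus a SHA-256 of the content for regular files, keyed by path."""
    snap = {}
    for p in paths:
        st = os.lstat(p)
        entry = {"uid": st.st_uid, "gid": st.st_gid,
                 "mode": oct(stat.S_IMODE(st.st_mode)),
                 "size": st.st_size, "mtime": int(st.st_mtime)}
        if stat.S_ISREG(st.st_mode):
            with open(p, "rb") as f:
                entry["sha256"] = hashlib.sha256(f.read()).hexdigest()
        snap[p] = entry
    return snap

# Matches LISTEN lines of "netstat -tlnp" output (constructed samples below).
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")

def port_snapshot(netstat_lines):
    """Record listening ports and the process owning each, keyed by proto/addr:port."""
    snap = {}
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if m:
            proto, addr, port, pid, prog = m.groups()
            snap[f"{proto}/{addr}:{port}"] = {"pid": int(pid), "program": prog}
    return snap

def diff(baseline, current):
    """Compare two snapshots; return (added, removed, changed), where changed
    maps each key to the names of the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for key in set(baseline) & set(current):
        fields = [k for k in sorted(set(baseline[key]) | set(current[key]))
                  if baseline[key].get(k) != current[key].get(k)]
        if fields:
            changed[key] = fields
    return added, removed, changed

# Constructed netstat -tlnp lines standing in for a baseline run and a later run.
NETSTAT_BASELINE = [
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd",
]
NETSTAT_NOW = NETSTAT_BASELINE + [
    "tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2048/python3",
]
```

A one-byte change that keeps the file size identical still shows up in the changed attributes through the checksum, which is the point of checksumming rather than trusting stat() alone.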
See nabourc for details on configuring each mode and its parameters, if any. All modes must be configured in the config file. There is no way to choose a particular mode from the commandline. But you can use the IFDEF pre-processor feature, which allows you to set a variable on the commandline (--def), which triggers the pre-processor. See the section PRE PROCESSOR.
You should run nabou on a regular basis from a cronjob. You can also run multiple instances of nabou, i.e. one instance for process monitoring, another one for port monitoring and last, another one for filesystem monitoring.
Nabou stores all information in DBM databases. Its default behavior is to use RSA public key crypto for securing the databases. This requires user action if a database needs to be updated (i.e. if a legitimate change has been made by root), but still allows nabou to read the database and thus to notice changes.
Of course you can turn this off, which causes nabou to update the database after each completed check. But this is not recommended. See the SECURITY section for more details.
See more detailed description in the section OPERATE NABOU later in this manual page.
Use another config file than the default one in /etc/nabourc.
Initialize the nabou database.
Reset the nabou database.
Dump the contents of a nabou database file to STDOUT in plain text. If you specify one or more filenames on the commandline, then only those files' entries will be printed.
Useful in combination with --dump. Causes an unformatted dump.
Update the database entry(s) for file, ... or for all files if no files are specified.
Run in daemon mode, only used by proc monitoring.
Generate a public/private keypair for database encryption. The public key will be password protected.
Causes nabou only to show changed items. It will operate silently, if nothing has changed.
Show a short description of available commandline options.
Show the version number and exit.
Before you can install nabou as a daily cronjob, you need to run it once with the -i or --init commandline flag. This causes nabou to initialize its databases based on your configuration.
nabou --init --config /root/.nabourc
Please note, that the output of the initial run of nabou can become very large! You may redirect this output to a file:
nabou --init --config /root/.nabourc > init-log
nabou will ask you for a passphrase if the
If you are using a nabou instance for process-monitoring only as demonstrated by the sample "psrc" supplied with the package, then the options -i or -r are redundant.
If the --reset or --init(or -i/-r) flag is supplied, nabou will not mail out a report even if usemail is turned on.
Now you are ready to install it as a daily cronjob. An example:
30 0 * * * /root/bin/nabou --config /root/.nabourc > /dev/null 2>&1
This crontab entry runs nabou every day at 00:30.
There is another commandline option which you can use to re-initialize its database: -r or --reset. But be very careful with this option.
If you only want to update the database entry for one file, you can use the option -u or --update, which requires a filename as argument.
If you omit a filename for --update then nabou will perform a normal run based on the current config, which is the same as running nabou without any options (beside --config).
You can also run multiple instances of nabou, but better use different databases for every instance. If every instance should use some identical config options, you might make use of the include statement mentioned in NabouConfig.
You can run nabou with the -q or --quiet flag, which causes it only to report changes. In other words, if nothing changed, no report will be sent/printed.
You can view the contents of a nabou database by using the command line flag -d or --dump. This flag requires the database name as argument and dumps out a comma separated list, one line for one file. The meanings of each field are described in the file dbformat.txt. The dump will be a little bit formatted, time values will be converted to human-readable values (just as the date command tells you), uid and gid values will be converted to their representations (i.e. 0 = root and so on).
If you prefer to get the raw contents unformatted then you can use the flag --raw in addition to the --dump or -d flag.
/etc/nabourc
/sbin/nabou
/usr/doc/nabou-VERSION/*