Functional Overview
TinyIDS is a distributed Intrusion Detection System (IDS) for Unix systems.
How It Works
TinyIDS consists of a server and a client. The client, tinyids, collects information from the local system by running its collector backends. The collected information may include anything, from file contents to file metadata or even the output of system commands. The client passes all of this data through a hashing algorithm to produce a single checksum (hash). This hash is then sent to one or more TinyIDS servers (tinyidsd), where it is compared with the hash previously stored in each server's database for this specific client. Each server sends a response back to the client indicating the result of the hash comparison.
If the hashes do not match, that means that the system on which the client runs has changed, either by its administrator or by an intruder.
Management of the Remotely Stored Data
The TinyIDS Protocol supports the remote management of the data that is stored in the database of a TinyIDS server. A client can perform the following operations on a TinyIDS server across the network:
- Store a new hash.
- Update an already stored hash.
- Delete an already stored hash.
All of these operations require the client to authenticate, which is why each of them requires a passphrase.
The TinyIDS Protocol also supports management of the client's passphrase that is stored at the remote TinyIDS server: changing the passphrase remotely is possible. However, the current revision of the TinyIDS protocol does not provide a way to reset the passphrase; this is only possible by managing the TinyIDS server's database directly.
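As an added illustration of the client/server flow described under "How It Works" and of the store/update/passphrase operations listed above, the following Python is example code written for this page, not TinyIDS's own source or wire protocol. It models a couple of collector backends, the single hash computed over everything they return, and a server-side database that answers hash checks and authenticates every write with the client's own passphrase. The collector names, the `TinyIDSServer` class, its methods and its reply strings are all hypothetical; a delete operation would follow the same authenticate-then-act pattern as `update`.

```python
# Added example, not TinyIDS source: a client-side collector/hash pipeline and an in-memory stand-in for the tinyidsd database; all names are hypothetical.
import hashlib
import hmac
import pathlib
import secrets
import stat
import tempfile


def collect_files(paths):
    """Collector backend: each file's contents plus its mode/owner/group/size."""
    for path in sorted(pathlib.Path(p) for p in paths):
        yield f"content:{path}", path.read_bytes()
        st = path.stat()
        meta = f"{stat.filemode(st.st_mode)} {st.st_uid} {st.st_gid} {st.st_size}"
        yield f"meta:{path}", meta.encode()


def collect_commands(commands):
    """Collector backend for command output; `commands` maps a label to a
    callable returning bytes so the example stays offline and deterministic."""
    for name, run in sorted(commands.items()):
        yield f"cmd:{name}", run()


def system_hash(*collectors):
    """Fold every collected item into one SHA-256. Labels and payloads are
    length-prefixed so moving bytes between items changes the hash."""
    digest = hashlib.sha256()
    for collector in collectors:
        for label, data in collector:
            lbl = label.encode()
            digest.update(len(lbl).to_bytes(4, "big") + lbl)
            digest.update(len(data).to_bytes(4, "big") + data)
    return digest.hexdigest()


class TinyIDSServer:
    """One hash and one passphrase per client id. Passphrases are stored as salted
    PBKDF2 hashes; every write is keyed by the caller's own id, so a client can
    never reach another client's record."""

    def __init__(self):
        self.db = {}  # client_id -> {"hash": str, "salt": bytes, "pw": bytes}

    @staticmethod
    def _pw(passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def _authenticated(self, client_id, passphrase):
        rec = self.db.get(client_id)
        return rec is not None and hmac.compare_digest(
            self._pw(passphrase, rec["salt"]), rec["pw"])

    def check(self, client_id, client_hash):
        """The routine IDS query: does the submitted hash match the stored one?"""
        rec = self.db.get(client_id)
        if rec is None:
            return "UNKNOWN"
        return "MATCH" if hmac.compare_digest(rec["hash"], client_hash) else "MISMATCH"

    def store(self, client_id, client_hash, passphrase):
        if client_id in self.db:
            return "EXISTS"
        salt = secrets.token_bytes(16)
        self.db[client_id] = {"hash": client_hash, "salt": salt, "pw": self._pw(passphrase, salt)}
        return "OK"

    def update(self, client_id, client_hash, passphrase):
        if not self._authenticated(client_id, passphrase):
            return "AUTH_FAILED"
        self.db[client_id]["hash"] = client_hash
        return "OK"

    def change_passphrase(self, client_id, old, new):
        if not self._authenticated(client_id, old):
            return "AUTH_FAILED"
        salt = secrets.token_bytes(16)
        self.db[client_id].update(salt=salt, pw=self._pw(new, salt))
        return "OK"


def demo():
    """Walk-through on a constructed file; returns the server's replies in order."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = pathlib.Path(tmp) / "sshd_config"
        cfg.write_text("PermitRootLogin no\n")
        cmds = {"modules": lambda: b"ext4\nxfs\n"}  # constructed command output

        def current():
            return system_hash(collect_files([cfg]), collect_commands(cmds))

        srv = TinyIDSServer()
        replies = [srv.store("host-a", current(), "correct horse"),  # OK: baseline
                   srv.check("host-a", current())]                   # MATCH
        cfg.write_text(cfg.read_text() + "PermitRootLogin yes\n")   # the system changed
        replies += [srv.check("host-a", current()),                  # MISMATCH
                    srv.update("host-a", current(), "wrong"),        # AUTH_FAILED
                    srv.update("host-a", current(), "correct horse"),  # OK: new baseline
                    srv.change_passphrase("host-a", "correct horse", "new one"),  # OK
                    srv.update("host-a", current(), "correct horse"),  # AUTH_FAILED: old passphrase
                    srv.check("host-b", current())]                  # UNKNOWN: no record
        return replies
```

Two design points are worth noting. The hash length-prefixes every label and payload, so shifting bytes from one collected item into the next (or from a label into its payload) yields a different digest rather than a collision. And the server keeps only a salted, stretched hash of the passphrase, never the passphrase itself, which is exactly why a forgotten passphrase cannot be recovered through the protocol and has to be reset by operating on the server's database directly, as the text above states.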
Security
TinyIDS has been developed with security in mind:
- Communication between the client and the server can be encrypted using public key infrastructure (PKI). RSA keys are supported.
- It is not possible for a client to modify another client's data that is stored in the TinyIDS server database.
- A client can manage the data stored in the database of a TinyIDS server only after successful authentication with the server.
What TinyIDS Can Do
TinyIDS can tell whether a system has changed or not.
What TinyIDS Cannot Do
Although TinyIDS can be very accurate in telling you whether or not a running system has changed, it cannot tell you what exactly has changed. At least for now, this is not one of the goals of the TinyIDS Project.