ImSafe - Host Based Anomaly Detection Tool

ImSafe Immune Security Architecture by Laurent Eschenauer

Install Guid

1. The ImSafe GUI

You first need to be sure that you have a GTK of version >= 1.2.0
After unpacking the archive:

gzip -d imsafe.tar.gz
tar -xvf imsafe.tar

Execute the configure script:

./configure

You may want to specify where are your GTK libs by using the

--with-gtk-prefix=
--with-gtk-exec-prefix=

And to add the variable LD_LIBRARY_PATH in your system.

Now, just do

Make
Make install

And it should be OK.
If you have any error , please

• check that you have the last release
• check the FAQ
• check the Help forum here
• ask your question here

Now you can launch imsafe by typing.. you guessed... :)

imsafe




2. The ImSafe "sensor"

This program was coded quick and dirty upon strace-4.2, so if you have any problem, you should first check if you can install the real strace.
If you get ant problem please refer to the strace manual, docs, faqs, forums, etc... before asking any question here.
I'm NOT an strace expert :)

But I compiled this archive without any problem on my RedHat 6.2 and also a Sun Solaris system.

Just run the ./configure script then make.
I don't advise you to run make install since it will install the program as strace with all the man pages, etc....

I told you, it is quick and dirty but it WORKS !



3. The ImSafe linux kernel patch

Just update your kernel using the provided patch by typing this:
$cd /usr/src/linux
$patch -Np1 < path_to_patch/imsafe.patch

You should receive this message :

[root@localhost linux.test]# patch -p1 <../imsafe.patch

patching file `Documentation/Configure.help'
patching file `arch/i386/config.in'
patching file `arch/i386/kernel/entry.S'
patching file `arch/i386/kernel/process.c'
patching file `include/linux/immsec.h'
patching file `include/linux/sched.h'
patching file `kernel/Makefile'
patching file `kernel/fork.c'
patching file `kernel/immsec.c'


It seems everything went fine.
if it was not the case, just update manually using the provided separate files in the /sources directory.

Now you have to reconfigure:

$make xconfig

In the kernel hacking section, choose yes for IMSAFE_TRACING

Now recompile your kernel;

- make dep
- make zImage
- make modules
- etc... You should know how to compile a kernel no ?

Install your new kernel in /boot
I advise you to put it under another name like zImage.Imsafe and to create a new entry in your Lilo table sot that you can switch between your patched and classic kernel at boot time.
Just reboot your system and load the new kernel
The device is now present, you just have to create an entry in /dev

$cd /dev
$mknod imsensor c 127 0

Btw 127 is the MAJOR of this character (c) device.

Now you can access /dev/imsensor.


Have fun !