Tags: bash, Hardening. Published February 2, 2026

Lightweight Intrusion Detection System (LIDS)

A Bash script to monitor critical system files for unauthorized changes using SHA-256 hashes.


This script provides a simple way to monitor critical system files for unauthorized changes. It creates a baseline of SHA-256 hashes for sensitive files and alerts you if any file is modified, moved, or deleted.

The Script

#!/bin/bash

# LIDS - Lightweight Intrusion Detection System
# Monitors critical files for unauthorized changes.

# Configuration
FILES_TO_WATCH=(
    "/etc/passwd"
    "/etc/shadow"
    "/etc/group"
    "/etc/sudoers"
    "/etc/ssh/sshd_config"
    "/etc/crontab"
    "/usr/bin/login"
)
# Note: depending on the sudo configuration, $HOME may still be the invoking
# user's home directory. The baseline is only as trustworthy as the directory
# it lives in, so make sure it ends up root-owned and not writable by others.
DB_FILE="$HOME/.lids_db"
LOG_FILE="/var/log/lids_audit.log"

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Check for root
if [[ $EUID -ne 0 ]]; then
   echo -e "${RED}Error: This script must be run as root.${NC}"
   exit 1
fi

# Append a plain, timestamped line to the audit log
# (terminal color codes do not belong in a log file).
log_event() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $1" >> "$LOG_FILE"
}

# Initialize database
init_db() {
    echo -e "${YELLOW}Initializing baseline database...${NC}"
    > "$DB_FILE"
    for file in "${FILES_TO_WATCH[@]}"; do
        if [[ -f "$file" ]]; then
            sha256sum "$file" >> "$DB_FILE"   # writes "<hash>  <path>"
            echo "Indexed: $file"
        else
            echo -e "${RED}Warning: File $file not found, skipping.${NC}"
        fi
    done
    chmod 600 "$DB_FILE"
    echo -e "${GREEN}Database initialized successfully at $DB_FILE${NC}"
}

# Audit system
check_files() {
    if [[ ! -f "$DB_FILE" ]]; then
        echo -e "${RED}Error: Database not found. Run with --init first.${NC}"
        exit 1
    fi

    echo -e "${YELLOW}Starting system audit...${NC}"
    CHANGE_DETECTED=0

    # Each database line is "<hash>  <path>". Reading it into two variables
    # keeps a path that contains spaces intact, because the last variable
    # receives the remainder of the line.
    while read -r stored_hash file_path; do
        if [[ ! -f "$file_path" ]]; then
            echo -e "${RED}[!] DELETED: $file_path${NC}"
            log_event "DELETED: $file_path"
            CHANGE_DETECTED=1
            continue
        fi

        current_hash=$(sha256sum "$file_path" | awk '{print $1}')

        if [[ "$current_hash" != "$stored_hash" ]]; then
            echo -e "${RED}[!] MODIFIED: $file_path${NC}"
            echo "    Previous: $stored_hash"
            echo "    Current:  $current_hash"
            log_event "MODIFIED: $file_path previous=$stored_hash current=$current_hash"
            CHANGE_DETECTED=1
        fi
    done < "$DB_FILE"

    if [[ $CHANGE_DETECTED -eq 0 ]]; then
        echo -e "${GREEN}No changes detected. System is clean.${NC}"
    else
        echo -e "${RED}Warning: System integrity compromise detected! Check $LOG_FILE for details.${NC}"
        exit 2   # non-zero status so cron or a wrapper script can act on it
    fi
}

# Usage
case "$1" in
    --init)
        init_db
        ;;
    --check)
        check_files
        ;;
    *)
        echo "Usage: $0 {--init|--check}"
        echo "  --init:  Create the baseline hash database"
        echo "  --check: Compare current files with the baseline"
        exit 1
        ;;
esac

How to Use

  1. Create the baseline: Run the script with --init to store the hashes of your current, clean configuration.

    sudo ./lids.sh --init
  2. Run regular checks: Set up a cron job to run the script with --check every hour or day.

    sudo ./lids.sh --check
  3. Automation: You can easily extend this script to send an email or Slack notification whenever a change is detected.
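As an added example (not the page's script and not the author's code), here is the same baseline-and-check idea written for the cron and notification use described in steps 2 and 3, generalized in one respect: it also records owner and permission bits next to each content hash, because a chmod or chown leaves the SHA-256 unchanged and would otherwise go unnoticed. It assumes GNU coreutils (sha256sum, stat -c); the function names, the db.sha/db.meta layout and every file in lids_demo are constructed for this example.

```shell
#!/bin/bash
# Added example, not the page's script. Same SHA-256 baseline idea, extended for
# cron use: owner/permission drift is recorded next to the content hash, the check
# returns a non-zero exit status when anything changed, and findings go to a plain
# timestamped log and a notification hook. Assumes GNU coreutils (sha256sum, stat -c).

# Record the baseline: "<sha256>  <path>" lines in $db.sha and
# "<octal mode> <uid> <gid> <path>" lines in $db.meta, both owner-only.
lids_baseline() {
    local db="$1" f
    shift
    : > "$db.sha"
    : > "$db.meta"
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip (not a regular file): $f" >&2; continue; }
        sha256sum "$f" >> "$db.sha"
        stat -c '%a %u %g %n' "$f" >> "$db.meta"
    done
    chmod 600 "$db.sha" "$db.meta"
}

# Compare the live files with the baseline. Prints one finding per line
# (MISSING / MODIFIED / META) and returns 1 if anything changed, 0 if clean.
lids_check() {
    local db="$1" changed=0 hash path current mode uid gid
    # read puts the hash in $hash and the rest of the line in $path,
    # so a path containing spaces survives.
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; changed=1; continue
        fi
        current=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$current" = "$hash" ] || { echo "MODIFIED $path"; changed=1; }
    done < "$db.sha"
    # Metadata drift: mode or ownership changed while the content stayed the same.
    while read -r mode uid gid path; do
        [ -f "$path" ] || continue      # already reported as MISSING above
        [ "$(stat -c '%a %u %g' "$path")" = "$mode $uid $gid" ] \
            || { echo "META $path"; changed=1; }
    done < "$db.meta"
    return "$changed"
}

# Default notification hook; replace with mail(1) or a webhook wrapper.
lids_notify() { printf 'LIDS alert:\n%s\n' "$1" >&2; }

# Cron entry point: lids_run <db> <log> [notify-command]. Exit 0 when clean,
# 1 when findings were logged and handed to the hook.
lids_run() {
    local db="$1" log="$2" notify="${3:-lids_notify}" findings ts line
    if findings=$(lids_check "$db"); then
        return 0
    fi
    ts=$(date '+%Y-%m-%dT%H:%M:%S%z')
    printf '%s\n' "$findings" | while IFS= read -r line; do
        printf '%s %s\n' "$ts" "$line"
    done >> "$log"
    "$notify" "$findings"
    return 1
}

# Demo on constructed files in a temp dir: baseline three files, then change
# each one in a different way and run the cron entry point.
lids_demo() {
    local tmp
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
    printf '0 3 * * * root /usr/local/sbin/backup\n' > "$tmp/crontab"
    printf 'PermitRootLogin no\n' > "$tmp/sshd_config"
    chmod 644 "$tmp"/*
    lids_baseline "$tmp/db" "$tmp/passwd" "$tmp/crontab" "$tmp/sshd_config"
    lids_check "$tmp/db" && echo "baseline clean"
    printf 'an appended line\n' >> "$tmp/passwd"   # content change
    chmod 666 "$tmp/crontab"                        # permission change only
    rm -f "$tmp/sshd_config"                        # deletion
    lids_run "$tmp/db" "$tmp/lids.log" || echo "lids_run exit status: $?"
    cat "$tmp/lids.log"
    rm -rf "$tmp"
}
lids_demo
```

For a real deployment, replace the trailing lids_demo call with something like lids_run /var/lib/lids/baseline /var/log/lids_audit.log /usr/local/sbin/lids-mail (hypothetical paths) and schedule that from root's crontab; the non-zero exit status and the hook's stderr output are what cron and any wrapper can react to.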

Why use this?

Attackers often modify files like /etc/passwd to add backdoors or /etc/shadow to change passwords. Even a one-byte change produces a completely different SHA-256 hash, so comparing current hashes against a known-good baseline is a very effective way to detect tampering on a static system. The check is only as trustworthy as the baseline itself: keep the database root-owned (ideally with a copy kept off the host) and re-run --init only after a change you have verified as legitimate, since a baseline regenerated over tampered files would simply accept them.