Bacula as a Host Based Intrusion Detection System

While most people consider Bacula to be a great network backup system, it is not the first thing that comes to mind when discussing Intrusion Detection Systems. However, Bacula’s File Verification feature is very powerful and is a better solution for businesses, especially enterprises that have many workstations and want to centralize the administration and configuration.

Host Based Intrusion Detection Systems monitor the important system files and note when these are changed, as this is one of the warning signs that the host may have been compromised by a virus, rootkit, or other malware. Unlike traditional Host Based IDS system like TripWire, who store their signature databases locally, Bacula stores its file signature database on a remote SQL Server, and the backup/verify process is entirely controlled by the remote ‘Director’. This means that the IDS client (known as the ‘File Daemon’ in a Bacula setup) is more resistant to being tampered with or disabled. If it is disabled, the centralized ‘Director’ will email the administrator a Failure Report, and can be configured to take specific actions.

Bacula breaks the backup and file integrity checking process into multiple services, that can be spread over multiple machines, or run all on a single server. The most important part of the system is the ‘Director’, it is responsible for coordinating and scheduling. All of the records for the files, signatures, jobs, schedules, volumes, media and configuration are stored in the ‘Catalog’, which is an SQL database. All of the file contents that are backed up are sent to the ‘Storage Daemon’, which can write them to File, CD/DVD, Tape, Auto Changer, or any other media you wish to use. It also provides the pool functionality, to maintain multiple copies of each file, while recycling the media when it’s content gets old, to ensure the longest retention period possible with the least amount of media. The last component is the ‘File Daemon’, also know as the Client, this is a small program that runs on each host (there are Linux, FreeBSD, Windows (including VSS), and Mac Versions), and takes requests from the ‘Director’ and then sends the files to backup and signatures to the ‘Storage Daemon’. It supports both MD5 and SHA1 hashing algorithms, and SSL/TLS transport encryption for the communications between the Client and Servers.

Bacula does not require any specific hardware, and can run on most of the operating systems that are supported by the client. However, you will need some type of storage medium, this can be a Disk, a Disk Array, a NAS/SAN, a CD/DVD Burner, or a Tape Drive/Changer. Only certain tapes drives and changers are supported (See the HTML Manual for a list). However, this means that the system requirements are very minimal, and only depend on the number of machines and amount of data you need to backup. If you are using Bacula solely as an IDS, then only the file signature database needs to be stored, and you will not require any special media or drives.

Bacula is open source software, so there is no licensing to purchase. A basic x86 server with a moderately sized hard drive, and an open source operating system such as FreeBSD are all that would be required to run a Bacula ‘Director’, ‘Storage Daemon’, and SQLite backed ‘Catalog’. Basic configuration for a 10 host environment with only the Host Based IDS to very the file signatures daily, would take a moderately experienced unix administrator a mere afternoon to setup, and it can be remotely administered from a windows or linux workstation with the wxConsole application.

Like any system, there are pros and cons to using Bacula as your Host Based IDS. The main problem with any Host Based IDS is that if the host is compromised, the ISD is no longer trustworthy. If for example, the compromise involves altering the kernel, it could easily cause the IDS to fail to detect any changed, and not alert you to the compromise. The only solution in this situation is using a LiveCD to verify the authenticity of the system files, however this can be cumbersome if you have many hosts, or if your system files change on a regular basis, as you would need to recreate the LiveCD. The biggest pro for the Bacula based system, is that it is entirely managed from the ‘Director’ server, and can be managed remotely. The list of clients to monitor, which files to check, how often to check them, running manual scans, can all be done remotely. Reports are emailed to you, and won’t stop because one of the hosts is compromised, you will still get your alerts, so you do not have to watch for the lack of an email confirmation that everything is ok. Becula also has the additional advantage of providing your backup solution as well, killing two birds with a free stone. Bacula is a very mature open source project that is actively developed, it is not like many smaller open source projects that start up, never reach a stable code base, and then suddenly stop development because of the loss of a single developer. Bacula is used and backed by many large enterprises, so you can count on it being around for a long time.

In the end, Bacula can act as a very good Host Based IDS but it is not a network IDS or IPS, it cannot detect or block suspicious traffic on the network, however it provides a much easier to manage solution when you have a large number of hosts, running different operating systems, to monitor. The SQL based ‘Catalog’ also allows you to build custom reporting tools to extract data from the database, such as differences between each host, and duplicate files. Overall Bacula makes a great Host Based IDS for the business that requires centralized management, reporting and administration in a mixed-host environment.