Overview
Managed Host Intrusion Detection (HIDS) is only available on Production and Enterprise plans.
HIDS Compliance Report
Aptible includes access to the HIDS compliance report at no charge for all shared stacks. The report is also available for Dedicated Stacks for an additional cost. Contact Aptible Support for more information.
Methodology
Aptible collects HIDS events using OSSEC, a leading open-source intrusion detection system. Aptible’s security reporting platform ingests and processes events generated by OSSEC in one of the following ways:
- Automated review
- Bulk review
- Manual review
Review Process
The Aptible Security team uses the following review processes for intrusion detection.
Automated Review
Aptible’s security reporting platform automatically reviews certain categories of events generated by OSSEC. Here are some examples of automatically reviewed events:
- Purely informational events, such as events indicating that OSSEC performed a periodic integrity check. Their sole purpose is to appear in the HIDS compliance report.
- Acceptable security events. For example, an automated script running as root using sudo: using sudo is technically a relevant security event, but if the user already has root privileges, it cannot result in privilege escalation, so that event is automatically approved.
Bulk Review
Aptible’s security reporting platform integrates with several other systems with which members of the Aptible Operations and Security teams interact. Aptible’s security reporting platform collects information from these different systems to determine whether the events generated by OSSEC can be approved without further review. Here are some notable examples of bulk-reviewed events:
- When a successful SSH login occurs on an Aptible instance, Aptible’s monitoring determines whether the SSH login can be tied to an authorized Aptible Operations team member and, if so, prompts them via Slack to confirm that they did trigger this login. An alert is immediately escalated to the Aptible security team if no authorized team member is found or the team member takes too long to respond. Related IDS events are automatically approved and flagged as bulk review when a login is approved.
- When a member of the Aptible Operations team deploys updated software via AWS OpsWorks to Aptible hosts, corresponding file integrity alerts are automatically approved in Aptible’s security reporting platform and flagged as bulk reviews.
Manual Review
The Aptible Security team manually reviews any security event that is neither reviewed automatically nor in bulk. Some examples of manually reviewed events include:
- Malware detection events. Malware detection is often racy and generates false positives, which need to be manually reviewed by Aptible.
- Configuration changes that were not otherwise bulk-reviewed, for example changes that result from nightly automated security updates.
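The three review tiers above, as an added Python example that is not Aptible's code: constructed OSSEC-style events are routed to automated, bulk or manual review, with constructed confirmed-login and deployment records standing in for the other systems the platform cross-references. The Event fields, the category names and the 60-second confirmation tolerance are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed OSSEC-style event; field names are assumptions, not OSSEC's own schema.
@dataclass
class Event:
    category: str               # integrity_check | info | sudo | ssh_login | file_change | rootkit | config_change
    host: str
    ts: int                     # epoch seconds
    user: Optional[str] = None
    euid: Optional[int] = None  # effective uid of the process that invoked sudo
    path: Optional[str] = None
# Constructed stand-ins for the systems the platform cross-references:
# operator-confirmed SSH logins (via Slack) and deployment windows per host.
CONFIRMED_LOGINS = [("web-1", "alice", 1000)]   # (host, user, login ts)
DEPLOYMENTS = [("web-1", 1100, 1300)]           # (host, start ts, end ts)

def login_confirmed(ev: Event, slack: int = 60) -> bool:
    """True if an authorized operator confirmed this login within `slack` seconds."""
    return any(h == ev.host and u == ev.user and abs(ev.ts - t) <= slack
               for h, u, t in CONFIRMED_LOGINS)

def in_deployment_window(ev: Event) -> bool:
    """True if a known deployment was in progress on this host at the event time."""
    return any(h == ev.host and start <= ev.ts <= end for h, start, end in DEPLOYMENTS)

def triage(ev: Event) -> str:
    """Route one event to 'automated', 'bulk' or 'manual' review."""
    if ev.category in ("integrity_check", "info"):
        return "automated"      # purely informational; only needs to appear in the report
    if ev.category == "sudo" and ev.euid == 0:
        return "automated"      # caller is already root, so sudo cannot escalate privileges
    if ev.category == "ssh_login":
        return "bulk" if login_confirmed(ev) else "manual"   # unconfirmed login escalates
    if ev.category == "file_change" and in_deployment_window(ev):
        return "bulk"           # integrity alert explained by a deployment
    return "manual"             # malware hits, unexplained file/config changes, anything else

def triage_all(events: list) -> dict:
    """Group events by review tier, as the compliance report would present them."""
    return {tier: [ev for ev in events if triage(ev) == tier]
            for tier in ("automated", "bulk", "manual")}

SAMPLE_EVENTS = [  # constructed input
    Event("integrity_check", "web-1", 900),
    Event("sudo", "web-1", 950, user="root", euid=0),
    Event("ssh_login", "web-1", 1010, user="alice"),
    Event("ssh_login", "web-1", 1500, user="bob"),
    Event("file_change", "web-1", 1200, path="/usr/bin/python3"),
    Event("rootkit", "web-1", 2100, path="/tmp/.x"),
]
```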
List of Security Events
Security events monitored by Aptible Host Intrusion Detection:
CIS benchmark non-conformance
HIDS generates this event when Aptible’s monitoring detects an instance that does not conform to the CIS controls Aptible is currently targeting. These events are often triggered on older instances that still need configuring to follow Aptible’s latest security best practices. Aptible’s Security team remediates the underlying non-conformance by replacing or reconfiguring the instance, and the team uses the severity of the non-conformance to determine priority.
File integrity change
HIDS generates this event when Aptible’s monitoring detects changes to a monitored file. These events are often the result of package updates, deployments, or the activity of Aptible operations team members and are reviewed accordingly.
Other informational event
HIDS generates this event when Aptible’s monitoring detects an otherwise uncategorized informational event. These events are often auto-reviewed due to their informational nature, and the Aptible security team uses them for high-level reporting.
Periodic rootkit check
Aptible performs a periodic scan for resident rootkits and other malware. HIDS generates this event every time the scan is performed. HIDS generates a rootkit check event alert if any potential infection is detected.
Periodic system integrity check
Aptible performs a periodic system integrity check to scan for new files in monitored system directories and for deleted files. HIDS generates this event every time the scan is performed. Among others, this scan covers /etc, /bin, /sbin, /boot, /usr/bin, and /usr/sbin.
Note that Aptible also monitors changes to files under these directories in real-time. If they change, HIDS generates a file integrity alert.