An interesting area on the honeypot is the system logging and command history. Although it should be possible to piece together the attackers session from the packet traces on the intermediary bridge, a local copy of the command history can be important as some attackers will use encrypted communication if you allow them.
One of the first things an attacker will likely do after compromise is stop logging. They will wipe the logs, trojan syslogd, and unset the $HISTFILE or symbolically link /dev/null to the $HISTFILE. I could counter by recompiling syslogd to read a different configuration file but an advanced attacker could run strings on the binary to see what configuration file is read. There's a bash patch which will record shell history and forward keystrokes to syslogd. Another option would be a modified version of TTY Watcher which is a kernel module that captures keystrokes and sends them over a TCP connect ion. However, one of the simplest solutions I found is to recompile bash with $FOO in place of $HISTFILE. When the attacker (if, even) unsets $HISTFILE or modifies the .bash_history they are really a dummy file placed there to fool said attacker. $FOO will point to the correct history location and keep on logging. Also, make sure to not give the attacker other shells to use if you want to trojan bash. To recompile bash to log to a different location alter the following code in variables.c:
#*** OLD ***|
# name = bash_tilde_expand (posixly_correct ? "~/.sh_history" : "~/.bash_history");
# set_if_not ("HISTFILE", name);
# free (name);
#*** NEW ***
name = "/path/to/hidden/.somedir/.somefile"
set_if_not ("HISTFILE", name);
#HISTFILE should be something else by now, like FOO
name = 0;
For HIDS (Host IDS), I like AIDE (Advanced Intrusion Detection Environment). It is essentially Tripwire only better and is GPL. It will verify the integrity of files by saving a database of file attributes to a disc. After compromise it is then able to compare the database file attributes from the disc with the current files on disk which will show which files have been altered.
./aide --config=./aide.conf --init
Move the db files to the cdr temporary and after build an iso image:
mv aide.db.new /mnt/cdr-temp/aide/bin/aide.db
After a config on the cdr/aide config could look like this :
Mount the cdrom to check the db:
./aide --config=./aide.conf --check