Enhancing Data Understanding
Rocco Gagliardi
Do you trust your OS? How to make sure that someone hasn’t replaced some system files? A file integrity checker (FIC) creates a trusted database of files; once created, it can be used to verify the integrity of the files.
Developing a policy for a FIC is, as always, a compromise between usability and security. If you monitor every file present on the system, you will receive a lot of false positives: on every system, a large number of files are temporary or must be modified during normal operation. Alerting when these files change is not necessarily interesting, depending on the file and the change. Example: on a running system with auditing enabled, the saved, time-ordered sequence of system events (the OS logfile) cannot remain static, but at the same time its size should never decrease. The file can be rotated (closed and a new one created), but the audit daemon is not designed to remove events from it. In this case, an alert is useful only if the FIC notes a negative delta in logfile size. (FIC limitation: this still does not assure that the logfile was not manipulated externally and had records removed, because the FIC only calculates the delta between the logfile size of the current run and that of the previous run. If an intruder removes 30 kB of data while the logfile has grown by 30 MB since the last run, the delta is 30 MB minus 30 kB, which is positive, and the alert is not set off. To assure that the sequence of events cannot be manipulated, a different mechanism must be implemented.)
Creating an efficient and effective policy for FIC monitoring is a challenge. This Labs article looks at such a policy, one that has actually been deployed. The policy is a basis that can be adapted to specific needs while maintaining usability as well as security. In addition to that, it is future-proof.
After some testing and tuneups, the following policy was developed and implemented:
| Directory/File | Value |
|---|---|
| =/boot$ | Full |
| /bin | Full |
| /sbin | Full |
| /usr/bin | Full |
| /usr/sbin | Full |
| /usr/local/bin | Full |
| /usr/local/sbin | Full |
| /lib | Full |
| /usr/local/lib | Full |
| /etc | VarDir |
| /etc/mtab$ | n+p+u |
| /etc/cron\.daily$ | VarDir |
| /etc/adjtime$ | VarFile |
| /etc/resolv\.conf$ | VarFile |
| /var/backups$ | VarDir |
| /var/backups/lock$ | VarDir |
| /var/backups/log$ | VarDir |
| /var/backups/run$ | VarDir |
| /var/backups/tmp$ | VarDir |
| /var/run/sudo/[a-z0-9]+$ | VarDir |
| /var/run/sshd.pid$ | VarFile |
| /var/log/ | Log |
| /dev | Full-m |
| /tmp$ | OwnerMode+i |
| !/tmp/ssh-[a-zA-Z0-9]{10}$ | |
| !/tmp/ssh-[a-zA-Z0-9]{10}/agent.[0-9]{1,5}$ | |
| !/dev/xconsole | |
| !/dev/pts | |
| Aliases | Description | Comment |
|---|---|---|
| Full | p+i+n+u+g+s+b+m+c+Checksum | |
| VarFile | p+u+g+n | |
| VarDir | p+u+g+n+i | |
| Log | p+u+g+n+S | Logs grow in size; this should only be used for logs that are not rotated |
| OwnerMode | p+u+g | |
| Primitive | Description |
|---|---|
| p | permission |
| i | inode |
| n | number of links |
| u | user |
| g | group |
| s | size |
| b | block count |
| m | mtime |
| a | atime |
| c | ctime |
| S | check for growing size |
| E | empty group |
| md5, sha1, rmd160, tiger, haval, gost, crc32 | checksums |
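To make the alias semantics concrete, and to reproduce the growing-size limitation described in the logfile example above, here is a small integrity comparison written for this article. It is an added example, not AIDE's code: the attribute records (`snapshot`), the three-path policy and the scenario values are constructed inline, where a real checker would `stat()` and hash the files. `C` stands in for the checksum attribute and the sha1 choice is one of the checksums listed in the primitive table.

```python
"""Mini file-integrity check that applies the article's rule aliases.

Added example (not AIDE's code): snapshots are plain dicts of attribute -> value,
constructed inline, so the comparison logic can be exercised offline.
"""
import hashlib

KB, MB = 1024, 1024 * 1024

# Aliases from the policy table. 'C' stands in for whichever checksum is chosen.
RULES = {
    "Full": "p+i+n+u+g+s+b+m+c+C",
    "VarFile": "p+u+g+n",
    "VarDir": "p+u+g+n+i",
    "Log": "p+u+g+n+S",
    "OwnerMode": "p+u+g",
}


def snapshot(content: bytes, **overrides) -> dict:
    """Build a constructed attribute record (a real FIC would stat() and hash the file)."""
    rec = {
        "p": 0o644, "u": 0, "g": 0, "n": 1, "i": 1, "s": len(content),
        "b": (len(content) + 511) // 512, "m": 1700000000, "c": 1700000000,
        "C": hashlib.sha1(content).hexdigest(),  # sha1 is one of the listed checksums
    }
    rec.update(overrides)
    return rec


def compare(baseline: dict, current: dict, rule: str) -> list:
    """Return the attributes of `rule` that changed between two records."""
    findings = []
    for attr in RULES.get(rule, rule).split("+"):
        if attr == "S":
            # Growing-size check: only a decrease is reported. A log that lost
            # 30 kB but gained 30 MB shows a positive delta and is NOT flagged.
            if current["s"] < baseline["s"]:
                findings.append("S")
        elif baseline.get(attr) != current.get(attr):
            findings.append(attr)
    return sorted(findings)


def evaluate(policy: dict, baseline: dict, current: dict) -> dict:
    """Apply {path: rule} to two snapshots; return {path: findings} for changed paths."""
    report = {}
    for path, rule in policy.items():
        if path not in current:
            report[path] = ["removed"]
        elif path not in baseline:
            report[path] = ["added"]
        else:
            diff = compare(baseline[path], current[path], rule)
            if diff:
                report[path] = diff
    return report


POLICY = {"/bin/ls": "Full", "/etc/resolv.conf": "VarFile", "/var/log/messages": "Log"}

# Constructed baseline, as if taken right after installation.
BASELINE = {
    "/bin/ls": snapshot(b"ELF original ls", i=4711),
    "/etc/resolv.conf": snapshot(b"nameserver 192.0.2.1\n", i=20),
    "/var/log/messages": snapshot(b"boot ok\n", i=30, s=2 * MB),
}


def scenario(path: str, record: dict) -> dict:
    """Run the policy against the baseline with one path's record replaced."""
    current = dict(BASELINE)
    current[path] = record
    return evaluate(POLICY, BASELINE, current)


def run_scenarios() -> dict:
    return {
        # Same size and inode, new contents: Full catches it via checksum and mtime.
        "replaced binary": scenario("/bin/ls", snapshot(b"ELF trojaned ls", i=4711, m=1700009999)),
        # A VarFile may change content freely; only mode, ownership and link count are watched.
        "resolv.conf edited": scenario("/etc/resolv.conf", snapshot(b"nameserver 198.51.100.9\n", i=20)),
        "resolv.conf chowned": scenario("/etc/resolv.conf", snapshot(b"nameserver 192.0.2.1\n", i=20, u=1000)),
        # Logs: growth is silent, shrinkage alerts, but removal masked by growth passes.
        "log grew": scenario("/var/log/messages", snapshot(b"", i=30, s=3 * MB)),
        "log truncated": scenario("/var/log/messages", snapshot(b"", i=30, s=100)),
        "log tampered but grew": scenario("/var/log/messages", snapshot(b"", i=30, s=2 * MB + 30 * MB - 30 * KB)),
    }


if __name__ == "__main__":
    for name, report in run_scenarios().items():
        print(f"{name:24} -> {report or 'no findings'}")
```

The last scenario is the limitation from the logfile example: the file lost 30 kB of records but grew by 30 MB overall, so the `S` check sees a positive delta and stays silent, which is why a size check alone cannot prove that an audit trail is intact.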
The language follows the AIDE standard but the content can be adapted for other FICs.
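The same policy written out in AIDE's own configuration syntax, as an added example rather than a configuration file taken from the article. The database paths are assumptions, and `Checksum` from the alias table has been replaced by sha256, which AIDE supports in addition to the checksums listed in the primitive table.

```conf
# Added rendering of the policy in AIDE syntax (database paths are assumed).
database=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz

# Rule aliases from the article; the primitives are AIDE's (p i n u g s b m c S).
Full      = p+i+n+u+g+s+b+m+c+sha256
VarFile   = p+u+g+n
VarDir    = p+u+g+n+i
Log       = p+u+g+n+S
OwnerMode = p+u+g

# Selection lines: '=' matches the path itself without recursing, '!' excludes,
# and the path is a regular expression anchored at its start.
=/boot$                   Full
/bin                      Full
/sbin                     Full
/usr/bin                  Full
/usr/sbin                 Full
/usr/local/bin            Full
/usr/local/sbin           Full
/lib                      Full
/usr/local/lib            Full
/etc                      VarDir
/etc/mtab$                n+p+u
/etc/cron\.daily$         VarDir
/etc/adjtime$             VarFile
/etc/resolv\.conf$        VarFile
/var/backups$             VarDir
/var/backups/lock$        VarDir
/var/backups/log$         VarDir
/var/backups/run$         VarDir
/var/backups/tmp$         VarDir
/var/run/sudo/[a-z0-9]+$  VarDir
/var/run/sshd.pid$        VarFile
/var/log/                 Log
/dev                      Full-m
/tmp$                     OwnerMode+i
!/tmp/ssh-[a-zA-Z0-9]{10}$
!/tmp/ssh-[a-zA-Z0-9]{10}/agent.[0-9]{1,5}$
!/dev/xconsole
!/dev/pts
```

With this file in place, `aide --init` writes the trusted database to the `database_out` path; after moving it to the `database` path, `aide --check` reports every monitored attribute that has changed since the baseline. Keep the baseline database and this configuration somewhere the monitored host cannot silently rewrite them, otherwise the check only proves that the files match whatever the last writer stored.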
File integrity checkers are important components in a security framework. Developing, tuning and maintaining an effective monitoring policy can be complex and time-consuming. This policy has been used in a large RHEL server environment and proved to be a good starting point for a solid file integrity checker.