File Integrity Checker Policy

File Integrity Checker Policy

Rocco Gagliardi
by Rocco Gagliardi
time to read: 6 minutes

Do you trust your OS? How to make sure that someone hasn’t replaced some system files? A file integrity checker (FIC) creates a trusted database of files; once created, it can be used to verify the integrity of the files.

Problem

Developing a policy for a FIC is, as always, a compromise between usability and security. If you are monitoring all files present in the system, you will receive a lot of false positives: in each system, a large number of files is temporary or must be modified. Alerting when these files are changed may not really be interesting, depending on the file and the change. Example: Given a running system with auditing enabled, a saved time ordered sequence of system events (OS logfile) cannot remain static but at the same time the size of the logfile cannot decrease. You can rotate it (close the file and create a new one), but the audit daemon is not designed to remove events from the file. In this case, an alert is useful only if the FIC notes a negative delta in logfile size (FIC limitation: this still does not assure that the logfile was not externally manipulated and had records removed: the FIC just calculates the delta between the logfile size of current and the previous run. If an intruder removes 30kb of data and the logfile has growth 30Mb since the last run, the delta is 30Mb-30kb, is positive and the alert isn’t set off. To assure that the sequence of events cannot be manipulated, different mechanism must be implemented.)

Creating an efficient and effective policy for FIC monitoring is a challenge. In this Labs, such a policy that has been deployed is being looked at. The policy is a basis and can be adapted to specific needs while it maintains usability as well as security. In addition to that, it’s future proof.

The Challenger: Red Hat Enterprise Linux

The Policy

After some testing and tuneups, the following policy was developed and implemented:

Directory/File Value
=/boot$ Full
/bin Full
/sbin Full
/usr/bin Full
/usr/sbin Full
/usr/local/bin Full
/usr/local/sbin Full
/lib Full
/usr/local/lib Full
/etc VarDir
/etc/mtab$ n+p+u
/etc/cron\.daily$ VarDir
/etc/adjtime$ VarFile
/etc/resolv\.conf$ VarFile
/var/backups$ VarDir
/var/backups/lock$ VarDir
/var/backups/log$ VarDir
/var/backups/run$ VarDir
/var/backups/tmp$ VarDir
/var/run/sudo/[a-z0-9]+$ VarDir
/var/run/sshd.pid$ VarFile
/var/log/ Log
/dev Full-m
/tmp$ OwnerMode+i
!/tmp/ssh-[a-zA-Z0-9]{10}$
!/tmp/ssh-[a-zA-Z0-9]{10}/agent.[0-9]{1,5}$
!/dev/xconsole
!/dev/pts

Variables:

Aliases Description Comment
Full p+i+n+u+g+s+b+m+c+Checksum
VarFile p+u+g+n
VarDir p+u+g+n+i
Log p+u+g+n+S Logs grow in size; this should only be used for logs that are not rotated
OwnerMode p+u+g

Primitives:

Primitive Description
p permission
i inode
n number of links
u user
g group
s size
b block count
m mtime
a atime
c ctime
S check for growing size
E Empty group
md5, sha1, rmd160, tiger, haval, gost,crc32 checksums

The language follows the AIDE standard but the content can be adapted for other FICs.

Summary

File integrity checkers are important components in a security framework. Developing, tuning and maintain an effective monitoring policy can be complex and time expensive. This policy has been used in large RHEL-server environment and proved to be a good starting point for a solid File Integrity Checker.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

You need support in such a project?

Our experts will get in contact with you!

×
Transition to OpenSearch

Transition to OpenSearch

Rocco Gagliardi

Graylog v5

Graylog v5

Rocco Gagliardi

auditd

auditd

Rocco Gagliardi

Security Frameworks

Security Frameworks

Rocco Gagliardi

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here