JP Vossen on 4 Nov 2008 21:54:39 -0800


Re: [PLUG] weird process? (file integrity monitoring)

> Date: Tue, 4 Nov 2008 20:44:24 -0500
> From: "Michael Lazin" <>
> Subject: Re: [PLUG] weird process?
> by the way, if you find any files that you don't recognize you can grep for
> their time stamp

File integrity checkers, the best known of which is Tripwire, are handy 
here, but only if you've installed one originally on a known good system 
and kept it up-to-date.  That's perpetually one of those "I'll get to it 
later" things, since it can be a pain to configure and maintain them.

That's why I like 'fcheck,' which is a Perl script in the Debian/Ubuntu 
repos.  It more-or-less Just Works out of the box, and it's easy to 
tweak it a bit.  It is *less* secure than aide, osiris, or samhain 
because it only sends a single email when something changes, then 
assumes the change was legit.  On the other hand, it's a LOT more secure 
than the nothing most systems have.  And it's not hard to make an 
off-line DB backup for comparison if needed.  Syntax is simple and it's 
Perl so it's easily hackable.  (And yes, it runs on Windows. :)

I highly recommend everyone look into it.

Failing that, there's a database of known file hashes at  Unfortunately, at a quick glance it's not 
clear that it contains hashes for recent Linux systems (it's mostly 
Windows).  There's some Red Hat in there, but it's old (e.g. 7.x).  It 
would be a lot of work, but it would be possible to build a similar 
system, rev it up to the right level, and hash it, then compare.  That's 
probably vast overkill in this case, but it's interesting to think about.

Good luck,

Related tools in Hardy:
* aide - Advanced Intrusion Detection Environment - static binary
* debsums - Verify installed package files against MD5 checksums.
* fcheck - IDS filesystem baseline integrity checker
* integrit - A file integrity verification program
* osiris - network-wide system integrity monitor control interface
* samhain - Data integrity and host intrusion alert system
* stealth - A stealthy File Integrity Checker
* tripwire - file and directory integrity checker

JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group
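The post above recommends keeping a baseline of file hashes and metadata and comparing the live system against it, with an off-line copy of the database, and the quoted reply suggests looking for other files carrying the same timestamp as an unrecognized one. The following is an added example illustrating both ideas; it is not code from the post, from fcheck, or from any of the tools listed. It is a deliberately small Python baseline/compare tool: every path, file content and timestamp in demo() is constructed for the example, and the toy skips symlinks and special files that a real checker would also record.

```python
"""Minimal file-integrity baseline/compare in the spirit of fcheck/aide.

Added example, not taken from the post or from any tool it names.
Records sha256, size, mode, uid/gid and mtime for each regular file under
a tree, stores that as JSON (keep the copy somewhere the box cannot
rewrite), then reports added, removed and modified paths on a rescan.
near_in_time() shows the "grep for the timestamp" idea from the quoted
reply, and the demo shows why hashes still matter: mtime is trivially
reset by an intruder (touch -r), the hash is not.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile

T_INSTALL = 1_225_000_000   # constructed "install time" of the baseline files
T_INCIDENT = 1_225_800_000  # constructed time of the suspicious change


def file_record(path):
    """Hash plus the metadata an intruder would have to fake to hide a change."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "mtime": int(st.st_mtime)}


def scan(root):
    """Map every regular file under root (as a relative path) to its record."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # toy: symlinks and special files are not recorded
            records[os.path.relpath(full, root)] = file_record(full)
    return records


def save_baseline(records, db_path):
    with open(db_path, "w") as fh:
        json.dump(records, fh, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Added / removed paths, and for surviving paths which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in sorted(baseline[path])
                   if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def near_in_time(records, suspect, window=60):
    """Files whose mtime lies within `window` seconds of the suspect file's."""
    t = records[suspect]["mtime"]
    return sorted(p for p in records
                  if p != suspect and abs(records[p]["mtime"] - t) <= window)


def _write(root, rel, data, mtime):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.utime(full, (mtime, mtime))


def demo():
    """Build a constructed tree, baseline it, tamper with it, and rescan."""
    root = tempfile.mkdtemp(prefix="fim-root-")
    dbdir = tempfile.mkdtemp(prefix="fim-db-")  # baseline kept outside the tree
    try:
        _write(root, "bin/ls", b"#!/bin/sh\necho ls-v1\n", T_INSTALL)
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n", T_INSTALL)
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n", T_INSTALL)
        db = os.path.join(dbdir, "baseline.json")
        save_baseline(scan(root), db)

        # Simulated intrusion (all constructed): an extra uid-0 account, a
        # dropped library, a deleted config, and a trojaned binary whose
        # mtime was reset to the install time so a timestamp search misses it.
        _write(root, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n",
               T_INCIDENT)
        _write(root, "usr/lib/.hidden.so", b"\x7fELF-not-really", T_INCIDENT)
        os.remove(os.path.join(root, "etc/ssh/sshd_config"))
        _write(root, "bin/ls", b"#!/bin/sh\necho ls-v2\n", T_INSTALL)

        current = scan(root)
        report = compare(load_baseline(db), current)
        near = near_in_time(current, "usr/lib/.hidden.so")
        return report, near
    finally:
        shutil.rmtree(root)
        shutil.rmtree(dbdir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In the demo, the timestamp search around the dropped library only turns up etc/passwd; the replaced bin/ls is caught solely by its hash, which is the reason the post prefers a stored baseline over grepping for timestamps after the fact. The same logic applies to whichever checker you pick: the baseline is only worth anything if it was taken on a known-good system and a copy lives where the box cannot rewrite it.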