JP Vossen on 4 Nov 2008 21:54:39 -0800



Re: [PLUG] weird process? (file integrity monitoring)


> Date: Tue, 4 Nov 2008 20:44:24 -0500
> From: "Michael Lazin" <microlaser@gmail.com>
> Subject: Re: [PLUG] weird process?
> 
> by the way, if you find any files that you don't recognize you can grep for
> their time stamp

File integrity checkers, the best known of which is Tripwire, are handy 
here, but only if you've installed one originally on a known good system 
and kept it up-to-date.  That's perpetually one of those "I'll get to it 
later" things, since it can be a pain to configure and maintain them.

That's why I like 'fcheck,' which is a Perl script in the Debian/Ubuntu 
repos.  It more-or-less Just Works out of the box, and it's easy to 
tweak it a bit.  It is *less* secure than aide, osiris, or samhain 
because it only sends a single email when something changes, then 
assumes the change was legit.  On the other hand, it's a LOT more secure 
than the nothing most systems have.  And it's not hard to make an 
off-line DB backup for comparison if needed.  Syntax is simple and it's 
Perl so it's easily hackable.  (And yes, it runs on Windows. :)

I highly recommend everyone look into it.


Failing that, there's a database of known file hashes at 
http://www.nsrl.nist.gov/.  Unfortunately, at a quick glance it's not 
clear that it contains hashes for recent Linux systems (it's mostly 
Windows).  There's some Red Hat in there, but it's old (e.g. 7.x).  It 
would be a lot of work, but it would be possible to build a similar 
system, rev it up to the right level, and hash it, then compare.  That's 
probably vast overkill in this case, but it's interesting to think about.

Good luck,
JP
___________________________
Related tools in Hardy:
* aide - Advanced Intrusion Detection Environment - static binary
* debsums - Verify installed package files against MD5 checksums.
* fcheck - IDS filesystem baseline integrity checker
* integrit - A file integrity verification program
* osiris - network-wide system integrity monitor control interface
* samhain - Data integrity and host intrusion alert system
* stealth - A stealthy File Integrity Checker
* tripwire - file and directory integrity checker
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
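As an added illustration of the baseline-and-compare idea JP describes (this is editor-supplied Python, not code from fcheck, aide, tripwire or any other tool named above): snapshot the hash, size and mode of every file under a root into a JSON database, keep that database somewhere the monitored host cannot rewrite it, and on the next run report what was added, removed or modified. The sample tree, the "trojaned" edits and the known-good hash set in demo() are all constructed for the demo; in practice the known-good set would be exported from a pristine build of the same release, the way the NSRL lists are meant to be used.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline checker (added example, not fcheck/aide code).

Records sha256, size and mode for every regular file under a root, saves the
baseline as JSON, and on a later run reports added/removed/modified files.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, '/'-separated) to hash/size/mode.

    Symlinks are recorded by target rather than followed, so a link repointed
    at a different file shows up as a modification instead of being missed.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                baseline[rel] = {"link": os.readlink(full), "mode": st.st_mode}
            elif stat.S_ISREG(st.st_mode):
                baseline[rel] = {"sha256": sha256_file(full),
                                 "size": st.st_size, "mode": st.st_mode}
    return baseline


def compare(old, new):
    """Diff two baselines; returns sorted lists of relative paths."""
    old_set, new_set = set(old), set(new)
    return {
        "added": sorted(new_set - old_set),
        "removed": sorted(old_set - new_set),
        "modified": sorted(p for p in old_set & new_set if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def unknown_files(baseline, known_hashes):
    """Files whose hash is absent from a known-good set; these need a look."""
    return sorted(p for p, rec in baseline.items()
                  if rec.get("sha256") not in known_hashes)


def demo():
    """Constructed scenario: snapshot a fake tree, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    db_fd, db = tempfile.mkstemp(suffix=".json")  # DB lives outside the tree
    os.close(db_fd)
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho original ls\n")
        with open(os.path.join(root, "etc_passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/bash\n")
        before = build_baseline(root)
        save_baseline(before, db)

        # Simulate a trojaned binary, a dropped backdoor and a deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ls\n")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"#!/bin/sh\nnc -l -p 4444 -e /bin/sh\n")
        os.remove(os.path.join(root, "etc_passwd"))

        after = build_baseline(root)
        result = compare(load_baseline(db), after)
        # Known-good set here is just the original hashes (constructed).
        known = {r["sha256"] for r in before.values() if "sha256" in r}
        result["unknown"] = unknown_files(after, known)
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)
        os.remove(db)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of keeping the JSON database off the monitored host (or on read-only media) is the one JP makes about fcheck: a checker that re-baselines after a single alert, or whose database an intruder can rewrite, only tells you what changed if the attacker did not think to update the database too. Comparing against an independently built known-good hash set, as unknown_files() does, is the NSRL-style check he describes for when no trusted baseline exists.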