File Integrity Assessment via SSH
Hal Pomeranz
File integrity assessment (FIA) tools like Tripwire [1], Samhain [2], AIDE [3], et al. are commonly deployed in organizations to assist forensic investigation after a security incident and as a host-based intrusion detection tool to help detect unauthorized file system changes (this also makes them useful monitoring tools for existing change control procedures, though that is not the focus of this article). The concept is simple: the administrator creates a configuration file that lists the critical system files and directories that the FIA tool should monitor, then uses the FIA tool to create a database that tracks common parameters about those files, such as permissions and ownerships, file size, and MAC times, along with one or more cryptographic checksums over the file contents (typically via common hashing algorithms like MD5, SHA-1, etc.). The FIA tool is then re-run periodically, and the current state of the file system is compared to the values stored for the various files in the database -- if there are any discrepancies, the files are flagged as having been modified and a report is generated.
The canonical problem with FIA tools, however, is protecting the database generated by the FIA tool, as well as the binary for the FIA tool itself, from unauthorized tampering by attackers who gain root access to the system. After all, if the attacker installs a rootkit and then updates the FIA database for the system to reflect the new state of the file system, then the administrator may be unaware of the attacker's changes. Similarly, the attacker could modify the FIA tool binary to either ignore or lie about the state of files installed by the attacker.
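To make the baseline-and-compare cycle described above concrete, here is a minimal FIA engine in Python. It is an added example written for this article, not code from Tripwire, Samhain or AIDE; it records the same kinds of attributes those tools track (permissions, ownership, size, mtime/ctime and a SHA-256 over the contents) and reports which attributes differ on the next run. The `demo()` scenario, file names and contents are constructed for illustration; it replaces a file with same-sized content and restores its mtime to show that the content hash still flags the change.

```python
import hashlib
import os
import stat
import tempfile

FIELDS = ("mode", "uid", "gid", "size", "mtime", "ctime", "sha256")  # what is recorded per file

def build_database(root):
    """Walk root and record the tracked attributes of every regular file."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):  # symlinks and special files are out of scope here
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                db[os.path.relpath(path, root)] = (
                    stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size,
                    int(st.st_mtime), int(st.st_ctime), digest)
    return db

def compare(baseline, current):
    """Report files added, removed or changed, naming the attributes that differ."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for rel in set(baseline) & set(current):
        diffs = [f for f, a, b in zip(FIELDS, baseline[rel], current[rel]) if a != b]
        if diffs:
            report["changed"][rel] = diffs
    return report

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    # Constructed scenario: baseline a temporary tree, alter it, then re-check.
    root = tempfile.mkdtemp()
    _write(root, "bin/ls", b"original-ls")
    _write(root, "etc/passwd", b"root:x:0:0")
    baseline = build_database(root)
    mtime = os.stat(os.path.join(root, "bin/ls")).st_mtime
    _write(root, "bin/ls", b"trojaned-ls")  # same size as the original content
    os.utime(os.path.join(root, "bin/ls"), (mtime, mtime))  # mtime put back; the hash still differs
    _write(root, "etc/shadow", b"root:!:0")
    os.remove(os.path.join(root, "etc/passwd"))
    return compare(baseline, build_database(root))
```

The report from `demo()` lists `etc/shadow` as added, `etc/passwd` as removed, and `bin/ls` as changed with `sha256` among the differing attributes while `size` and `mtime` match the baseline.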