Detecting when you need to system rescue

False Positives

One of the worst problems with file monitoring tools is the occurrence of false positives. If you monitor the /etc/shadow file, for example, any time a user changes her password, you will get a file modification warning. If you update the system, you may get a flurry of warnings.

These tools cannot process an RPM or dpkg file, for example, before installation to reduce false positives. So, unless you build some additional tooling, you'll probably either turn off monitoring or start ignoring it. Additionally, if a file is modified, you can't easily compare it to the previous version unless you manually diff it against a backup copy. Thus, I strongly recommend only monitoring the critical files; if you want to monitor more, you can set that up as a different report to refer to as needed.

Modern Attacks

Modern attacks often are about getting root access, and, sadly, Linux has its share of locally exploitable vulnerabilities that can be leveraged to get root access. Once this is accomplished, an attacker can insert a rootkit to evade detection. Attackers have no real need to modify the files on the system but, if they do, they can use the rootkit to present "good" copies of the file to tools like Open Source Tripwire and AIDE.

Virtualization and cloud computing can help here. In these kinds of virtualized environments, you can easily snapshot or examine the filesystem of a running system, from outside of the running system. Thus, things like rootkits will have a much more difficult time hiding modified files from detection. You can also use network filesystems such as GlusterFS [3] – not only to store data but also to boot from. Because GlusterFS is based on regular filesystems, you can easily examine files from a secured system that has read-only access. Additionally, you can and should use tools like RKHunter to find various rootkits  [4].

Real-Time Attacks

Because these tools must be run on a schedule, a window of time exists between scans, during which attackers can break in and not be detected even if they do modify the files being monitored. Several people have proposed using inotify to trigger scans of files as they change, but, as far as I can tell, neither Open Source Tripwire nor AIDE support this or ever will. The incron [5] program, however, can be used to trigger applications when a file is changed, so you could use incron to trigger a scan when a file is modified.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tripwire

    The simple but effective Tripwire HIDS provides its service quietly and discreetly, preventing attackers from infecting computers with trojans, backdoors, or modified files by identifying anomalies unnoticed by the user.

  • Tripwire IDS

    Tripwire is a powerful tool that protects your systems against unwanted changes.

  • Security Lessons: Rescue Tools

    When attackers strike your system, you need to determine exactly what damage has been done. Here are some tools to help.

  • Security Lessons

    Learn how to monitor and block attacks without lifting a finger.

  • BackTrack and Sleuth Kit

    Once you determine a system has been attacked, boot to the BackTrack Live forensics distro and start your investigation with Sleuth Kit.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More