Detecting when you need to system rescue

Non-File Data

Another problem I see more and more often is that less and less data is actually stored on traditional filesystems. Databases and NoSQL systems, such as MongoDB and Hadoop, are increasingly used to store data objects, and there's no easy way to apply tools like Open Source Tripwire or AIDE to them. Monitoring such systems for changes and integrity will require software that is not available yet. (Weirdly, I can't find anyone working on this, so let me know if you are!)


Even having a noisy system that you mostly ignore is better than having no detection at all. If a break-in or accident occurs, at least you'll be able to get some idea of the scope of it, and, if you're lucky, you'll be able to determine the actual damage and see how the breach occurred. Of course, these monitoring tools also need to be paired with a good data backup strategy so that you have something with which to restore your system.

Another benefit of tools like Open Source Tripwire and AIDE is that they can pinpoint exactly which files need to be restored (e.g., if files have the same hash value that they had last week, you don't need to worry) and thereby significantly reduce restore times.


  1. Open Source Tripwire:
  2. AIDE:
  3. "Secure storage with GlusterFS" by Kurt Seifried, Linux Magazine, issue 153, August 2013:
  4. "Kernel rootkits and countermeasures" by Jürgen Quade, Linux Magazine, issue 147, February 2013:
  5. "Monitor file and directory activity with incron" by Paul Brown, Linux Magazine, issue 158, January 2014:

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tripwire

    The simple but effective Tripwire HIDS provides its service quietly and discreetly, preventing attackers from infecting computers with trojans, backdoors, or modified files by identifying anomalies unnoticed by the user.

  • Tripwire IDS

    Tripwire is a powerful tool that protects your systems against unwanted changes.

  • Security Lessons: Rescue Tools

    When attackers strike your system, you need to determine exactly what damage has been done. Here are some tools to help.

  • Security Lessons

    Learn how to monitor and block attacks without lifting a finger.

  • BackTrack and Sleuth Kit

    Once you determine a system has been attacked, boot to the BackTrack Live forensics distro and start your investigation with Sleuth Kit.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More