Check data pools for changes or manipulation


From Rsync to HIDS

To audit modifications between directories holding large amounts of data, rsync is not the right tool. On the one hand, comparing the content of every file is computationally expensive; on the other, the result can be incomplete, because rsync's default quick check looks only at file size and modification time, not at content, and a modification time is trivially restored after a file has been altered (rsync -c forces a checksum comparison, at the cost of reading every file). That is why developers combined existing tools into packages that automate this step further. Such toolsets exist primarily to detect break-ins on the local system and are called host-based intrusion detection systems (HIDS) [6].

An HIDS toolset offers a wide range of functions: routines to detect file modifications, find rootkits, spot suspicious network packets and interfaces, and flag hidden or otherwise suspicious processes. Some of the tools can only be used on the local system; others can also monitor remote hosts. Table 2 gives a rough overview of the tools and their features.

Table 2

HIDS

Tool         File modifications  Rootkits  Network  Processes  Remote
dpkg         yes                 no        no       no         no
rpm          yes                 no        no       no         no
integrit     yes                 no        no       no         no
tripwire     yes                 no        no       no         no
tiger        yes                 yes       yes      yes        no
rkhunter     yes                 yes       no       no         no
samhain      yes                 no        no       no         yes
debsums      yes                 no        no       no         no
chkrootkit   no                  yes       no       yes        no
aide         yes                 yes       no       no         no
fcheck       yes                 no        no       no         no
stealth (1)  yes                 yes       no       no         no
ossec        yes                 yes       yes      no         yes
unhide       no                  no        no       yes        no
suricata     no                  no        yes      no         no
inotify      yes                 no        no       no         no
(1) SSH-Based Trust Enforcement Acquired Through a Locally Trusted Host

Note that only inotify reports a modification at the moment it happens; all the other tools report it later, when their next check runs. dpkg, dlocate, and debsums are package management tools that exist only on Debian and its derivatives. Strictly speaking, they do not meet the definition of an HIDS: they only check whether the files installed from a package are still unmodified (Listing 7). The same goes for rpm on Fedora and openSUSE. The output in Listing 7 follows the rpm verification format: each reported file starts with nine result characters, where "?" marks a check that dpkg does not perform and "5" in the third position means the MD5 checksum of the file no longer matches the one recorded at installation. Those checksums are stored under /var/lib/dpkg/info/ on the same host, so an attacker with root access can update them along with the file; this check catches accidents and careless tampering, not a careful intruder.

Listing 7

Using Dpkg

$ dpkg -V openssh-server
??5??????      /usr/lib/tmpfiles.d/sshd.conf
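The following parser is an added example, not code from dpkg, rpm, or the article; it relies only on the documented rpm-style verification format (nine result characters, an optional attribute letter such as "c" for conffiles, then the path) and goes slightly beyond Listing 7 by also handling the lines rpm -V prints, including its "missing" entries. The sample output is constructed; only its first line is the one shown in Listing 7.

```python
"""Parser for the rpm-style verification lines of `dpkg -V` and `rpm -V`.

Added example, not code from dpkg or rpm. Each reported path begins with a
nine-character result field (rpm order: size, mode, digest, device, link,
user, group, mtime, caps), where '.' = passed, '?' = not performed and any
other character = failed. dpkg only performs the digest check (position 3,
'5'); rpm performs all nine. An optional attribute letter follows
('c' = conffile), then the path.
"""
import re
from dataclasses import dataclass

CHECK_NAMES = ("size", "mode", "digest", "device", "link",
               "user", "group", "mtime", "caps")

# nine result chars, whitespace, optional attribute letter, whitespace, absolute path
LINE_RE = re.compile(r"^(\S{9})\s+(?:([a-z])\s+)?(/\S.*)$")
# rpm reports files that are gone entirely with the word "missing"
MISSING_RE = re.compile(r"^missing\s+(?:([a-z])\s+)?(/\S.*)$")


@dataclass
class VerifyResult:
    path: str
    failed: tuple      # names of checks that failed
    skipped: tuple     # checks the tool could not or did not perform
    conffile: bool     # 'c' attribute: admins legitimately edit these
    missing: bool = False


def parse_verify_line(line):
    """Return a VerifyResult for one output line, or None for non-report lines."""
    line = line.rstrip("\n")
    m = MISSING_RE.match(line)
    if m:
        return VerifyResult(m.group(2), (), (), m.group(1) == "c", missing=True)
    m = LINE_RE.match(line)
    if not m:
        return None
    flags, attr, path = m.groups()
    failed = tuple(n for n, ch in zip(CHECK_NAMES, flags) if ch not in ".?")
    skipped = tuple(n for n, ch in zip(CHECK_NAMES, flags) if ch == "?")
    return VerifyResult(path, failed, skipped, attr == "c")


def content_changes(output):
    """Files whose contents differ from the package (digest failed) or are missing.

    Package files are listed before conffiles: a changed binary or unit file is
    far more suspicious than an edited configuration file.
    """
    results = [r for r in map(parse_verify_line, output.splitlines()) if r]
    hits = [r for r in results if r.missing or "digest" in r.failed]
    return sorted(hits, key=lambda r: (r.conffile, r.path))


# Constructed sample output; the first line is the one shown in Listing 7.
SAMPLE_DPKG = """\
??5??????      /usr/lib/tmpfiles.d/sshd.conf
??5?????? c /etc/ssh/sshd_config
"""
SAMPLE_RPM = """\
S.5....T.  c /etc/ssh/ssh_config
.......T.    /usr/lib/systemd/system/sshd.service
missing     /usr/bin/ssh-keygen
"""

if __name__ == "__main__":
    for r in content_changes(SAMPLE_DPKG + SAMPLE_RPM):
        kind = "missing" if r.missing else "content changed"
        where = "conffile" if r.conffile else "package file"
        print(f"{kind:16} {where:13} {r.path}")
```

The rpm line with only "T" set (mtime differs, digest unchanged) is deliberately not reported by content_changes: a touched timestamp without a content change is noise for this purpose, whereas a digest mismatch on a non-conffile is the case worth an immediate look.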

Modifications

For directory-based detection of modifications in a filesystem, the candidates are integrit, tripwire, samhain, and aide.

An initial inventory serves as the digital tell-tale against which later differences are measured. In the first step, the program walks the directories you specified beforehand and generates a snapshot of their current state. For every entry it creates a record in its internal database that stores, for example, the file name, the size, the modification and inode-change timestamps, owner, group and permission bits, and the content.

The content itself, however, is not stored as a complete copy but only as a hash value calculated from it. For a cryptographic hash, two different files practically never produce the same value by accident, and the computation is fast and cheap. Many tools use MD5 or a variant of the Secure Hash Algorithm (SHA) for this. MD5 is no longer collision resistant, so an attacker who can plant both the original and the replacement file can make them hash identically; prefer a SHA-2 variant such as SHA-256 where the tool lets you choose.

The second step compares the current state of the directory with the snapshot from the first step. The tool registers every difference between the two states and reports it to you: on standard output, by email, via Jabber (XMPP), or as an entry in a logfile. The snapshot database, and ideally the checking tool itself, must be kept where an intruder cannot rewrite them, for instance on read-only or off-host storage, since an attacker who can alter files can otherwise also update the baseline to match.

If you receive such a warning, respond promptly: first rule out legitimate causes such as a package update, then restore the affected files from an earlier, known-good backup. Both steps create considerable I/O load on the storage medium, so avoid running them during high-load phases.
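The two-step procedure described above, as an added example rather than code from integrit, tripwire, samhain, or aide: a snapshot function that records the attributes such tools keep, a compare function that reports added, removed, and changed paths, and a constructed scenario (the directory tree, file contents and baseline location are all invented here) in which an intruder replaces a file with one of the same length and restores its modification time, which is exactly the case where the content hash, not the timestamp, is what gives the change away.

```python
"""Two-phase file integrity check of the kind described above.

Added example; this is not code from integrit, tripwire, samhain or aide.
Phase 1 (snapshot) records, for every file below a directory, the attributes
such tools keep: size, mode, owner, group, mtime, ctime and a SHA-256 digest
of the content (or of the link target for symlinks). Phase 2 (compare) diffs a
fresh snapshot against the stored baseline and reports added, removed and
changed paths together with the attributes that differ.
"""
import hashlib
import json
import os
import stat
import tempfile

ATTRS = ("size", "mode", "uid", "gid", "mtime", "ctime", "sha256")


def sha256_file(path, chunk=1 << 16):
    """Hash the file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative path: {attribute: value}} for every file below root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                digest = hashlib.sha256(os.readlink(full).encode()).hexdigest()
            else:
                digest = sha256_file(full)
            db[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mode": oct(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": st.st_mtime_ns,
                "ctime": st.st_ctime_ns,
                "sha256": digest,
            }
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two snapshots. 'changed' maps a path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diff = tuple(a for a in ATTRS if baseline[path][a] != current[path][a])
        if diff:
            changed[path] = diff
    return {"added": added, "removed": removed, "changed": changed}


def run_demo():
    """Constructed scenario: clean re-check, then tampering that restores the mtime."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.mkdir(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        with open(login, "w") as f:
            f.write("#!/bin/sh\nexec /bin/true\n")
        with open(os.path.join(root, "motd"), "w") as f:
            f.write("welcome\n")
        # The baseline lives outside the monitored tree; in production it belongs
        # on read-only or off-host storage so an intruder cannot rewrite it.
        db_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), db_path)
        clean = compare(load_baseline(db_path), snapshot(root))

        # Tamper: same-length replacement, then put the old mtime back (what
        # `touch -r` does); add a hidden file; delete another one.
        st = os.stat(login)
        with open(login, "w") as f:
            f.write("#!/bin/sh\nexec /bin/evil\n")
        os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))
        with open(os.path.join(root, ".hidden"), "w") as f:
            f.write("dropper\n")
        os.remove(os.path.join(root, "motd"))
        tampered = compare(load_baseline(db_path), snapshot(root))
    return clean, tampered


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

In the tampered report, bin/login shows up with size and mtime unchanged and only the digest (plus the inode change time, which cannot be reset from user space) differing, which is why a checker that records timestamps alone is not enough.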
