Check data pools for changes or manipulation
|
Similar Tools
Filesystems like ZFS [8] and Btrfs [9] contain automatic integrity checks. If the system reads content from a storage medium, it automatically calculates a checksum for the content of the data block.
ZFS compares these with the checksum of the identical data block on a (mirrored) clone. If the two checksum are not equal, ZFS assumes the original data block's content to be damaged and throws a read error. If the system doesn't repair the problem automatically , you can decide to do so manually and have it replace the damaged data block with the content of the cloned filesystem [10].
Btrfs calculates a checksum (CRC32) for each block for a periodic redundancy check. Thus, the system detects bit errors and fixes them automatically in combination with a RAID in case the mirror is intact. If you use ext3 or ext4 as filesystems, the Smartmontools [11] and the application badblocks (from the e2fsprogs package) can help.
Dangers exist not only on filesystems, but also in processes and data streams. For the latter, you can use unhide [12] and suricata [13]. You can use either to monitor processes and network packages in search of malicious behavior. Unhide monitors the running processes and tries to find those wanting to hide from the ps command's output. In order to do so, it – among other things – compares entries in the /proc filesystem with running processes.
Outlook
No one of the tools presented here is able to prevent modifications in the filesystem, but they do help you to detect such changes when they happen. With this information, you have the opportunity to take steps against suspicious modifications and set your system back to the correct state again. If you include the programs as daemons in the background or as cron jobs, you may be able to save a lot of troublesome manual work.
However, learning how to interpret all the warnings may require a bit of skill. It is also common that some systems report "false positives." A typical case is the surveillance of the directories /bin/ and /usr/bin/ . If you install new or update already existing software, it will alter its contents – that's what HIDS will notice and warn you about. So you will still have to take a careful look at the reports. l
Tip
In the BSD variants and Mac, the counterpart of chattr is called chflags . In Solaris, chmod covers this function; the same goes for lsattr , which is covered by an extension of the ls command.
Infos
- "Linux Password Trick with Immutable Bit Using chattr Command": http://www.cyberciti.biz/tips/linux-password-trick.html
- SELinux: https://selinuxproject.org
- Rsync: https://rsync.samba.org
- How to for rsync: https://www.digitalocean.com/community/tutorials/how-to-use-rsync-to-sync-local-and-remote-directories-on-a-vps
- "Staying in Sync" by Heike Jurzik, Linux Magazine , issue 67, June 2006, http://www.linux-magazine.com/Issues/2006/67/Shredder_9_Chess_Too
- HIDS: https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
- Integrit: https://github.com/integrit/integrit
- ZFS on Linux: http://zfsonlinux.org
- Btrfs: https://btrfs.wiki.kernel.org
- "Using the ZFS scrub feature to verify the integrity of your storage": http://prefetch.net/blog/index.php/2011/10/15/using-the-zfs-scrub-feature-to-verify-the-integrity-of-your-storage
- Smartmontools: http://smartmontools.sourceforge.net
- Unhide: http://www.unhide-forensics.info
- Suricata: https://oisf.net/suricata
« Previous 1 2 3 4 Next »
Buy this article as PDF
Pages: 6
(incl. VAT)