Check data pools for changes or manipulation
|
From Rsync to HIDS
To audit modifications between directories with large amounts of data, rsync is not advisable. On the one hand, it is too computationally intensive, on the other hand it involves the danger of incompleteness. That is why clever developers created a combination of tools to further automate this step. Such tools basically exist for local break-in detection on a system and are called host-based intrusion detection systems (HIDS) [6].
An HIDS toolset offers a wide range of functionalities. It is equipped with routines to detect file modifications, find rootkits, detect suspicious network packages and interfaces, as well as "mysterious" processes. Some of the tools can only be used on local systems, others on both local and remote systems. Table 2 gives a rough overview of the tools and their features.
Table 2
HIDS
| Tool | File Modifications | Rootkits | Network | Processes | Remote |
|---|---|---|---|---|---|
| dpkg | 4 | 6 | 6 | 6 | 6 |
| rpm | 4 | 6 | 6 | 6 | 6 |
| integrit | 4 | 6 | 6 | 6 | 6 |
| tripwire | 4 | 6 | 6 | 6 | 6 |
| tiger | 4 | 4 | 4 | 4 | 6 |
| rkhunter | 4 | 4 | 6 | 6 | 6 |
| samhain | 4 | 6 | 6 | 6 | 4 |
| debsums | 4 | 6 | 6 | 6 | 6 |
| chkrootkit | 6 | 4 | 6 | 4 | 6 |
| aide | 4 | 4 | 6 | 6 | 6 |
| fcheck | 4 | 6 | 6 | 6 | 6 |
| stealth (1) | 4 | 4 | 6 | 6 | 6 |
| ossec | 4 | 4 | 4 | 6 | 4 |
| unhide | 6 | 6 | 6 | 4 | 6 |
| suricata | 6 | 6 | 4 | 6 | 6 |
| inotify | 4 | 6 | 6 | 6 | 6 |
| (1) SSH-Based Trust Enforcement Acquired Through a Locally Trusted Host | |||||
Note that only inotify issues output in the very same moment it detects a modification. All the other applications do that later. dpkg , dlocate , and debsums are package management tools that only exist on Debian and its derivatives. In the narrower sense, they do not match the definition of HIDS and only check whether the installed files from a package are still unmodified (Listing 7). The same goes for rpm from Fedora and OpenSuse.
Listing 7
Using Dpkg
$ dpkg -V openssh-server ??5?????? /usr/lib/tmpfiles.d/sshd.conf
Modifications
For a directory-based analysis of modification in a filesystem, I have integrit , tripwire , samhain , and aide .
An initial inventory serves as a digital tell-tale for differences that are observed afterwards. In the first step, the program analyzes the directory you specified beforehand and generates a kind of snapshot of the current status. For every entry in the directory, it creates an entry in its internal database and remembers, for example, the file name, the date of creation and last modification, the access and user permissions, and the content.
However, the latter isn't being saved as a complete copy but only with a calculated hash value of the content. It is highly unlikely that this value is not unique, and it is generated reasonably fast and without too much computational effort. For the hash calculation, MD5 or a variant of the Secure Hash Algorhythm (SHA) is used in many cases.
The second step is the comparison of the current directory state with the one of the snapshot from the first step. The system registers all modifications between the two states and communicates them to you. This can happen via the standard output but also via email, Jabber (XMPP), or as an entry in a logfile.
If you receive such a warning, you should react adequately immediately, for example, by recovering to an earlier backup. Both steps create considerable I/O load on the storage medium – so you better not do this during high-load phases.
« Previous 1 2 3 4 Next »
Buy this article as PDF
Pages: 6
(incl. VAT)
Buy Ubuntu User
US / Canada
UK / Australia
Related content
-
Finding differences in PDF documents
If you don't have the right tools, comparing PDF documents for differences can be very cumbersome. We discuss five nifty tools that can help with this task.
- Ubuntu, Google, and the Future of Linux. And rsync too.
-
Visualizing complex structures using Graphviz
Network plans, nested dependencies, or binary trees – with Graphviz, you can visualize complex relationships in a simple way.
-
Backing up data with mintBackup
The clever mintBackup not only backs up your files, it also lists your currently installed programs.
-
Easy backups with Obnam
The Obnam command-line tool allows backups and restores, even when the X server is on strike. Its many options will easily meet the needs of a SOHO environment.