What is the best software for File Integrity Monitoring?

Both for log files and scripts I have that have access to a secure database.

(This is for 10.5.5 and 11.5 of the PCI DSS)

There's no way to provide a factual answer to that, as "best" is a matter of opinion.

My favorite is Tripwire 2.3.1.2, but AIDE seems to be loved by many people.

That is an outdated version of tripwire, any reason for that?

Current version is Tripwire 2.4.1.2

it can be obtained Here

No, it's not "outdated". It's a rock-solid performer with an excellent security reputation and years and years worth of source code maintenance and bug fixes. I'm not sure if those are the reasons why the Debian people have decided to stick with the 2.3 branch, but FWIW they are the reasons why I have. I might take a look at 2.4 if it ever makes it into Debian, though. That said, I will be taking AIDE out for a spin soon, as I keep hearing such great things about it - plus it's a part of the official Ubuntu repositories (whereas Tripwire isn't).

Actually there is a difference. Aide (and IIRC tripwire) are userland-only, passive, post-incident checkers, meaning you'll have to run them manually or from a scheduler and they can only see changes after the incident happens. Samhain has a kernel module (so it can check part of the kernel structure), runs daemonised and schedules it's own runs, which makes it an active checker. As a result it's more demanding (load). With for instance Aide you could split configs and check say crucial system binaries with one config on a one hour schedule and check say /boot and /usr with another config on a eight hour schedule.

* Since you relate this to the PCI DSS maybe it's also good to know that next to logging provided by SELinux, you can also expand your audit trail using 0) the 'auditd' daemon. Say your machine is hardened properly, /tmp is cleared out often and only a few processes write to it. To keep tabs on whatever writes to and executes things in /tmp you could set a watch like: "-w /tmp -p wx -k watch-wx-tmp" in /etc/audit/audit.rules. 1) Keeping a tab on commands users execute can be done with Rootsh. This wraps around the users shell and logs to syslog or file. Just some examples wrt tracking and monitoring...

** I'm also interested to read what you've implemented to comply with PCI DSS. If you've got the time posting details would be appreciated.

About tripwire, didn't that have anything to do with the license troubles it went through?

Right, but I'm under the impression that to comply with 10.5.5 and 11.5 you wouldn't need active checking.

Please correct me if this isn't the case. I quote from the PDF:That very well could be. The SF.net project page for 2.4 does show it as being GPL, though.

Uh. No. The active/passive division doesn't address PCI DSS but your "provide a factual answer" part. It's because I found I often left finding the difference between checkers clear and the implications of the choice "as an exercise for the reader". And not to make this a discussion about the minimum reqs PCI DSS asks for, but if one could choose the time of report about an intrusion on a business crticial system, I wonder if that choice would be "after the hourly cronjob has run" rather than "right now".


Looking back at the OP I see I didn't address the "Both for log files" part. Logfiles get written to through syslog or through the application. Some applications can be forced to log through syslog making consolidating logs easier. IIRC there are (must have read somewhere) syslog implementations that can sign or encrypt received messages which should help integrity checking of logs easier (dunno about overhead though). OTOH you could use a remote syslog host to log everything to. The idea is this host only accepts inbound syslog messages, so logs can't be tampered with. Access to the syslog host could be through another interface and 'net or out of band comms.

Oh, okay. Well, I just meant that saying some particular program is "the best" wouldn't be a factual answer, just someone's point of view. Kinda like saying some distro is the best. Not sure why it came through differently.

Yeah, I definitely think "right now" would be the optimal in most business critical systems. One would just have to weigh the pros an cons (such as the increased load which you mentioned). I myself have only used Tripwire so I'm not familiar with the real-time checkers. I'm reading the Samhain user manual right now - it's huge.

I'm still working on a lot of this, but for right now a lot of little things, but one big thing I am making a central log server. I am looking into possible making that the remote syslogd server.

In reading the documentation for the PCI DSS and Visa, what to do if you were comprimised, they are saying they want you to unplug the network cable from the comprimised server and don't even log into to it or power it down. The logs should be on a seperate server, and if you need to investigate the breach you do so on your seperate server with the logs. Visa then sends their Incident Response Team out, and it looks like they are the ones that log into the comprimised server.

I'll keep you posted as I add anything else major.

AIDE looks good for checking static files if they were changed, what is a good way of checking logs to see if they were tampered with (since they are always being added to, and are set back to 0 when they are rotated)?

And what does a hacker usually do to the log to cover up his tracks? Do they just open the log with a text editor and delete only the entries with their ip? Or clear it our completely? On only truncate like the last 50 lines of it?

I think you've gotten me wrong there too, I'm not attacking you for it. Heh, you know how I react to people asking for "the best" w/o them specifying what they *really* need... All I've done is support the "factual answer" part with eh, facts.


Ain't that hard to use. Just be careful with the LKM configure options. With some it doesn't play nice.


Nice going for VISA. Must cost users an arm and a leg to support that kind of IRT. I wonder what they think of failovers. Say you have a spare server which isn't synced in real time (so you kinda know and can verify it's not compromised), does it say anything about allowing you to bring that one online to replace the other? If not then that essentially means you're at the IRT's mercy and out of business until they have conducted their post-mortem...


Thanks! I do appreciate that.

What I was going to do is setup a failover server that I can switch to in the event of an incident, not that I ever expect to have one, this failover server will have my site but not connect to the customer database, I think I will have it set to take orders but not the credit card details and have a message saying a representative will call them for their billing info and to see if they have any questions.

I read through the Visa stuff fast but from what I gathered, there is a up to $100k fine if there is an incident, and an additioanl fine, up to $500k if you are in violation of the PCI DSS at the time of the incident. I'm not sure if that includes their IRT coming out of if there is a charge for that in addition to the fine.

I think the only reaction to that kind of chokehold could be "auch"...