LinuxQuestions.org
Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
04-02-2008, 08:52 PM   #1
abefroman (Senior Member; registered Feb 2004; Chicago; CentOS)
Which are some really good file integrity checking programs?


What is the best software for File Integrity Monitoring?

Both for log files and scripts I have that have access to a secure database.

(This is for 10.5.5 and 11.5 of the PCI DSS)
 
04-03-2008, 01:09 AM   #2
win32sux (Guru; registered Jul 2003; Los Angeles; Ubuntu)
There's no way to provide a factual answer to that, as "best" is a matter of opinion.

My favorite is Tripwire 2.3.1.2, but AIDE seems to be loved by many people.
 
04-03-2008, 02:21 AM   #3
proc (Member; registered Jul 2007; /dev/urandom)
That is an outdated version of Tripwire; any reason for that?

Current version is Tripwire 2.4.1.2

It can be obtained here.
 
04-03-2008, 06:29 AM   #4
win32sux (Guru; registered Jul 2003; Los Angeles; Ubuntu)
Quote:
Originally Posted by proc:
That is an outdated version of Tripwire; any reason for that?
No, it's not "outdated". It's a rock-solid performer with an excellent security reputation and years and years worth of source code maintenance and bug fixes. I'm not sure if those are the reasons why the Debian people have decided to stick with the 2.3 branch, but FWIW they are the reasons why I have. I might take a look at 2.4 if it ever makes it into Debian, though. That said, I will be taking AIDE out for a spin soon, as I keep hearing such great things about it - plus it's a part of the official Ubuntu repositories (whereas Tripwire isn't).

Last edited by win32sux; 04-03-2008 at 06:31 AM.
 
04-03-2008, 07:45 AM   #5
unSpawn (Moderator; registered May 2001)
Actually there is a difference. Aide (and IIRC tripwire) are userland-only, passive, post-incident checkers, meaning you'll have to run them manually or from a scheduler and they can only see changes after the incident happens. Samhain has a kernel module (so it can check part of the kernel structure), runs daemonised and schedules its own runs, which makes it an active checker. As a result it's more demanding (load). With for instance Aide you could split configs and check say crucial system binaries with one config on a one-hour schedule and check say /boot and /usr with another config on an eight-hour schedule.

* Since you relate this to the PCI DSS maybe it's also good to know that next to logging provided by SELinux, you can also expand your audit trail using 0) the 'auditd' daemon. Say your machine is hardened properly, /tmp is cleared out often and only a few processes write to it. To keep tabs on whatever writes to and executes things in /tmp you could set a watch like: "-w /tmp -p wx -k watch-wx-tmp" in /etc/audit/audit.rules. 1) Keeping a tab on commands users execute can be done with Rootsh. This wraps around the user's shell and logs to syslog or file. Just some examples wrt tracking and monitoring...

** I'm also interested to read what you've implemented to comply with PCI DSS. If you've got the time posting details would be appreciated.

Last edited by unSpawn; 04-03-2008 at 07:50 AM.
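To make the passive baseline-and-compare model concrete, here is an added Python example (not code from the thread, nor from AIDE, Tripwire or Samhain) of a checker that records content hash, size, mode, ownership and mtime for two path groups and reports added, removed and changed files per group, which is the split-config idea above: each group would be run on its own schedule. The directory tree, the file names and the changes it detects are all constructed in a temporary directory.

```python
"""Passive baseline-and-compare file integrity checking, in the style of the
userland checkers (AIDE, Tripwire) discussed in the thread. Added example code,
not part of the thread or of either project; the tree it scans is constructed
in a temporary directory."""
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Attributes a checker compares: content hash, size, mode, owner, mtime."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": oct(stat.S_IMODE(st.st_mode)),
           "uid": st.st_uid, "gid": st.st_gid, "mtime_ns": st.st_mtime_ns}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)   # a redirected symlink is a change too
    return rec


def build_baseline(roots):
    """Walk each root (without following symlinks) and record every entry."""
    db = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = os.path.join(dirpath, name)
                db[p] = file_record(p)
    return db


def compare(baseline, roots):
    """Re-scan and report what differs from the stored baseline."""
    current = build_baseline(roots)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: two policy groups, as one might split AIDE configs
    (frequently checked system binaries vs. less frequently checked /boot)."""
    top = tempfile.mkdtemp()
    bindir, bootdir = os.path.join(top, "bin"), os.path.join(top, "boot")
    os.makedirs(bindir)
    os.makedirs(bootdir)
    with open(os.path.join(bindir, "ls"), "wb") as f:
        f.write(b"original ls")
    with open(os.path.join(bootdir, "vmlinuz"), "wb") as f:
        f.write(b"kernel")
    policies = {"hourly": [bindir], "eight-hourly": [bootdir]}
    baselines = {name: build_baseline(roots) for name, roots in policies.items()}

    # Simulated changes: a binary replaced with different content of the same
    # size (size alone would miss it), and an unexpected file under boot/.
    with open(os.path.join(bindir, "ls"), "wb") as f:
        f.write(b"modified ls")
    with open(os.path.join(bootdir, "extra.ko"), "wb") as f:
        f.write(b"module")

    reports = {name: compare(baselines[name], roots) for name, roots in policies.items()}
    # Report paths relative to the temp root so results are stable.
    return {name: {k: [os.path.relpath(p, top) for p in v] for k, v in r.items()}
            for name, r in reports.items()}


if __name__ == "__main__":
    for group, report in demo().items():
        print(group, report)
```

Whatever runs the comparison only sees what happened since the last baseline, which is exactly the "post-incident" property described above; the baseline itself has to live somewhere the monitored host cannot rewrite (read-only media or a remote host), or a tamperer simply re-baselines.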
 
04-03-2008, 07:52 AM   #6
unSpawn (Moderator; registered May 2001)
About tripwire, didn't that have anything to do with the license troubles it went through?
 
04-03-2008, 08:13 AM   #7
win32sux (Guru; registered Jul 2003; Los Angeles; Ubuntu)
Right, but I'm under the impression that to comply with 10.5.5 and 11.5 you wouldn't need active checking.

Please correct me if this isn't the case. I quote from the PDF:
Quote:
10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Quote:
11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files; and configure the software to perform critical file comparisons at least weekly.

Critical files are not necessarily only those containing cardholder data. For file integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider).
Quote:
Originally Posted by unSpawn:
About tripwire, didn't that have anything to do with the license troubles it went through?
That very well could be. The SF.net project page for 2.4 does show it as being GPL, though.
 
04-03-2008, 09:17 AM   #8
unSpawn (Moderator; registered May 2001)
Quote:
Originally Posted by win32sux:
Right, but I'm under the impression that to comply with 10.5.5 and 11.5 you wouldn't need active checking.
Uh. No. The active/passive division doesn't address PCI DSS but your "provide a factual answer" part. It's because I found I often left finding the difference between checkers clear and the implications of the choice "as an exercise for the reader". And not to make this a discussion about the minimum reqs PCI DSS asks for, but if one could choose the time of report about an intrusion on a business critical system, I wonder if that choice would be "after the hourly cronjob has run" rather than "right now".


Looking back at the OP I see I didn't address the "Both for log files" part. Logfiles get written to through syslog or through the application. Some applications can be forced to log through syslog making consolidating logs easier. IIRC there are (must have read somewhere) syslog implementations that can sign or encrypt received messages, which should make integrity checking of logs easier (dunno about overhead though). OTOH you could use a remote syslog host to log everything to. The idea is this host only accepts inbound syslog messages, so logs can't be tampered with. Access to the syslog host could be through another interface and 'net or out of band comms.
 
04-03-2008, 10:31 AM   #9
win32sux (Guru; registered Jul 2003; Los Angeles; Ubuntu)
Quote:
Originally Posted by unSpawn:
Uh. No. The active/passive division doesn't address PCI DSS but your "provide a factual answer" part.
Oh, okay. Well, I just meant that saying some particular program is "the best" wouldn't be a factual answer, just someone's point of view. Kinda like saying some distro is the best. Not sure why it came through differently.

Quote:
It's because I found I often left finding the difference between checkers clear and the implications of the choice "as an exercise for the reader". And not to make this a discussion about the minimum reqs PCI DSS asks for, but if one could choose the time of report about an intrusion on a business critical system, I wonder if that choice would be "after the hourly cronjob has run" rather than "right now".
Yeah, I definitely think "right now" would be optimal in most business critical systems. One would just have to weigh the pros and cons (such as the increased load which you mentioned). I myself have only used Tripwire so I'm not familiar with the real-time checkers. I'm reading the Samhain user manual right now - it's huge.
 
04-03-2008, 10:42 AM   #10
abefroman (Senior Member; registered Feb 2004; Chicago; CentOS)
Original Poster
Quote:
Originally Posted by unSpawn:
** I'm also interested to read what you've implemented to comply with PCI DSS. If you've got the time posting details would be appreciated.
I'm still working on a lot of this, but for right now it's a lot of little things; one big thing is that I am making a central log server. I am looking into possibly making that the remote syslogd server.

In reading the documentation for the PCI DSS and Visa, what to do if you were compromised, they are saying they want you to unplug the network cable from the compromised server and don't even log in to it or power it down. The logs should be on a separate server, and if you need to investigate the breach you do so on your separate server with the logs. Visa then sends their Incident Response Team out, and it looks like they are the ones that log into the compromised server.

I'll keep you posted as I add anything else major.
 
04-03-2008, 10:52 AM   #11
abefroman (Senior Member; registered Feb 2004; Chicago; CentOS)
Original Poster
AIDE looks good for checking whether static files have been changed; what is a good way of checking logs to see if they were tampered with (since they are always being added to, and are set back to 0 when they are rotated)?

And what does a hacker usually do to the log to cover up his tracks? Do they just open the log with a text editor and delete only the entries with their IP? Or clear it out completely? Or only truncate like the last 50 lines of it?
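The question in #11 about growing, rotating logs is the case the 10.5.5 wording quoted in #7 describes: existing log data must not change, new data may be appended. As an added Python example (not from the thread, nor from any of the products named in it), the checker below stores a checkpoint (inode, size, SHA-256 of the bytes present at that moment) and, on the next run, re-hashes only that prefix. Growth is OK; a shorter file is a truncation; a same-size-or-longer file whose prefix hash differs is an in-place edit; a new inode is a rotation, which is verified by re-checking the old checkpoint against the rotated file. The log lines and the rotation sequence are constructed in a temporary directory.

```python
"""Append-only integrity check for a growing log file: the bytes present at the
last checkpoint must not change, but new bytes may be appended. Added example,
not from the thread or from any FIM product; all inputs are constructed."""
import hashlib
import os
import tempfile


def hash_prefix(path, nbytes):
    """SHA-256 of the first nbytes of path (the part that must stay immutable)."""
    h = hashlib.sha256()
    remaining = nbytes
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def checkpoint(path):
    """Record what the log looks like now: inode, size and hash of all bytes.
    In practice this record must be stored where the monitored host cannot
    rewrite it (the remote log host idea from earlier in the thread)."""
    st = os.stat(path)
    return {"inode": st.st_ino, "size": st.st_size,
            "sha256": hash_prefix(path, st.st_size)}


def check(path, cp, rotated_path=None):
    """Compare the live log against a checkpoint. Returns (verdict, new_checkpoint).
    OK                 old bytes intact, zero or more bytes appended (no alert)
    ROTATED            new inode, and the old data verified under rotated_path
    ROTATED_UNVERIFIED new inode, old data could not be verified (alert)
    TRUNCATED          same inode but shorter than at checkpoint (alert)
    MODIFIED           same length or longer, but the old prefix differs (alert)
    """
    st = os.stat(path)
    if st.st_ino != cp["inode"]:
        # logrotate's default renames the file, so the old inode lives on under
        # the rotated name and the previous checkpoint can still be verified.
        if rotated_path and os.path.exists(rotated_path):
            rst = os.stat(rotated_path)
            if (rst.st_ino == cp["inode"] and rst.st_size >= cp["size"]
                    and hash_prefix(rotated_path, cp["size"]) == cp["sha256"]):
                return "ROTATED", checkpoint(path)
        return "ROTATED_UNVERIFIED", checkpoint(path)
    if st.st_size < cp["size"]:
        return "TRUNCATED", checkpoint(path)
    if hash_prefix(path, cp["size"]) != cp["sha256"]:
        return "MODIFIED", checkpoint(path)
    return "OK", checkpoint(path)


def demo():
    """Constructed walk-through: append, in-place edit, truncation, rotation."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "auth.log")
    # Constructed sample lines (RFC 5737 documentation addresses).
    lines = [b"Apr  3 10:42:01 host sshd[1]: Accepted publickey for alice from 192.0.2.10\n",
             b"Apr  3 10:43:12 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls\n"]
    with open(log, "wb") as f:
        f.writelines(lines)
    cp = checkpoint(log)
    verdicts = []

    # 1. Normal growth: an appended line must not raise an alert.
    with open(log, "ab") as f:
        f.write(b"Apr  3 10:44:00 host sshd[2]: Accepted publickey for bob from 192.0.2.11\n")
    v, cp = check(log, cp)
    verdicts.append(v)

    # 2. An existing line edited in place with a same-length value: size is
    #    unchanged, so only the prefix hash catches it.
    with open(log, "rb") as f:
        data = f.read().replace(b"192.0.2.10", b"192.0.2.99")
    with open(log, "wb") as f:
        f.write(data)
    v, cp = check(log, cp)
    verdicts.append(v)

    # 3. Truncation to zero bytes.
    open(log, "wb").close()
    v, cp = check(log, cp)
    verdicts.append(v)

    # 4. Rotation by rename: the old inode moves to auth.log.1, a fresh file
    #    appears under the original name, and the old checkpoint is verified there.
    with open(log, "ab") as f:
        f.write(lines[0])
    cp = checkpoint(log)
    os.rename(log, log + ".1")
    open(log, "wb").close()
    v, cp = check(log, cp, rotated_path=log + ".1")
    verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['OK', 'MODIFIED', 'TRUNCATED', 'ROTATED']
```

Two caveats for real deployments: logrotate's copytruncate mode keeps the inode and shrinks the file, so it shows up here as TRUNCATED unless the checker is told a rotation happened, and the checkpoint store is itself a critical file that belongs off-host, since anyone who can rewrite the log can rewrite a local checkpoint too.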
 
04-03-2008, 11:01 AM   #12
unSpawn (Moderator; registered May 2001)
Quote:
Originally Posted by win32sux:
Oh, okay. Well, I just meant that saying some particular program is "the best" wouldn't be a factual answer
I think you've gotten me wrong there too, I'm not attacking you for it. Heh, you know how I react to people asking for "the best" w/o them specifying what they *really* need... All I've done is support the "factual answer" part with eh, facts.


Quote:
Originally Posted by win32sux:
I'm reading the Samhain user manual right now - it's huge.
Ain't that hard to use. Just be careful with the LKM configure options. With some it doesn't play nice.


Quote:
Originally Posted by abefroman:
In reading the documentation for the PCI DSS and Visa, what to do if you were compromised, they are saying they want you to unplug the network cable from the compromised server and don't even log in to it or power it down. The logs should be on a separate server, and if you need to investigate the breach you do so on your separate server with the logs. Visa then sends their Incident Response Team out, and it looks like they are the ones that log into the compromised server.
Nice going for VISA. Must cost users an arm and a leg to support that kind of IRT. I wonder what they think of failovers. Say you have a spare server which isn't synced in real time (so you kinda know and can verify it's not compromised), does it say anything about allowing you to bring that one online to replace the other? If not then that essentially means you're at the IRT's mercy and out of business until they have conducted their post-mortem...


Quote:
Originally Posted by abefroman:
I'll keep you posted as I add anything else major.
Thanks! I do appreciate that.
 
04-03-2008, 11:10 AM   #13
abefroman (Senior Member; registered Feb 2004; Chicago; CentOS)
Original Poster
Quote:
Originally Posted by unSpawn:
Nice going for VISA. Must cost users an arm and a leg to support that kind of IRT. I wonder what they think of failovers. Say you have a spare server which isn't synced in real time (so you kinda know and can verify it's not compromised), does it say anything about allowing you to bring that one online to replace the other? If not then that essentially means you're at the IRT's mercy and out of business until they have conducted their post-mortem...
What I was going to do is set up a failover server that I can switch to in the event of an incident (not that I ever expect to have one). This failover server will have my site but not connect to the customer database. I think I will have it set to take orders but not the credit card details, and have a message saying a representative will call them for their billing info and to see if they have any questions.

I read through the Visa stuff fast but from what I gathered, there is a fine of up to $100k if there is an incident, and an additional fine, up to $500k, if you are in violation of the PCI DSS at the time of the incident. I'm not sure if that includes their IRT coming out or if there is a charge for that in addition to the fine.

Last edited by abefroman; 04-03-2008 at 11:14 AM.
 
04-03-2008, 12:41 PM   #14
unSpawn (Moderator; registered May 2001)
I think the only reaction to that kind of chokehold could be "ouch"...
 
Tags: aide, ids, samhain, tripwire

All times are GMT -5.