LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-22-2007, 05:03 AM   #1
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
feedback on idea of an Entrapment file


Hi

The idea, independent of any intrusion detection system (meaning it is not added to your policy file), is to create a file in your home folder, e.g. Mybank.txt, where the file contains false details.

2) Depending on your /etc/fstab, the idea would be that you look to see if it had been read, i.e. the atime changed.

Or you run tw against that file, which only takes a second. And cull your root bash history manually or with a script.

Hopefully the intruder will spot the file and read it, thus alerting you through the atime change.

Any feedback or better ideas will be greatly appreciated. I am reasonably thick skinned, so be as free with your ideas as you like.

The entrapment acts like a honeypot idea, sucking the intruder into thinking they are getting free confidential information. It does not involve any key loggers so can be used by ordinary home users.
 
Old 11-22-2007, 05:16 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Sounds pretty cool to me. I mean, if the attacker takes the bait, you'll know you've got at least a user-level breach. So you might get a heads-up before the box is rooted, which is a good thing. Of course, the more public discussion there is about this tactic, the less likely it is to work - especially if the attacker is after your CPU/bandwidth and not your information. It's a nifty idea IMHO - you lose nothing you wouldn't have lost without it if it doesn't work. Just my

Last edited by win32sux; 11-22-2007 at 05:19 AM.
 
Old 11-22-2007, 06:16 AM   #3
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
You wouldn't want to call it an entrapment file, since entrapment is illegal (at least in the US). Enticement file would be better. However, someone already thought of doing this, and it's commonly called a "honeytoken". But yeah, it's a good idea.

Last edited by OlRoy; 11-22-2007 at 06:18 AM.
 
Old 11-22-2007, 06:28 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
AFAIK for it to be entrapment aus9 would have to be an officer of the law, and the attacker would need to show that the objective of aus9's tactic was to have the attacker do something which he normally would have never done. It would be pretty hard IMHO for the attacker to use an "I would have never looked at the file if he hadn't..." defense when we already know he is poking around the victim's home folder. So yeah, I agree with you that the name entrapment is a bad idea for this. I googled honeytoken and here is the Wikipedia page for it (just trying to save anyone a few keystrokes and a mouse click or two).

Last edited by win32sux; 11-22-2007 at 06:40 AM.
 
Old 11-22-2007, 06:50 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
And when the hacker simply touches the file to set the access time back? Although some hackers aren't clever, the name of the file seems a bit obvious, although I realize that was just an example.

If a background service checks or resets the permissions of the file, that may change the access time, or if updatedb or Kerry/Beagle indexes it, you may erroneously think you have been hacked.

How about a file called addresses that looks like it may be a short little black book with your girlfriends' addresses in it. But when the hacker calls the number expecting your girlfriend, they get the CIA or FBI. Or maybe the Iranian embassy. Then the FBI & CIA will have their number, and watch them try to get off the

Last edited by jschiwal; 11-22-2007 at 07:02 AM.
 
Old 11-22-2007, 06:57 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
LMAO!!!

So what could we set Tripwire to check the file for in a case like this?


EDIT: Well, I went ahead and created a "top-secret.txt" file in my home directory and ran it through Tripwire (set to check all attributes) both before and after having dumped its contents with cat. The only attribute which Tripwire reports as having changed is access time. So I guess there really isn't any other attribute which would be useful in cases like this. Oh, and in case anyone is wondering, as mentioned by jschiwal, it was easy to fool Tripwire by changing the access time after having accessed the file. That said, you still don't lose anything by leaving this bait out there, as it's quite possible the attacker won't set the access time back (or back in time before the next Tripwire run).
Code:
win32sux@candystore:~$ ls -lu --time-style=full-iso top-secret.txt 
-rw-r--r-- 1 win32sux win32sux 4 2007-11-22 8:47:27.000000000 -0700 top-secret.txt
win32sux@candystore:~$ cat top-secret.txt 
This is the super-secret content of the file!
win32sux@candystore:~$ ls -lu --time-style=full-iso top-secret.txt
-rw-r--r-- 1 win32sux win32sux 4 2007-11-22 8:50:52.000000000 -0700 top-secret.txt
win32sux@candystore:~$ touch -a --date="2007-11-22 8:47:27.000000000 -0700" top-secret.txt
win32sux@candystore:~$ ls -lu --time-style=full-iso top-secret.txt
-rw-r--r-- 1 win32sux win32sux 4 2007-11-22 8:47:27.000000000 -0700 top-secret.txt
win32sux@candystore:~$

Last edited by win32sux; 11-22-2007 at 10:04 AM.
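The following is an added example written for this edit; it is not code posted by win32sux, aus9 or anyone else in the thread. It turns the opening post's atime idea and the `touch -a` counter-move shown in the post above into a small POSIX shell script, and goes one step beyond the thread: besides atime it records ctime, because on Linux utimensat() (the call behind `touch -a`) stamps ctime with the current time and touch cannot set ctime at all, so an intruder who puts atime back still leaves a mark. It also checks the mount's atime policy, since with relatime (the Linux default since 2.6.30) a read is only recorded when atime <= mtime, and with noatime never; the arm step bumps mtime so the next read always registers. Assumptions: Linux with GNU coreutils (`stat -c`, `touch -d`) and /proc/self/mounts; the file names, baseline path and decoy contents are constructed for the example.

```sh
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# A decoy file ("honeytoken") whose reads are noticed through atime, with the
# two caveats raised in the thread handled: relatime/noatime mounts, and an
# intruder putting atime back with touch -a.
# Assumes Linux with GNU coreutils (stat -c, touch -d) and /proc/self/mounts.
# File names, paths and decoy contents are constructed for the example.

# Print how the filesystem holding $1 treats atime:
# noatime | relatime | strictatime (neither flag present) | unknown.
honeytoken_atime_policy() {
    mp=$(stat -c '%m' "$1" 2>/dev/null) || { echo unknown; return 0; }
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' /proc/self/mounts)
    if [ -z "$opts" ]; then
        echo unknown
        return 0
    fi
    case ",$opts," in
        *,noatime,*)  echo noatime ;;
        *,relatime,*) echo relatime ;;
        *)            echo strictatime ;;
    esac
}

# Create the decoy if it is missing, (re)arm it and record baseline metadata.
# Under relatime the kernel only records a read when atime <= mtime or atime is
# more than a day old, so bumping mtime guarantees the very next read shows up.
honeytoken_arm() {
    token=$1 baseline=$2
    if [ ! -e "$token" ]; then
        # Constructed bait; nothing here is a real account.
        printf '%s\n' 'online banking: user jsmith / pass Winter2007!' > "$token"
    fi
    if [ "$(honeytoken_atime_policy "$token")" = noatime ]; then
        echo "warning: $token sits on a noatime mount; reads will not be recorded" >&2
    fi
    touch -m "$token"
    # atime|ctime|mtime|size|inode, taken with stat so arming never reads the file.
    stat -c '%x|%z|%y|%s|%i' "$token" > "$baseline"
}

# Compare current metadata with the baseline. Prints one of
# untouched | read | reset | modified and returns 0 only for untouched.
honeytoken_check() {
    token=$1 baseline=$2
    IFS='|' read -r b_atime b_ctime b_mtime b_size b_inode < "$baseline"
    IFS='|' read -r n_atime n_ctime n_mtime n_size n_inode <<EOF
$(stat -c '%x|%z|%y|%s|%i' "$token")
EOF
    if [ "$n_size" != "$b_size" ] || [ "$n_mtime" != "$b_mtime" ] || [ "$n_inode" != "$b_inode" ]; then
        echo modified        # edited or replaced, not merely read
    elif [ "$n_atime" != "$b_atime" ]; then
        echo read            # somebody opened the decoy
    elif [ "$n_ctime" != "$b_ctime" ]; then
        # atime matches the baseline but ctime moved: utimensat() (what touch -a
        # calls) stamps ctime with the current time, and touch cannot set ctime.
        echo reset
    else
        echo untouched
        return 0
    fi
    return 1
}

# Usage: honeytoken.sh arm|check TOKEN BASELINE
#   e.g. honeytoken.sh arm ~/passwords.txt ~/.honeytoken.baseline   (paths constructed)
if [ $# -eq 3 ]; then
    case $1 in
        arm)   honeytoken_arm "$2" "$3" ;;
        check) honeytoken_check "$2" "$3" ;;
    esac
fi
```

Run `arm` once, then `check` from cron or after each Tripwire run; `check` only calls stat, so the monitor never trips its own wire, and after a hit `arm` again to re-baseline. Keep the baseline file somewhere the intruder is unlikely to read, since the check is only as good as the baseline. Two practical notes from the thread apply as-is: desktop indexers that read file contents (Beagle in jschiwal's post) will register as a read, so exclude the decoy's directory from them; and if the decoy is owned by root with mode 0644 (the twpol.txt variant later in the thread), an unprivileged intruder can still read it but `touch -a` on it fails with EPERM, because setting explicit timestamps requires owning the file or CAP_FOWNER.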
 
Old 11-22-2007, 05:27 PM   #7
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Original Poster
Rep: Reputation: Disabled
this is great feedback

yes entrapment is a bad word, but it does catch more experts replying heh?

thanks OlRoy for the correct term honeytoken and thanks jschiwal for the heads up on atime cheating and win32sux for all his work.

2) But I do want to come back to the choice of filename, as IMHO this is the key. You need to entice, honeytoken the intruder into viewing your file. So calling it something about money, sex, crime, or security is what I am thinking you would choose.

to be crude ....mypornsites.txt....twpol.txt (in your home folder)

3) I realise with experts already thinking of what intruders may be thinking, that it would be obvious to the intruder, but it is meant to be bait to be taken. It has to be something that forces the intruder to say, yippee I will have a gander at this.

any feedback?
 
Old 11-22-2007, 05:46 PM   #8
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
I would name it something to do with passwords. People have to remember a lot of passwords and it's not uncommon for them to write them down, and attackers would always be interested in furthering their compromise. Before this thread, when I thought of honeytokens, my first thought would be to have something like Snort monitoring traffic looking for a certain string of characters. However, of course having both types of IDSs (NIDS and HIDS) looking for a honeytoken, as well as using multiple honeytokens on your system, is, as you probably know, the best option.
 
Old 11-23-2007, 12:18 AM   #9
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Original Poster
Rep: Reputation: Disabled
yes I agree passwords is a fine idea.

I have another idea, after generating a passphrase protected tw.pol file, modify your twpol.txt file and leave it on the hard drive to act as a honeytoken. You will of course have to update your database so no reports are future reported of the changed file.
 
Old 11-23-2007, 01:15 AM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by aus9 View Post
I have another idea, after generating a passphrase protected tw.pol file, modify your twpol.txt file and leave it on the hard drive to act as a honeytoken.
That would eliminate the attacker's ability to reset the access time on the file (unless he's got root powers). Nice!
 