Title: File system integrity software for Linux

KBTAG: kben10000026
URL: http://www.securityportal.com/lskb/10000000/kben10000026.html
Date created: 14/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Tools for ensuring file integrity in Linux
Keywords: Filesystem, IntrusionDetection

Summary:

One of the first things most attackers will do once in your system is replace various binaries and programs with versions that allow remote access and other features to retain control of the machine. There are a variety of software packages available that compute cryptographic checksums of files, store them, and can later recompute and compare them to see whether a file has changed. Checking only size and timestamp is not secure, since an attacker can easily modify those file details: a replacement binary can be padded to the original size and its modification time reset.

More information:

A truly savvy attacker will replace the program that generates the checksums, or generate a fresh database of checksums that matches the trojaned files, so you need to store the checksum database on read-only media, preferably removable. If possible the checking program itself should also be kept on removable media, ideally bootable media, so that you are working from a trusted computing base rather than from tools on the possibly compromised host; SuSE's auditdisk does exactly this. Unfortunately it is not really practical to reboot servers off a floppy to check the file system, and in the event of a complete compromise it is advisable to reload the OS fresh from trusted media (such as a manufacturer's CDROM).
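As an added illustration (this is not code from the page or from any of the tools listed below), the following Python script does in miniature what these packages do: it records a SHA-256 digest plus owner, permissions, size and modification time for every file under a directory, protects the resulting database with an HMAC whose key is meant to be kept on removable media, and on re-checking reports files whose contents changed even when the attacker restored the original size and timestamp. The key, directory layout and file contents in demo() are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Hash the file contents and capture the metadata an attacker would try to fake."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime_ns": st.st_mtime_ns,
    }


def build_baseline(root):
    """Walk root and record every regular file (symlinks are skipped)."""
    root = Path(root)
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def sign_baseline(records, key):
    """Bind the database to a key so a regenerated database is detectable."""
    body = json.dumps(records, sort_keys=True).encode()
    return {"records": records, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def load_baseline(signed, key):
    """Refuse a database whose HMAC does not verify under the trusted key."""
    body = json.dumps(signed["records"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("checksum database has been tampered with or replaced")
    return signed["records"]


def compare(baseline, current):
    """Report changed attributes per file, plus files that appeared or vanished."""
    changed, removed = {}, []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            removed.append(name)
            continue
        diffs = [k for k in old if old[k] != new[k]]
        if diffs:
            changed[name] = diffs
    added = sorted(set(current) - set(baseline))
    return {"changed": changed, "added": added, "removed": sorted(removed)}


def demo():
    # Constructed example: the key would really be read from removable media.
    key = b"key-kept-on-removable-media"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "bin" / "ls"
        target.parent.mkdir()
        target.write_bytes(b"original-binary-contents")
        original_stat = os.stat(target)
        signed = sign_baseline(build_baseline(root), key)

        # Attacker swaps in a trojan of identical size and restores the timestamp,
        # which defeats a size/time check but not the hash.
        target.write_bytes(b"trojaned-binary-contents")
        os.utime(target, ns=(original_stat.st_atime_ns, original_stat.st_mtime_ns))
        report = compare(load_baseline(signed, key), build_baseline(root))

        # Attacker regenerates the database from the trojaned tree but lacks the key.
        forged = {"records": build_baseline(root), "mac": signed["mac"]}
        try:
            load_baseline(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be generated on a freshly installed host, written together with the script to read-only media, and the check run from that media; the HMAC only helps if the key never sits on the monitored system.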

Downloads:

Tripwire

Tripwire was open source, then commercially licensed and closed source for a few years, and now a new open source Tripwire project has been started. Commercial Tripwire is available at: http://www.tripwiresecurity.com/ and the open source version will be available at: http://www.tripwiresecurity.org/

AIDE

AIDE is a Tripwire replacement that attempts to be better than Tripwire. It is GPL licensed, which makes it somewhat more desirable than Tripwire from a trust point of view. It supports several hashing algorithms, and you can download it from: http://www.cs.tut.fi/~rammer/aide.html.

L5

L5, available at: ftp://avian.org/src/hacks/, is another alternative to Tripwire; it is completely free and very effective. I would definitely recommend this tool.

Gog&Magog

Gog&Magog creates a list of system file properties (owner, permissions, an MD5 checksum of the file and so on), similar to Tripwire. You can then have it automatically compare these and ensure any changed files come to your attention quickly. It also makes recovering from a break-in simpler, as you will know which files were compromised. You can download Gog&Magog from: http://www.multimania.com/cparisel/gog/.

Sentinel

Sentinel is a program that scans your hard drive and creates checksums of the files you ask it to. It uses a non-patented algorithm (a RIPEMD-160 based MAC) and has an optional graphical front end (nice). You can get it at: http://zurk.netpedia.net/zfile.html.

SuSEauditdisk

SuSEauditdisk is a bootable disk carrying the integrity checking tools and the checksums, providing a very secure way to check for damage because nothing on the possibly compromised host is trusted. It ships standard with SuSE, can easily be ported to other Linux distributions, and is GPL licensed. You can get SuSEauditdisk from: http://www.suse.de/~marc/.

Sxid

Sxid checks setuid and setgid files for changes, generates MD5 checksums of them and generally lets you track any changes made. You can get it at: ftp://marcus.seva.net/pub/sxid/.

Claymore

http://linux.rice.edu/magic/claymore/