Checksumming layer

tweeks tweeks at rackspace.com
Fri Jan 11 22:52:36 UTC 2008


On Friday 11 January 2008 14:13, Forest Bond wrote:
> Hi,
>
> On Fri, Jan 11, 2008 at 01:55:46PM -0600, tweeks wrote:
> > On Friday 11 January 2008 06:44, Jeremy Sanders wrote:
> > > Jordi Prats wrote:
> > > > You could use tripwire to check periodically all files instead of
> > > > relying on the file system for that task. (I think no file system does
> > > > this checking by now)
> > >
> > > That's a possible idea.
> > >
> > > I would have thought it would be relatively simple to write a block
> > > device which acted as a layer between the file system and real block
> > > device. I suppose the difficulty is getting all the corner cases
> > > correct. I've never written any kernel code, so maybe I should
> > > investigate doing that for fun...
> >
> > All files in the system are already hashed.  You can see this by doing
> > an "rpm -Va".  For example.. to create a baseline of a system to compare
> > against, just cron a script to:
> > 	rpm -Va > /root/RPMV/system-rpm-baseline.txt
> >
> > then once/day or whatever, do a diff... or just grep for any "bin"
> > directory changes and diff that.  I like this better than messing with
> > tripwire.  It's already there, native, and easy to use.
>
> This is specific to:
>
> * RPM-based systems
> * files provided by RPMs
> Consequently, it's only useful on certain systems, 

Heh.. well.. last I checked, this is a Red Hat ext3 list.  Red Hat uses rpm.. 
and no one but Red Hat still actually uses ext3 right? (hehe)...

> and, even then, only
> with certain files.  That's not very good coverage, is it?

Uhh.. all SYSTEM files.. which is all I'm looking at when doing compromise 
checks (except for root kits, etc.. for which I use separate tools).


> This is especially true when you consider that the files that came from the
> package manager are usually the ones that you don't care about as much when
> you've lost data.

You tripwire scan data files? Hmm..

I've seen hundreds of compromised servers... 80-90% of them can be detected 
with a simple RPM scan.  The ones you can't are the ones where hacks have 
deleted the RPM DBs.  But in that case, your baseline diff sets off red flags 
anyway.  It's actually a pretty good scan to run nightly/weekly, etc (along 
with root kit scans, etc).  In fact.. I prefer using unorthodox detection 
methods rather than well known forms of F.A.M. (file alteration monitoring) 
like tripwire which, if seen, are instantly attacked and disabled.

Tweeks
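The baseline-and-diff routine described earlier in the thread (cron `rpm -Va` into /root/RPMV, then diff and grep for changes under bin directories), written out as a cron-able script. This is an added example, not code from the thread or from Red Hat: the baseline path is the one the message gives, while the function names, the `bin_changes` filter and its assumptions about the `rpm -Va` output layout (a flags column, an optional attribute marker such as `c`, then the path; or the word `missing` followed by the path) are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): nightly rpm -Va baseline
# check. BASEDIR/BASELINE follow the message; everything else is assumed.

BASEDIR="${BASEDIR:-/root/RPMV}"
BASELINE="$BASEDIR/system-rpm-baseline.txt"

# Write a sorted rpm -Va snapshot to the file named in $1.
# rpm -Va exits non-zero whenever anything differs, so its status is ignored.
snapshot() {
    rpm -Va 2>/dev/null | LC_ALL=C sort > "$1" || true
}

# Print lines present in the new scan ($2) but absent from the baseline ($1).
# Both files must be sorted the same way (LC_ALL=C, as snapshot does).
new_findings() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Read rpm -Va lines on stdin and keep only the ones that matter for a
# compromise check: files under a bin/ or sbin/ directory that are missing
# or whose size (S) or digest (5) changed. Config files (attribute "c") are
# skipped, as are mtime-only (T) or mode-only (M) differences.
bin_changes() {
    awk '$NF ~ /\/s?bin\// && ($1 == "missing" || $1 ~ /[S5]/) && $2 != "c"'
}

# Nightly entry point: the first run stores the baseline, later runs report
# bin/sbin changes that appeared since the baseline was taken.
check_baseline() {
    mkdir -p "$BASEDIR"
    if [ ! -s "$BASELINE" ]; then
        snapshot "$BASELINE"
        echo "baseline written to $BASELINE"
        return 0
    fi
    today="$BASEDIR/rpm-va-$(date +%Y%m%d).txt"
    snapshot "$today"
    new_findings "$BASELINE" "$today" | bin_changes
}

# Only run the scan when invoked as "sh rpm-baseline-check.sh run", so the
# functions can also be sourced and exercised on canned input.
if [ "${1:-}" = run ]; then
    check_baseline
fi
```

The reason for `comm` against a sorted snapshot rather than a plain `diff` is that any difference from the baseline is a finding, and `comm -13` gives exactly the new lines with no hunk headers to strip. As the message notes, a scan that suddenly comes back empty or errors out because the RPM database is gone is itself a red flag, so a cron job should treat a missing or empty snapshot as an alert, not as a clean run.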

