Many Linux distributions include stock operating system tools that make file alteration monitoring easy and reliable if properly configured. In this section, we introduce some security functionality built into Red Hat and Fedora Core Linux, as well as additional common file alteration monitoring tools that you can download and install. If you want to purchase a commercial alternative, you can certainly do so; however, equally effective tools are available at no charge and as part of your regular installation. There's no excuse. Additionally, home-brewed security tools are sometimes seen as more secure than commercial OTS (of the shelf) solutions, as there is no known program for the intruder or his tools to detect as being installed.
You probably think of RPM, or the Red Hat Package Manager, as an easy way to install and track software packages. Did you know that it also tracks individual file size, stock permission, user, group, and time settings, and even each file's MD5sum, or personal "fingerprint"? Using all this install-time information, you can check for all sorts of changes on your system. As you will see, all this information makes RPM an effective security tool in and of itself.
With RPM, you can are able to track every file on your system that was installed via RPM. With a bit of creative scripting and automation, you can even use RPM to watch all your files for changes over time. This is called file alteration or file integrity monitoring, and it is a critical aspect of host-based intrusion detection. Such monitoring shows you local intrusions in a way that network-based tools can't.
Tip |
Learn more about RPM's file attribute tracking capabilities by issuing the command man rpm. Search down to the QUERY OPTIONS section, as well as the mnemonic keyword for much more detail on RPM file alteration tracking. |
You can use other native Linux file system tools to detect cracker presence on your system. After a successful break-in, crackers like to use the command-line tool chattr (change attribute) to lock in their cracked changes at the ext2/3 file system level. However, you can use the counterpart of this tool, lsattr (list attribute), to sniff out the infiltrators and detect files that they have replaced and locked.
If you're using the Debian Linux distribution, consider using the debsums program. Just like RPM on Red Hat or SuSE Linux, debsums tracks MD5sums and other file attributes. Not all Debian packages use debsums yet, but an increasing number are being released with this capability.
Note |
An MD5sum or digest is a mathematical checksum, or "fingerprint," that can be generated for any given file. One way of creating an MD5sum is with the md5sum command-line tool. When the md5sum command is run against a file, it reads in the entire file and generates a 32-hexadecimal character label that is statistically unique to that file. If even one bit of data in the file changes, the MD5sum will be completely different the next time the digest is generated. This is a robust method for tracking the validity of files on your system, and is used in most commercial grade file alteration suites. |
Other basic Linux tools can help you keep an eye on your system and let you know what's going on, whether through e-mail or in real time. If you prefer to get regularly scheduled information through e-mail, consider logwatch. This program scans the various log files on your machine and sends a daily report (usually depending on log rotation frequency) of important system activity, ranging from e-mail access attempts to SSH login attempts on your system.
Note |
The logwatch automated monitoring service is configured by default on Red-Hat- and Fedora-Core-based systems. Do a man logwatch or locate logwatch on other systems to see if you have it installed and configured. |
If you'd rather get your information in real time from the console, consider the Red Hat System Logs tool. To run this program, issue the following command.
The tool will open, as shown in Figure 10-1. You can use the System Logs tool to look through the various log files, filter them for keywords, or even scan installed RPM packages to quickly see what version of a given package or packages you have installed.
On non-Red-Hat-based systems, the various log files are usually located in /var/log/, and these files can each be parsed or searched with your favorite tools for any of the information discussed above.
If you're ready to move beyond the basic tools included with your Linux distribution, check out some of the third-party software solutions. There are a number of excellent IDS and host-based security suites for Linux, most of which are open source, and are free. Just because they aren't installed shouldn't keep you from giving them a try.
One of the most popular and powerful IDS for Linux is Snort. This tool does real-time traffic analysis and packet logging, as well as full-blown intrusion detection. It can detect a wide range of attack, probe, or scan types. Snort can even identify buffer overflows, port scans, CGI attacks, SMB probes, OS fingerprint attempts, and stays current with all the latest signatures that the cracker community is using. Once Snort notices an intrusion attempt, it can log the attack, fire off a script, or spawn another program to rebuff it.
Tip |
Learn more about Snort at www.snort.org/about.html. |
If you need to monitor kernel system calls, check out SNARE. It's a client application and kernel module combination, which work together to set up a monitoring tool that's truly operating system-wide. Any time a system call is made, whether for a simple file permission change or a file deletion, SNARE will log the information. Note that if you're installing SNARE on a Red-Hat-based machine, you'll probably need to recompile the kernel.
Tip |
Find more information on SNARE at http://snare.sourceforge.net. |
Finally, many Linux administrators rely on Portsentry. This is a small package that can be easily integrated into your iptables- or netfilter-based firewall. Portsentry is a port scan detector and blocking tool, and does a great job of identifying would-be crackers who are rattling your doors and windows for vulnerable services. Even though it's small, it's very responsive and a critical defense mechanism to many high profile Internet sites.
Tip |
Portsentry is distributed as part of the sentrytools package, found at http://sourceforge.net/projects/sentrytools/. |