Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 9.2 Detecting ChangeChapter 9
Integrity Management
Next: 10. Auditing and Logging

9.3 A Final Note

Change detection, through integrity monitoring, is very useful for a system administrator. Not only can it discover malicious changes and act as a form of intrusion detection, but it can also detect:

However, there are two key considerations for your mechanism to work, whether you are using rdist, comparison copies, checklists, or Tripwire:

  1. The copies of software you use as your base, for comparison or database generation, must be beyond reproach. If you start with files that have already been corrupted, your mechanism may report no change from this corrupted state. Thus, you should usually initialize your software base from distribution media to provide a known, good copy to initialize your comparison procedure.

  2. The software and databases you use with them must be protected under all circumstances. If an intruder is able to penetrate your defenses and gain root access between scans, he or she can alter your programs and edit your comparison copies and databases to quietly accept whatever other changes are made to the system. For this reason, you want to keep the software and data on physically protected media, such as write-protected disks or removable disks. By interposing a physical protection between this data and any malicious hacker, you prevent it from being altered even in the event of a total compromise.

Previous: 9.2 Detecting ChangePractical UNIX & Internet SecurityNext: 10. Auditing and Logging
9.2 Detecting ChangeBook Index10. Auditing and Logging