Monitor for File System Changes on Linux

The most important areas with information security are preventing some events from occurring and detecting it if something still happens. Unfortunately most companies forget to put enough effort in detection unauthorized activities.

In this article we have a special look at monitoring your file system, to detect changes to your critical system files and their configuration files.

Method 1: File Integrity tools

The first method is monitoring file changes with the help of specific tools. These tools usually created “hashes” of files and store them in a database. Hashes are small cryptographic signatures of a file. Similar techniques and terms are a checksum or parity information.

With the help of these techniques, the file integrity can be determined. It works by comparing a newly created hash of a file, with the one stored earlier. If there is a mismatch, the tools will alert the system administrator.

Common tools: AIDE, Samhain, Tripwire

Method 2: Use Linux Audit framework

Another method to detect file system changes, is monitoring these files via the Linux Audit framework. Any file changed while being monitored, will fire an event and log it in an audit log. The Linux Audit framework is a very versatile solution to monitor changes to system files, but it can do more!

Besides monitoring files, it can also check for specific system calls. For example a system call to change the time of the machine, is clock_settime. While a related event as changing the time might be less risky than changing the /etc/passwd file, you want to make log an event for purposes of account and forensics.

Prevention VS Detection

While preventing issues is good, detecting them might be more valuable. This is especially true when considering you can’t protect against 100% of the threats. Opposed to only try preventing issues, it’s actually better to know something happened and then act and improve upon it.

If you care about the security of your system, use a combination of both methods. First implement prevention measures to counter most attacks. Secondly implement measures to detect the proper working (and possible failures) of your prevention measures. The usage of file integrity tools and Linux auditing together, will span a big area to cover the detection of intrusions or unauthorized activities.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon