Monitor for File System Changes on Linux

The most important areas within information security are preventing events from occurring and detecting them if something still happens. Unfortunately, most companies do not put enough effort into detecting unauthorized activities.

In this article we take a closer look at monitoring your file system, to detect changes to your critical system files and their configuration files.

Method 1: File Integrity tools

The first method is monitoring file changes with the help of specific tools. These tools usually create “hashes” of files and store them in a database. A hash is a short cryptographic fingerprint of a file's contents. Similar techniques and terms are checksums and parity information.

With the help of these techniques, the integrity of a file can be determined. It works by comparing a newly computed hash of the file with the one stored earlier. If there is a mismatch, the tool will alert the system administrator.

Common tools: AIDE, Samhain, Tripwire
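As an added example (not code from this article, nor from AIDE, Samhain or Tripwire), here is a minimal integrity checker in Python that does what those tools do at their core: it stores SHA-256 hashes of every file below a directory in a JSON database and, on later runs, reports which files were modified, added or removed. The directory to monitor and the location of the database are assumptions you pass in.

```python
import hashlib
import json
import os
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file below root; keys are paths relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_file() and not full.is_symlink():
                baseline[str(full.relative_to(root))] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report which paths were modified, added or removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def check(root: Path, db_path: Path) -> dict:
    """First run stores a baseline; later runs return the differences.
    Keep the database read-only or off-host, otherwise whoever tampers
    with the files can simply store a fresh baseline afterwards."""
    current = build_baseline(root)
    if not db_path.exists():
        db_path.write_text(json.dumps(current, indent=2, sort_keys=True))
        return {"modified": [], "added": [], "removed": []}
    return compare(json.loads(db_path.read_text()), current)
```

Run `check(Path("/etc"), Path("/var/lib/fim/baseline.json"))` from a cron job and alert on any non-empty list; the real tools add file metadata (owner, mode, mtime) to the comparison as well.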

Method 2: Use Linux Audit framework

Another method to detect file system changes is monitoring these files via the Linux Audit framework. Any change to a monitored file fires an event, which is written to the audit log. The Linux Audit framework is a very versatile solution for monitoring changes to system files, but it can do more!

Besides monitoring files, it can also watch for specific system calls. For example, the system call to change the time of the machine is clock_settime. While an event such as changing the time might be less risky than changing the /etc/passwd file, you still want to log it for purposes of accountability and forensics.

Prevention VS Detection

While preventing issues is good, detecting them might be more valuable. This is especially true when you consider that you can’t protect against 100% of the threats. As opposed to only trying to prevent issues, it’s actually better to know that something happened and then act on it and improve.

If you care about the security of your system, use a combination of both methods. First, implement prevention measures to counter most attacks. Second, implement measures to detect whether your prevention measures are working properly (and when they fail). Using file integrity tools and Linux auditing together covers a large part of the detection of intrusions and unauthorized activities.
