Monitor for File System Changes on Linux
Monitor for File System Changes
The most important areas with information security are preventing some events from occurring and detecting it if something still happens. Unfortunately most companies forget to put enough effort in detection unauthorized activities.
In this article we have a special look at monitoring your file system, to detect changes to your critical system files and their configuration files.
Method 1: File Integrity tools
The first method is monitoring file changes with the help of specific tools. These tools usually created “hashes” of files and store them in a database. Hashes are small cryptographic signatures of a file. Similar techniques and terms are a checksum or parity information.
With the help of these techniques, the file integrity can be determined. It works by comparing a newly created hash of a file, with the one stored earlier. If there is a mismatch, the tools will alert the system administrator.
Common tools: AIDE, Samhain, Tripwire
Method 2: Use Linux Audit framework
Another method to detect file system changes, is monitoring these files via the Linux Audit framework. Any file changed while being monitored, will fire an event and log it in an audit log. The Linux Audit framework is a very versatile solution to monitor changes to system files, but it can do more!
Besides monitoring files, it can also check for specific system calls. For example a system call to change the time of the machine, is clock_settime. While a related event as changing the time might be less risky than changing the /etc/passwd file, you want to make log an event for purposes of account and forensics.
Prevention VS Detection
While preventing issues is good, detecting them might be more valuable. This is especially true when considering you can’t protect against 100% of the threats. Opposed to only try preventing issues, it’s actually better to know something happened and then act and improve upon it.
If you care about the security of your system, use a combination of both methods. First implement prevention measures to counter most attacks. Secondly implement measures to detect the proper working (and possible failures) of your prevention measures. The usage of file integrity tools and Linux auditing together, will span a big area to cover the detection of intrusions or unauthorized activities.