
Practical UNIX & Internet Security

Chapter 9: Integrity Management

9.3 A Final Note

Change detection, through integrity monitoring, is very useful for a system administrator. Not only can it discover malicious changes and act as a form of intrusion detection, but it can also detect:

  • Cases of policy violation by staff, where programs are installed or changed without following the proper notification procedure

  • Possible hardware failure leading to data corruption

  • Possible bugs in software leading to data corruption

  • Computer viruses, worms, or other malware

However, there are two key considerations for your mechanism to work, whether you are using rdist, comparison copies, checklists, or Tripwire:

  1. The copies of software you use as your base, for comparison or database generation, must be beyond reproach. If you start with files that have already been corrupted, your mechanism may report no change from this corrupted state. Thus, you should usually initialize your software base from distribution media to provide a known, good copy to initialize your comparison procedure.

  2. The software and databases you use with them must be protected under all circumstances. If an intruder is able to penetrate your defenses and gain root access between scans, he or she can alter your programs and edit your comparison copies and databases to quietly accept whatever other changes are made to the system. For this reason, you want to keep the software and data on physically protected media, such as write-protected disks or removable disks. By interposing a physical protection between this data and any malicious hacker, you prevent it from being altered even in the event of a total compromise.
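The two considerations above, as an added example that is not part of the book: a small Tripwire-style checker whose baseline database is "sealed" with a digest that is assumed to be kept off the host (standing in for the write-protected media the text recommends), so that a database an intruder has edited is rejected before it is used as the point of comparison. SHA-256 and the scratch directory layout are assumptions of this example.

```python
import hashlib, json, os, tempfile

def file_digest(path):
    # SHA-256 read in chunks so large binaries are fine
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    # one record per file: content digest plus permission bits
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            db[os.path.relpath(path, root)] = {
                "sha256": file_digest(path),
                "mode": oct(os.stat(path).st_mode & 0o7777)}
    return db

def seal(db):
    # digest of the canonical database; this value is what you keep off the host
    return hashlib.sha256(json.dumps(db, sort_keys=True).encode()).hexdigest()

def check(root, db, expected_seal):
    # a database that no longer matches its seal is not a trustworthy base
    if seal(db) != expected_seal:
        raise ValueError("baseline database does not match its seal")
    current = build_baseline(root)
    return {"added": sorted(set(current) - set(db)),
            "removed": sorted(set(db) - set(current)),
            "changed": sorted(p for p in db if p in current and current[p] != db[p])}

def demo():
    # constructed scratch tree standing in for a monitored directory
    root = tempfile.mkdtemp()
    def put(name, text):
        with open(os.path.join(root, name), "w") as f:
            f.write(text)
    put("a", "alpha"); put("b", "beta")
    db = build_baseline(root); s = seal(db)
    clean = check(root, db, s)
    put("a", "ALPHA"); put("c", "gamma"); os.remove(os.path.join(root, "b"))
    report = check(root, db, s)
    db["a"]["sha256"] = file_digest(os.path.join(root, "a"))  # database edited on the host
    try:
        check(root, db, s); caught = False
    except ValueError:
        caught = True
    return clean, report, caught
```

The seal only helps if it is recorded somewhere the host cannot write to; stored beside the database, it would be edited along with it.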