20.5 Summary
Change detection, through integrity monitoring, is very useful for a
system administrator. Not only can it discover malicious changes and
act as a form of intrusion detection, but it can also detect:

  - Cases of policy violation by staff, in which programs are installed
    or changed without following the proper notification procedure
  - Possible hardware failure leading to data corruption
  - Possible bugs in software leading to data corruption
  - Computer viruses, worms, or other malware
However, there are two key conditions for your mechanism to work,
whether you are using rdist, comparison copies, checklists, RPM, or
Tripwire:

  - The copies of software you use as your base, for comparison or
    database generation, must be beyond reproach. If you start with
    files that have already been corrupted, your mechanism may report
    no change from this corrupted state. Thus, you should usually
    initialize your software base from distribution media to provide a
    known, good copy to initialize your comparison procedure.
  - The software and databases you use with them must be protected
    under all circumstances. If an intruder can penetrate your defenses
    and gain root access between scans, he can alter your programs and
    edit your comparison copies and databases to quietly accept whatever
    other changes are made to the system. For this reason, you should
    keep the software and data on physically protected media such as
    write-protected disks or removable disks. By interposing a physical
    protection between this data and any attacker, you prevent it from
    being altered even in the event of a total compromise.
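The two conditions above, a trustworthy baseline and a comparison database that cannot be silently edited, are easiest to see in a small checklist-style integrity checker. The following is an added example written for this summary; it is not code from the book or from any of the tools named (rdist, RPM, Tripwire). It builds a baseline of SHA-256 digests, modes and sizes for a directory tree, reports added, removed and changed files on a later scan, and seals the stored baseline with an HMAC so that an edited database is detected. The function names (build_baseline, compare_to_baseline, seal, check_seal), the sample file tree and the key are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Hypothetical helper names, constructed for this example only.

def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Walk root and record digest, permission bits and size for every regular file.
    Symlinks and device nodes are skipped (lstat, not stat, so links are not followed)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": file_digest(full),
                "mode": st.st_mode & 0o7777,   # includes setuid/setgid/sticky bits
                "size": st.st_size,
            }
    return baseline

def compare_to_baseline(baseline, current):
    """Return the files that appeared, disappeared, or whose digest/mode/size changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}

def _canonical(baseline):
    # Deterministic serialization so the HMAC is stable across runs.
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()

def seal(baseline, key):
    """Attach an HMAC-SHA256 tag computed with a key that must NOT live on the monitored host."""
    return {"baseline": baseline, "hmac": hmac.new(key, _canonical(baseline), hashlib.sha256).hexdigest()}

def check_seal(sealed, key):
    """True only if the stored baseline still matches its tag (constant-time comparison)."""
    expected = hmac.new(key, _canonical(sealed["baseline"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["hmac"])

def demo():
    """Constructed scenario: take a baseline, modify the tree, then try to cover it up."""
    key = b"constructed-demo-key-keep-on-removable-media"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/login-real\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ls-binary-v1")
        sealed = seal(build_baseline(root), key)   # baseline from the "known good" tree

        # Later: one binary is modified and an unexpected file appears.
        with open(os.path.join(root, "bin", "login"), "ab") as f:
            f.write(b"# appended line\n")
        with open(os.path.join(root, "bin", "newtool"), "wb") as f:
            f.write(b"x")
        report = compare_to_baseline(sealed["baseline"], build_baseline(root))

        # Someone with write access to the database rebuilds it from the altered tree
        # but cannot recompute the tag without the key, so the seal check fails.
        tampered = {"baseline": build_baseline(root), "hmac": sealed["hmac"]}
        return report, check_seal(sealed, key), check_seal(tampered, key)

if __name__ == "__main__":
    print(demo())
```

The HMAC only helps if the key is kept off the monitored host, on the same kind of write-protected or removable media the chapter recommends for the database itself; a key readable by root on the scanned machine gives an intruder everything needed to reseal an edited baseline. It is a detection aid layered on top of physical protection, not a replacement for it.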