20.5 Summary

Change detection, through integrity monitoring, is very useful for a system administrator. Not only can it discover malicious changes and act as a form of intrusion detection, but it can also detect:

• Cases of policy violation by staff, in which programs are installed or changed without following the proper notification procedure

• Possible hardware failure leading to data corruption

• Possible bugs in software leading to data corruption

• Computer viruses, worms, or other malware

However, there are two key conditions for your mechanism to work, whether you are using rdist, comparison copies, checklists, RPM, or Tripwire:

• The copies of software you use as your base, for comparison or database generation, must be beyond reproach. If you start with files that have already been corrupted, your mechanism may report no change from this corrupted state. Thus, you should usually initialize your software base from distribution media to provide a known, good copy to initialize your comparison procedure.

• The software and databases you use with them must be protected under all circumstances. If an intruder can penetrate your defenses and gain root access between scans, he can alter your programs and edit your comparison copies and databases to quietly accept whatever other changes are made to the system. For this reason, you should keep the software and data on physically protected media such as write-protected disks or removable disks. By interposing a physical protection between this data and any attacker, you prevent it from being altered even in the event of a total compromise.