Implement integrity auditing with basic utilities

The computing world is full of security tools. Ultimately, however, the one class of tool that can tell you with evidence, rather than assumption, whether your system has been altered by a malicious security cracker is an integrity auditing tool. It cannot prove the absence of a compromise, but a file that has changed when nothing should have changed it is about the most reliable signal you will get.

Integrity auditing tools are many and varied, but they all provide essentially the same functionality: They tell you when changes have been made to your system. Initially, the tool is used to create some kind of "snapshot" of the system. This first snapshot is made when the system is in a "known good" state, without any security compromises.

Later, another snapshot is taken, and the two are compared. The more sophisticated integrity auditing tools are capable of checking only specific parts of the system, marking certain parts as constantly changing and to be ignored, reporting individual changes and asking for confirmation that they're expected and authorized, and so on.

As with almost any other security tool, however, integrity auditing doesn't necessarily require a complex tool -- or a lot of work to implement and manage. Once you understand the principles, system utilities for which you may previously have seen little purpose can suddenly start to look more like exactly the security tools you need. Even the most mundane of tools can become highly effective security systems.

  1. Tripwire is probably the most widely recognized, and most widely used, professional-grade integrity auditing system. The original commercial software is called Tripwire Change Auditing, but there's an open source version of it as well that's available for any major open source UNIX-like operating system.
  2. Rsync is regarded by most as a backup tool. It's little more than a way to copy data from one location to another, where any parts of the data that haven't changed since the last copy don't have to be recopied. To do this, rsync compares every file in the source against the copy already at the destination: by default it looks at size and modification time, and with the -c (--checksum) option it compares a checksum of the contents. That comparison should sound suspiciously like the snapshot comparison described above. Run with --dry-run and --itemize-changes, rsync lists exactly which files differ from the backup copy without copying anything. Use -c for that audit, because an intruder who replaces a binary and then restores its timestamp with touch -r slips past a size-and-mtime comparison. Rsync uses a lot of disk space for this because the point of comparison is a full copy of the audited filesystem, but if you're maintaining backups with rsync regardless, it's a trivial thing to change the way you use it so that it provides filesystem integrity auditing as well as data security through backups.
  3. Mtree is a widely available BSD UNIX utility used to "map a directory hierarchy," in the words of the FreeBSD mtree manpage. The manpage goes on to explain that it "compares the file hierarchy rooted in the current directory against a specification read from the standard input." In brief, this means that you can use a specification (something like a snapshot) as a point of comparison for a filesystem. Again, we have a utility whose operation sounds suspiciously like the basic principles of integrity auditing. On FreeBSD, mtree -c writes such a specification for the current directory, and -K sha256digest adds a cryptographic digest of each file's contents to the default keywords (type, mode, owner, size and modification time among them), so a later run of mtree against that specification reports every file whose contents, permissions or ownership have changed. While most Linux distributions don't ship mtree in the base install (packaged ports exist), it's part of the base system for FreeBSD, NetBSD, and OpenBSD, as well as for Darwin -- the open source core of the proprietary Mac OS X operating system. While installing the open source Tripwire and rsync tools on any given open source UNIX-like OS is only a few keystrokes and a quick download away, mtree is already part of your basic install with BSD UNIX systems.

There are hundreds of other options just waiting to be discovered and implemented, based on your specific needs and the software available to you. Checksums, for instance, can be generated for every file in a filesystem with md5sum or sha256sum (md5 and sha256 on the BSDs) and saved as a baseline; a later run compared against that baseline shows whether any contents have changed. Prefer SHA-256 for a new baseline: MD5 collisions are cheap to produce, so an attacker who can get a file of their choosing into the baseline can later swap in a different file with the same MD5 digest. For an additional layer, you could perform checksum comparisons using multiple algorithms, so that a break in one algorithm alone isn't enough to hide a substituted file. Note that a checksum sees only content: a chmod u+s on an unchanged binary leaves every digest intact, so a baseline should also record permissions and ownership.
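The procedure described above, written out as an added example that is not code from the original article: take a snapshot of a known-good state, take a later snapshot, and diff the two, with constantly changing paths marked as ignorable. It uses nothing but find, sha256sum, stat, sort and awk, assumes GNU coreutils as found on Linux, and the function names (record, snapshot, compare) and the sample paths are this example's own. Mode and ownership are recorded next to the content hash so that a permission change on an unchanged binary is reported, which a plain checksum list would miss.

```shell
#!/bin/sh
# Added example, not from the original article: a baseline-and-compare
# integrity auditor built from find, sha256sum, stat, sort and awk.
# Assumes GNU coreutils (stat -c, sha256sum), i.e. a Linux host.
# File names containing newlines or tabs are not handled.

# record FILE: print one line "sha256 mode owner group size<TAB>path".
# Mode and ownership are recorded so that a chmod u+s or chown on an
# otherwise unchanged file is still reported.
record() {
    printf '%s %s\t%s\n' \
        "$(sha256sum -- "$1" | cut -d' ' -f1)" \
        "$(stat -c '%a %U %G %s' -- "$1")" \
        "$1"
}

# snapshot DIR OUT [IGNORE_ERE]: write a sorted record of every regular
# file under DIR to OUT. Paths matching the optional extended regex (for
# example '^\./var/log/') are skipped, which is how files that change all
# the time are marked as expected noise rather than audited.
snapshot() {
    ignore='^$'
    if [ $# -ge 3 ]; then ignore=$3; fi
    ( cd "$1" && find . -type f | LC_ALL=C sort | grep -E -v -e "$ignore" |
        while IFS= read -r f; do record "$f"; done ) > "$2"
}

# compare BASELINE CURRENT: print every path that was added, removed or
# changed between two snapshots. A change is reported as "content" when
# the hash differs and as "metadata" when only mode, owner or size differ.
# BASELINE and CURRENT must be two different files.
compare() {
    awk -F '\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base)) {
                print "added:   " $2
            } else if (base[$2] != $1) {
                split(base[$2], b, " "); split($1, c, " ")
                tag = (b[1] != c[1]) ? "content" : "metadata"
                print "changed (" tag "): " $2
            }
            delete base[$2]
        }
        END { for (p in base) print "removed: " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Typical use: take the baseline while the system is known good, move it
# to read-only media, and audit against that copy later.
#   snapshot / baseline.txt '^\./(proc|sys|dev|run|tmp|var/log)/'
#   snapshot / current.txt  '^\./(proc|sys|dev|run|tmp|var/log)/'
#   compare  baseline.txt current.txt
```

The ignore regex is the equivalent of the "mark as constantly changing" feature of the heavier tools; keep it as narrow as possible, since anything it covers is invisible to the audit.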

Of course, your integrity auditing software may be compromised as well. A rootkit can affect Tripwire, rsync, mtree, or md5 just as easily as it can affect ls and your shell, and a kernel-level rootkit doesn't even need to touch those binaries: it lies about file contents to every program on the box, including one loaded from a (nonrewritable) CD. The baseline itself is a target too, since an intruder who can rewrite it can simply record the trojaned files as the new known-good state. This is why it's usually a good idea to keep the baseline on read-only media and to run your integrity auditing software from a separate system, or to boot the audited machine from read-only media so that the running kernel is trusted as well.

A reasonably safe solution might involve a dedicated integrity auditing machine that doesn't allow new incoming connections at all but can mount any filesystems that require integrity auditing on other machines within your network, perhaps via an encrypted network filesystem tool such as SSHFS that doesn't require explicit filesystem export. Once the target filesystem is mounted, a tool such as mtree on the integrity auditing machine can be used to audit the filesystem's integrity. This provides reasonable protection against unauthorized network access to the integrity auditing system, which in turn protects the integrity auditing tools and baseline on that system from being compromised and providing falsely reassuring results. One limit remains: the file data still arrives through the target's own sshd, sftp-server and kernel, so a kernel rootkit on the target can feed the auditor clean copies. Catching that requires reading the disk without the target's kernel in the loop, for example by booting the target from trusted media for the audit.

While this information can give you a good start on ideas for how to implement an integrity auditing procedure, the real lesson to be learned is that sometimes a deceptively simple, often overlooked tool that you already have at your fingertips can provide all the functionality you need. Never let the lack of a security budget serve as an excuse to give up on security, and always be on the lookout for ways to learn security principles rather than merely memorizing procedures -- and ways to implement those principles in new ways. You might discover a new way is also the best way for your purposes.