Intruders are always looking for ways into your systems, but how do you tell if someone has actually found a way in? Perpetrators often cover their tracks, make only slight changes, or simply steal information. In this tip from InformIT, author Julia Allen looks at ways to inspect files and directories for unexpected changes, one of several ways to detect signs of intrusion.
Examine the directories and files on your system, and prioritize how frequently you should check them. The more mission- or security-critical the file, the more frequently you should check it.
We recommend checking at least daily, perhaps at the start of the business day, to cover all processing done during the preceding 24 hours.
Compare the attributes and contents of files and directories to the authoritative reference (either complete copies or cryptographic checksums). Identify any files and directories whose contents or other attributes have changed.
Always access authoritative reference data directly from its secured, read-only media. Never transmit authoritative reference data over unsecured network connections, unless you use mechanisms such as digital signatures and cryptographic checksums to verify data integrity.
Identify unexpected changes and their implications
Data from log files and other data collection mechanisms will help you to analyze changes to files and directories. These include the following:
- Cryptographic checksums for all files and directories
- Lists of files, directories, attributes
- Accesses (open, create, modify, execute, delete), time, date
- Changes to sizes, contents, protections, types, locations
- Additions and deletions of files and directories
- Results of virus scanners
Also look for the following extraordinary occurrences:
- Unexpected file or directory access, creation or deletion.
- Unexpected changes to file or directory protections or access control lists. Identifying these can aid, for example, in detecting the creation of files in user home directories that can be later used for backdoor access. Improperly set access control lists on system tools may indicate that an intruder has located and executed security tools that were installed by the authorized system administrator.
- Unexpected changes to file or directory sizes, contents and other attributes. These may signify that a file or service has been replaced with the intruder's version, including the installation of a Trojan horse or backdoor. An intruder inadvertently enabling debugging can easily quadruple the size of a file.
- Unexpected changes to password files, such as unauthorized creation of new accounts and accounts with no passwords.
- Unexpected changes to system configuration files and other restricted and sensitive information, including firewall-filtering rules.
- Unusual or unexpected open files. These can reveal the presence of sniffer logs or programs.
- Violations of log file consistency (unexpected changes in file size, gaps in time between log records).
- The presence of viruses, backdoors and Trojan horses detected by scanning tools.
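As an added illustration, not part of the original tip, the following Python checker shows the baseline comparison the practice describes: it records attributes and SHA-256 checksums for every file under a directory, re-scans, and reports the additions, deletions and attribute changes listed above. The directory contents and the alterations in `demo()` are constructed for the example; in real use the baseline would be read from secured, read-only media as the tip advises.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def file_record(path):
    # Attributes to compare against the baseline; symlinks are recorded, not followed.
    st = Path(path).lstat()
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    if stat.S_ISREG(st.st_mode):  # hash contents of regular files in chunks
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def snapshot(root):
    # Relative path -> record, for every non-directory entry below root.
    return {str(p.relative_to(root)): file_record(p)
            for p in Path(root).rglob("*") if not p.is_dir()}

def compare(baseline, current):
    # (path, kind, changed_attributes) for every difference, sorted by path.
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None or new is None:
            findings.append((rel, "deleted" if new is None else "added", []))
        else:
            changed = sorted(k for k in old if old[k] != new.get(k))
            if changed:
                findings.append((rel, "modified", changed))
    return findings

def demo():
    # Constructed scenario: baseline a directory, alter it, then compare.
    root = Path(tempfile.mkdtemp())
    (root / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
    (root / "sshd_config").write_bytes(b"PermitRootLogin no\n")
    (root / "old.log").write_bytes(b"boot ok\n")
    (root / "sshd_config").chmod(0o644)
    baseline = snapshot(root)
    # Simulated unexpected changes: new account line, loosened protection, deleted log, new file.
    with (root / "passwd").open("ab") as f:
        f.write(b"guest:x:1001:1001::/tmp:/bin/sh\n")
    (root / "sshd_config").chmod(0o666)
    (root / "old.log").unlink()
    (root / ".cache").write_bytes(b"unexpected\n")
    return compare(baseline, snapshot(root))
```

Each finding names the file, whether it was added, deleted or modified, and which recorded attributes differ, so a permission change shows up even when size and checksum are unchanged.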
Intruders can use compromised systems that support a promiscuous network interface to collect host and user authentication information that is visible on the network. Sniffers are able to capture user keystrokes containing host, account and password information. The presence of some sniffers can be detected by looking for Trojan horse programs, suspect processes and unexpected modifications to files.
Your organization's networked systems security policy should establish the following guidelines:
- Users should be notified that files and directories will be examined and informed of the objective of such examinations.
- The responsibilities and authority of designated systems administrators and security personnel to examine files and directories on a regular basis for unexpected changes should be specified.
- Users should report any unexpected changes to their software and data files to system administrators or your organization's designated security point of contact.
- Some types of important files, such as log files and database tables, are expected to change frequently (perhaps several times per second). In general, the techniques described above will not be useful in distinguishing normal changes to these file types from those that might have been caused by intruders. Techniques based on transaction auditing are more useful in these cases.
- Whenever possible you should analyze and correlate data collected from multiple sources, as described in the other practices of this chapter.
This was first published in January 2002