Sensitive directory/file Integrity Monitoring and Checking
Contents
1. OSSEC
2. HashSentry: Host-Based IDS in Python
3. Afick
4. Detection workflow
1. OSSEC
OSSEC is an Open Source Host-based Intrusion Detection System. It performs
1. log analysis
2. integrity checking
3. Windows registry monitoring
4. rootkit detection
5. real-time alerting and active response
It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.
0x1: Improving File Integrity Monitoring with OSSEC
FIM, or "File Integrity Monitoring", is the process of validating the integrity of operating system and application files: each file is hashed with an algorithm such as MD5 or SHA-1 (both are no longer collision resistant, so a new deployment should prefer SHA-256 or stronger) and its current state is compared with a trusted baseline. A hash detects changes to a file's content, but other attributes can be checked as well:
1. owner
2. permissions
3. modification time.
Implementing file integrity monitoring is a very good way to detect compromised servers. Not only operating system files can be monitored (/etc on UNIX, the registry on Windows, shared libraries, etc.) but also application files (monitoring your index.php or index.html can reveal a defaced website).
During its implementation, a file integrity monitoring project typically faces two issues:
1. The baseline that the current file state is compared with must of course be trusted. It therefore has to be stored in a safe place where an attacker can neither find it nor alter it (for example on a separate host or on read-only media); a baseline the attacker can rewrite just gets re-baselined after the compromise.
2. The process must be fine-tuned to react only to important changes, otherwise there are two risks:
1) The genuinely suspicious changes are hidden in a massive flow of false positives.
2) The people in charge of reviewing the alerts miss the interesting changes.
0x2: False positives
A side effect of file integrity monitoring is the number of false-positive alerts generated when patching your systems. Keeping up with the latest patch level is important, but a single new package can replace hundreds of files. Common mitigations are to re-baseline right after a planned patch window, or to verify the changed files against the package manager's own checksums (rpm -V on RPM systems, debsums on Debian-based ones) before treating them as suspicious.
Relevant Link:
http://ossec.github.io/docs/
https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
2. HashSentry: Host-Based IDS in Python
HashSentry's modus operandi is as follows:
1. The remote file system is mounted on the monitoring host using sshfs.
2. A hash is computed for each file and compared with its known original hash (hashes are learned on the first run).
3. Alerts are sent to the sysadmin when a file is modified or a new file appears.
Because hashing happens on the monitoring host over sshfs, the baseline never lives on the monitored machine, which addresses the first issue raised in the OSSEC section above.
http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor
3. Afick
Afick is a fast and portable intrusion detection and integrity monitoring system, designed to work on all platforms (it only needs Perl and its standard modules), including Windows, Linux and UNIX.
The configuration syntax is very close to that of Tripwire/AIDE.
0x1: Functionality
1. portable without any change to all common operating systems (Windows, UNIX, ...)
2. easy to install: no need to compile or to install many other tools
3. fast
4. displays new/deleted/modified files
5. displays dangling links
6. may be used by any user
7. any number of databases and config files
8. config file with exceptions and wildcards
9. configuration file syntax close to AIDE's
10. the command line is perfect on UNIX, but Windows users prefer graphical interfaces, so I added a Tk interface
https://sourceforge.net/projects/afick/
http://afick.sourceforge.net/
4. Detection workflow
1. Walk every file under the target directory.
2. Collect the file's metadata:
1) filepath
2) hashsum
3) gmt_create
4) gmt_modified
3. Compute the hash of the file path and look up the hash(filepath) record in sqlite. If no record is found, the file is new:
1) Check whether this is the first run on this host (baseline creation); on the first run the new file is ignored.
2) If it is not the first run, report a new-file anomaly event.
4. If the hash(filepath) record is found, fetch its gmt_create and gmt_modified and compare them with the current file's gmt_create and gmt_modified. If they are identical, the file has not been modified and is skipped without hashing.
5. If gmt_create or gmt_modified differ, the file may have been modified (only "may": saving a file unchanged from an editor such as vim rewrites it and updates the timestamps without touching its content). Compute the hash of the file content and compare it with the hash stored in the hash(filepath) record; if they differ, the file was modified: report the record and update the sqlite cache entry. Note that Linux does not expose a creation time through stat, so in practice gmt_create maps to st_ctime, the inode change time, which also moves on chmod/chown and, unlike mtime, cannot be reset with touch.
File integrity monitoring of sensitive directories is a general abstraction over malware behaviour: whatever the backdoor is, to persist on Linux it will very probably write a new file to /etc/init.d/ or modify an existing one (on systemd hosts, /etc/systemd/system/ and the cron directories deserve the same treatment).
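The workflow above, as an added example in Python that is not part of the original post nor of any of the tools named on this page. It keeps the sqlite baseline keyed by hash(filepath) and the cheap-metadata-first, content-hash-second comparison of steps 3 to 5, and goes slightly beyond them: it also records size, mode and owner (the extra attributes the OSSEC section lists), so that a chmod/chown on an unchanged file is reported separately from a content change, and it reports deleted files. The table layout, the event names and the demo() scenario (a fake init.d directory built in a temporary folder, constructed here) are assumptions of this example; on Linux the gmt_create column of the text corresponds to st_ctime.

```python
import hashlib
import os
import shutil
import sqlite3
import stat
import tempfile

# Assumed schema (not from the original post): one row per monitored path.
SCHEMA = ("CREATE TABLE IF NOT EXISTS baseline (key TEXT PRIMARY KEY, path TEXT, "
          "hash TEXT, size INTEGER, ctime INTEGER, mtime INTEGER, "
          "mode INTEGER, uid INTEGER, gid INTEGER)")
UPSERT = "INSERT OR REPLACE INTO baseline VALUES (?,?,?,?,?,?,?,?,?)"


def file_hash(path, algo="sha256", chunk=1 << 16):
    """Hash the file contents in chunks so large files never sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def path_key(path):
    """hash(filepath): primary key of the baseline row for this absolute path."""
    return hashlib.sha256(path.encode("utf-8", "surrogateescape")).hexdigest()


def metadata(st):
    """Cheap attributes compared before any content hashing. On Unix st_ctime is
    the inode change time: it moves on content, mode and owner changes."""
    return (st.st_size, st.st_ctime_ns, st.st_mtime_ns,
            st.st_mode, st.st_uid, st.st_gid)


def scan(root, db_path):
    """Walk root, compare each regular file with the sqlite baseline and return
    (event, path) tuples. A run against an empty baseline only records files."""
    root = os.path.abspath(root)
    db = sqlite3.connect(db_path)
    db.execute(SCHEMA)
    first_run = db.execute("SELECT COUNT(*) FROM baseline").fetchone()[0] == 0
    events, seen = [], set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            key, meta = path_key(path), metadata(st)
            seen.add(key)
            row = db.execute("SELECT * FROM baseline WHERE key = ?", (key,)).fetchone()
            if row is None:  # unknown path: a new file, unless still baselining
                db.execute(UPSERT, (key, path, file_hash(path)) + meta)
                if not first_run:
                    events.append(("created", path))
                continue
            old_hash, old_meta = row[2], tuple(row[3:])
            if old_meta == meta:
                continue  # inode untouched since the last scan: skip the hash
            digest = file_hash(path)
            if digest != old_hash:
                events.append(("modified", path))
            elif old_meta[3:] != meta[3:]:
                events.append(("attributes", path))  # same bytes, new mode/owner
            # a timestamp-only change (touch, editor re-saving identical bytes)
            # is absorbed silently to keep the alert stream small
            db.execute(UPSERT, (key, path, digest) + meta)
    # baseline rows under this root that the walk did not reach are deletions
    for key, path in db.execute("SELECT key, path FROM baseline").fetchall():
        if key not in seen and path.startswith(root + os.sep):
            events.append(("deleted", path))
            db.execute("DELETE FROM baseline WHERE key = ?", (key,))
    db.commit()
    db.close()
    return events


def demo():
    """Constructed scenario (throwaway temp files, not real init scripts): a fake
    init.d directory is baselined, then one script gets a line appended, one
    gets a setuid bit, a new file appears, and finally the new file is removed."""
    work = tempfile.mkdtemp()
    try:
        root, db = os.path.join(work, "init.d"), os.path.join(work, "fim.sqlite")
        os.mkdir(root)
        for name, body in (("sshd", "#!/bin/sh\nexec /usr/sbin/sshd\n"),
                           ("cron", "#!/bin/sh\nexec /usr/sbin/cron\n")):
            with open(os.path.join(root, name), "w") as f:
                f.write(body)
        first = scan(root, db)                        # builds the baseline
        with open(os.path.join(root, "sshd"), "a") as f:
            f.write("/tmp/.x/backdoor &\n")           # content change
        os.chmod(os.path.join(root, "cron"), 0o4755)  # mode change only
        with open(os.path.join(root, "backdoor"), "w") as f:
            f.write("#!/bin/sh\n")                    # new file
        second = scan(root, db)
        os.remove(os.path.join(root, "backdoor"))
        third = scan(root, db)
        short = lambda evs: sorted((e, os.path.basename(p)) for e, p in evs)
        return short(first), short(second), short(third)
    finally:
        shutil.rmtree(work)
```

Calling demo() yields an empty first scan (baseline creation), then the attributes, created and modified events, then the deletion. The metadata shortcut is what makes a nightly scan of /etc cheap, but it only holds because st_ctime is part of the comparison: an attacker who resets mtime with touch still moves ctime, and only a clock change or a direct inode write (debugfs) defeats that. The baseline database itself must still live where the attacker cannot write, as the OSSEC section points out, otherwise it is simply re-baselined after the change.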
Relevant Link:
http://securityxploded.com/pymal.php
https://sourceforge.net/directory/os:windows/?q=file%20integrity%20check
http://www.ethanjoachimeldridge.info/tech-blog/implementing-subresource-integrity-sri
http://liw.iki.fi/liw/download/md5sum.py
https://github.com/clouserw/scripts/blob/master/md5verify.py
https://bbs.archlinux.org/viewtopic.php?id=83839
https://pypi.python.org/pypi/hsh/
Copyright (c) 2016 LittleHann All rights reserved