Naturally, monitoring the content of an entire system seems like
the right thing to do because it leaves no file untouched. However,
with systems that are particularly volatile, this mode of monitoring
can produce mounds of alert data. Therefore, you should carefully
consider if this monitoring solution is right for you. In many
cases the answer will be yes. In any case, you should baseline
your entire system before connecting it to an exposed network.
Keep this baseline in a safe place in case you need to refer to it
at some later point in time.
System Critical Files
Sometimes it's desirable to track fewer files more often. The
trade-off is the fact that you can't detect all changes that occur
on your system, but this may not be necessary or practical.
For example, to ensure deep and prolonged access to a compromised
site, the intruder must (1) install a secret backdoor, (2) be able
to compromise the system at will, or (3) acquire sufficient
information to impersonate a legitimate insider. Cases two and
three are difficult for an integrity monitoring tool to detect
unless they produce predictable change. Case one, however, can
often be readily detected because it usually requires the intruder
to modify one or more system files.
A classic example of this is the popular rootkit. Typically,
rootkits contain Trojanized system binaries such as ls, netstat,
ifconfig, ps, and so on. This implies that you have a good chance
of detecting the presence of a rootkit, simply by monitoring the
content in your system directories. Note: this assumes that FTimes,
the libraries it uses, and the kernel have not been compromised.
Mission and Application Critical Files
Another area where it's desirable to track fewer files more often
is Mission and Application specific files. For example, one could
monitor the integrity of a Web site every 15 minutes or the home
page every minute. Suppose you run a large software development
project, you could use FTimes to monitor the production build
environment to ensure that any changes are detected.
A good hybrid approach to Integrity Monitoring would be to create
multiple profiles that can independently monitor different and/or
overlapping parts of your system. For example, you could define
three profiles: (1) mission critical files every 15 minutes, (2)
system critical files every hour, and (3) everything once a day.
This approach has the added benefit of distributing the load imposed