FTimes in Action
All Files

Naturally, monitoring the content of an entire system seems like the right thing to do because it leaves no file untouched. However, with systems that are particularly volatile, this mode of monitoring can produce mounds of alert data. Therefore, you should carefully consider if this monitoring solution is right for you. In many cases the answer will be yes. In any case, you should baseline your entire system before connecting it to an exposed network. Keep this baseline in a safe place in case you need to refer to it at some later point in time.

System Critical Files

Sometimes it's desirable to track fewer files more often. The trade-off is that you can't detect every change that occurs on your system, but detecting every change may not be necessary or practical.

For example, to ensure deep and prolonged access to a compromised site, the intruder must (1) install a secret backdoor, (2) be able to compromise the system at will, or (3) acquire sufficient information to impersonate a legitimate insider. Cases two and three are difficult for an integrity monitoring tool to detect unless they produce predictable change. Case one, however, can often be readily detected because it usually requires the intruder to modify one or more system files.

A classic example of this is the popular rootkit. Typically, rootkits contain Trojanized system binaries such as ls, netstat, ifconfig, ps, and so on. This implies that you have a good chance of detecting the presence of a rootkit simply by monitoring the content in your system directories. Note: this assumes that FTimes, the libraries it uses, and the kernel have not been compromised.

Mission and Application Critical Files

Another area where it's desirable to track fewer files more often is mission- and application-specific files. For example, one could monitor the integrity of a Web site every 15 minutes or the home page every minute. If you run a large software development project, you could use FTimes to monitor the production build environment to ensure that any changes are detected.

Multiple Profiles

A good hybrid approach to Integrity Monitoring would be to create multiple profiles that can independently monitor different and/or overlapping parts of your system. For example, you could define three profiles: (1) mission critical files every 15 minutes, (2) system critical files every hour, and (3) everything once a day. This approach has the added benefit of distributing the load imposed by FTimes.
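The three-profile scheme above, sketched as an added example that is not FTimes code and does not use FTimes' configuration or output format. The profile names, directory lists and the SHA-256/mode/size snapshot are assumptions chosen for illustration; the demo runs against a constructed scratch tree.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

# Hypothetical profiles: name -> (directories to scan, interval in seconds).
PROFILES = {
    "mission":    (["/var/www"], 15 * 60),
    "system":     (["/bin", "/sbin", "/usr/bin"], 60 * 60),
    "everything": (["/"], 24 * 60 * 60),
}

def snapshot(roots):
    """Map every regular file under roots to (sha256, mode, size)."""
    snap = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode):
                        continue  # skip symlinks, devices, sockets
                    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
                except OSError:
                    continue  # unreadable or vanished mid-scan
                snap[path] = (digest, st.st_mode, st.st_size)
    return snap

def compare(baseline, current):
    """Return sorted (category, path) pairs: changed, missing or new."""
    report = [("missing", p) for p in baseline.keys() - current.keys()]
    report += [("new", p) for p in current.keys() - baseline.keys()]
    report += [("changed", p) for p in baseline.keys() & current.keys() if baseline[p] != current[p]]
    return sorted(report)

def due(profiles, last_run, now):
    """Names of profiles whose interval has elapsed since their last run."""
    return [n for n, (_, every) in profiles.items() if now - last_run.get(n, float("-inf")) >= every]

def demo():
    """Constructed run: baseline a scratch tree, alter it, then compare."""
    with tempfile.TemporaryDirectory() as top:
        for rel, data in (("bin/ls", b"v1"), ("bin/ps", b"v1"), ("www/index.html", b"home")):
            Path(top, rel).parent.mkdir(exist_ok=True)
            Path(top, rel).write_bytes(data)
        base = snapshot([top])
        Path(top, "bin/ls").write_bytes(b"v2")        # content replaced, same size
        Path(top, "bin/ps").unlink()                  # file removed
        Path(top, "www/extra.cgi").write_bytes(b"x")  # file added
        return [(c, os.path.relpath(p, top)) for c, p in compare(base, snapshot([top]))]
```

A scheduler would call `due()` each minute and run `snapshot()` only for the profiles it returns, which is what spreads the scanning load; the baseline passed to `compare()` should come from storage the monitored host cannot modify.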


Copyright 2000-2014 The FTimes Project, All Rights Reserved.