Monday, April 12, 2010

File Integrity Checkers and Rootkit Revealers for Gnu/Linux - Part 1


Are you afraid that your system has been compromised by unauthorized access?
Have you discovered abnormal network activity, or do you suspect that your system has been infected by trojans or a rootkit?

Is this your nightmare? ;)

No problem: there are some tools that help system administrators check their servers, so they can be more confident about the security of their machines.

Two types of "tools" can be used to search for anomalies in the system.

The first are called "File Integrity Checkers" (FIC) and are used to check whether a set of files has changed over time.
For example, if you keep track of the executables in folders like "/bin", "/sbin", etc., you can see whether "someone" has changed "something"; in that case the FIC will notify you.

Obviously, changes to executables can be legitimate (e.g. system updates); in that case you tell your "File Integrity Checker" (FIC) that the changes are authorized.

On the other hand, if you haven't done any upgrade or manual modification to the system and the FIC still reports changes, that is evidence that your system may be compromised.

This type of software is one of the solutions available for discovering that something is wrong.

The second type of "checker" is "rootkit revealers" and/or "antivirus". These are "similar" to the Windows security tools available today, like Comodo, Avast, Norton, Spybot, etc.
Usually these tools are not "real-time" like the MS Windows products, so they must be run periodically via the cron daemon.

For the best protection of your GNU/Linux systems, you should also consider using MAC (Mandatory Access Control) or RBAC (Role-Based Access Control).

For example, grsecurity/PaX or SELinux add this feature to GNU/Linux (by patching the kernel).

I will discuss them in future posts.

Anyway, "rootkit revealer" and "antivirus" software should help you identify which kind of "enemy" has compromised your system.

File Integrity Checkers (FIC)

There are many FIC programs around; one of the most famous in Unix environments is "Tripwire". Personally, I prefer "Afick", a FIC that is totally free and simpler to install and use.
Afick, like many other FIC solutions, works by computing md5 sums of a "set" of files that you indicate in the configuration file the first time you use it.
For example, if you want to keep track of modifications to the /bin directory, Afick will generate a database with the md5 sum of each file contained in that directory.
The next time you run Afick, it will check whether the md5 sum of each file is the same as the one in its database; if not, it will notify you.

If you modify or update the system yourself, you can tell Afick to update its database so that it does not produce warning alerts.

FICs are very simple and smart but they have some limitations.

1) You must keep track of every operation on the system that could modify your files and "notify" Afick about each change.
2) If the system is compromised and the executables and/or files used by the FIC software are modified too, it will give you false "negatives".

So, if you suspect that something is wrong with your system, it's useful to boot from a bootable CD (e.g. Knoppix) and run the FIC software from there to check it.
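To make the baseline / compare / re-baseline cycle described above concrete, here is a small file integrity checker added as an example (it is not Afick's or Tripwire's own code). It uses SHA-256 instead of md5, since md5 is no longer collision-resistant, and also records each file's size and permission bits; the fake /bin tree, the database name fic.db and the tampering performed in demo() are all constructed for illustration.

```python
import hashlib, json, tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_snapshot(root):
    """Digest, size and permission bits of every regular file under root (symlinks skipped)."""
    root, snap = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[str(p.relative_to(root))] = [hash_file(p), st.st_size, st.st_mode & 0o7777]
    return snap

def compare(baseline, current):
    """Paths that appeared, vanished, or changed in content, size or mode since the baseline."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def check(root, db_path, update=False):
    """First run writes the baseline and returns None; later runs return a drift report. update=True re-baselines (the changes were authorised)."""
    current, db = build_snapshot(root), Path(db_path)
    if not db.exists():              # keep the db outside the monitored tree, ideally on read-only media
        db.write_text(json.dumps(current))
        return None
    report = compare(json.loads(db.read_text()), current)
    if update:
        db.write_text(json.dumps(current))
    return report

def demo():
    """Constructed sample: a fake /bin, then a setuid bit added, a binary replaced, a file removed and a new one dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir, db = Path(tmp, "bin"), Path(tmp, "fic.db")
        bindir.mkdir()
        for name in ("ls", "ps", "netstat"):
            (bindir / name).write_bytes(b"original " + name.encode())
        check(bindir, db)                        # first run: baseline only
        (bindir / "ls").chmod(0o4755)            # same content, new permission bits
        (bindir / "ps").write_bytes(b"replaced ps")
        (bindir / "netstat").unlink()
        (bindir / "sshd").write_bytes(b"unexpected new file")
        return check(bindir, db)
```

Running demo() reports "sshd" as added, "netstat" as removed, and both "ls" (mode change only) and "ps" (content change) as modified, which is the kind of report a FIC gives you when something has touched a system directory.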

What are the rootkits?

A good starting point for defining what "rootkits" are is Wikipedia. It describes them as follows: "rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.[1]"

In other words, a rootkit is software that allows someone to control or have privileges on your system... and you (the administrator) don't know about it... It's a terrible thing!

Think for a minute how many crazy people are out there... software pirates, black hats, IRC bot installers, script kiddies, etc.
All of these people can use your system for bad purposes... and you'll pay for it if they do illegal things...

What do we need to do? There are some tools called "rootkit revealers"... In the second part of this article I'll explain how to use them. But remember, the first rule is... be "proactive" and harden your system!

Virus/Trojan threats

Viruses and trojans are software that compromise the correct functioning of a machine.
Viruses are widespread in Windows environments, so there are a large number of "antivirus" products for protecting those systems.
GNU/Linux distros are usually not subject to viruses, but the services offered by the O.S. could be "the way" to spread a disease (e.g. an infected file shared via Samba could infect a Windows machine).

So GNU/Linux has many antivirus programs to detect viruses and block them! In the second part I'll talk about them.

One more suggestion!

If you are interested in IT security, join us in the "GNU/Linux Security & Hardening" group on LinkedIn.

Last update: 7 Dec 2010

Creative Commons License
Digital Patch Posts by Angelo F. are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.