On 4/4/22 11:32 AM, Eric Thomas wrote:
> I want to have a high degree of confidence in my system's state
> (packages that have been added, configs that have changed, permissions
> changed, etc). I've read about "read only filesystems" and the
> pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
>
> Aside from that, is there a way to...
>
> 1. ...hash the file system in some way and monitor for changes? OR
> 2. ...somehow review changes that have taken place (a log somewhere)?
>
> The goal is to concretely know whether the state of the system has
> changed, then point to what EXACTLY has changed.
>
> Anyone doing something similar?
>
> Thank you
>
Something I came up with which worked out really well at my employer was
a backup system that used rsync and the --link-dest option to make a useful
rotated disk-based backup of current systems. When they said, "We want some
kind of file integrity monitoring system", I puzzled over all kinds of ways
to look for altered files...but it suddenly hit me -- I HAD a list of all the
altered files -- the output of the rsync --link-dest backup run!
Took that output, ran it through a "grep -vf exclusionlist", where
"exclusionlist" was a list of files (in regex form) I EXPECTED change on...and
I had a daily output of all unexpected changed files. I called it the
"File Alteration Reporting Tool", but my coworkers thought another name would
be more appropriate for some reason. :D
It was really quite interesting. Never found a real security breach (yay),
but learned a LOT of new things about the software running on our systems,
and to the point -- we found a few things that prompted us to go kicking trees
to find out what someone had done that we weren't aware of. I call that success.
Yes, I'm working on re-doing it (i.e., clean slate so my (former)employer has
no gripes (and no internal information disclosure), but if you are adept at
scripting, it wasn't too difficult.
Nick.
No comments:
Post a Comment