Filesystem Integrity Defined


Maintaining system integrity is another layer of security, one meant to give you, the security administrator, something more solid than a warm, fuzzy feeling. For the purposes of this chapter, the term filesystem integrity refers to verifiable knowledge that the computer system and the objects it contains are in a known-good state. That is a broad definition; in practice, filesystem integrity in this chapter means verifying that the files on the computer have not been tampered with or otherwise altered since a known-good snapshot of them was taken. As such, this chapter concentrates on tools that help you check the files.

Practical Filesystem Integrity

Various tools are available to check the integrity of files on a system. Tripwire is the best-known commercial offering, and its code has also been released as open source; the license has gone from open to closed and back to open in a way that is too confusing to untangle here, so see Chapter 10, "Intrusion Detection Tools," for a description of Tripwire's licensing history. In this chapter, I'll show AIDE, the Advanced Intrusion Detection Environment, an open-source filesystem integrity-checking tool.

A basic integrity check of a file involves computing a checksum of the file and comparing it against a known-good value recorded earlier. Checksums of this kind are also called hash values or message digests, and sometimes, loosely, signatures; strictly speaking a digital signature additionally binds the hash to a private key, whereas a bare hash says nothing about who produced it. For integrity checking the hash function must be a cryptographic one: a plain CRC or sum detects accidental corruption but is trivial for an attacker to reproduce on a modified file. Tools such as AIDE do more complex checking than a single hash, as you'll see later in the chapter.

Checksums are frequently used to verify the integrity of a downloaded file. For example, many Linux FTP repositories contain a file called md5sums (or MD5SUMS) holding the checksums of the files as they reside on the server. After downloading a file, you compute its checksum locally (md5sum -c md5sums does this for every file listed in the checksum file). If your value matches the one on the server, you know you have a good copy; if the values don't match, something went wrong with the download and you can save some time by downloading again rather than working with a corrupt file or wasting a CD-R on it. Two caveats apply. First, a checksum file hosted alongside the downloads only catches accidental corruption: anyone who can replace the file on the server, or on the path between the server and you, can replace the checksum too, so projects that care about tampering sign the checksum file with GPG, and you should verify that signature before trusting the sums. Second, MD5 is no longer collision resistant, so prefer SHA-256 sums (sha256sum) where the repository offers them; the workflow is identical.

A hands-on example will make this concrete. Open a console and type the following:

 md5sum /etc/passwd 

You'll see a value such as this:

 fc8053d1be0dcc33e8ef8264e8b8e502 /etc/passwd 

Note that your value will be substantially different from mine, unless you're running the command against my password file, in which case I have other problems that need attention.

If you add a user, delete a user, or make any other change to the password file, the md5sum value changes, because the file's contents are now different. Even a change to someone's full name (the GECOS field) is enough. Continuing with the preceding example, you can change the full name of the root user by running this (as root):

 chfn root 

You'll be presented with prompts for changing the account information for the user, beginning with the Full Name. Change the Full Name value to whatever you'd like, and continue with changes to the other values if you wish. Running md5sum against /etc/passwd now shows a different checksum for the file. Note what the checksum does and does not capture: any change to the file's contents, however trivial, produces a new value, but a change to the file's permissions, owner, or timestamps alone does not, which is one reason tools such as AIDE record that metadata as well as the hash:

 md5sum /etc/passwd 
 5a916699b172ab44c75bbfd2582849bf /etc/passwd 
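The two procedures above, checking a download against a checksum file and hashing /etc/passwd before and after a change, are both instances of one technique: record hashes in a baseline, then re-hash and compare. The script below is an added example, not code from the book or from AIDE, that carries the technique a step further than the single-file walkthrough: it baselines a whole directory, then detects a modified file and a newly added file. It assumes GNU coreutils (sha256sum with --check, comm, mktemp) and uses sha256sum instead of the chapter's md5sum because MD5 collisions are practical; the sample files it hashes are constructed in a temporary directory, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the book: the baseline-and-compare check that tools
# such as AIDE automate, built from coreutils. sha256sum is used in place of
# md5sum because MD5 collisions are practical; the logic is identical for
# "md5sum -c". Assumes GNU coreutils (sha256sum --check, comm, mktemp).

# Record one "<hash>  <path>" line per regular file under $1 into baseline $2.
# Sorted with a fixed locale so two baselines of the same tree diff cleanly.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Re-hash every baselined file. sha256sum --check prints a FAILED line for
# each changed or missing file and exits 1; exit 0 means every hash matches.
verify_baseline() {
    sha256sum --check --quiet "$1"
}

# Files present under $1 with no entry in baseline $2. A hash check alone
# cannot see these, which is why AIDE also records the directory listing.
list_new_files() {
    # baseline lines are "<hash><two spaces><path>", so the path is field 3 on
    cut -d' ' -f3- "$2" | LC_ALL=C sort > "$2.paths"
    find "$1" -type f | LC_ALL=C sort | LC_ALL=C comm -13 "$2.paths" -
    rm -f "$2.paths"
}

# Walk-through on a constructed directory (not a real system): baseline it,
# then edit one file and add another, and see what each check reports.
# Returns 0 only if both the modification and the new file were detected.
demo() {
    work=$(mktemp -d) || return 2
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/passwd"
    printf 'root:!:18000:0:99999:7:::\n'        > "$work/shadow"
    make_baseline "$work" "$work.baseline"

    verify_baseline "$work.baseline" >/dev/null && echo "baseline: clean"

    # Tamper: change root's GECOS field (what "chfn root" does) and drop in
    # an extra file that the baseline knows nothing about.
    printf 'root:x:0:0:Not Root:/root:/bin/bash\n' > "$work/passwd"
    printf 'attacker:x:0:0::/:/bin/sh\n'          > "$work/passwd-"

    changed=0; newfile=0
    verify_baseline "$work.baseline" >/dev/null 2>&1 || changed=1
    list_new_files "$work" "$work.baseline" | grep -q 'passwd-$' && newfile=1
    echo "modified file detected: $changed, new file detected: $newfile"

    rm -rf "$work" "$work.baseline"
    [ "$changed" -eq 1 ] && [ "$newfile" -eq 1 ]
}

demo
```

Keep the baseline file somewhere the attacker cannot write (read-only media, or a host other than the one being checked); a baseline stored beside the files it describes can simply be regenerated after the tampering, which is the same weakness as an unsigned md5sums file on a download server.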




Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort. Michael Rash, 2005. ISBN 1593271417.
