System Monitoring Techniques


The system supplies a variety of monitoring tools that can be used to watch for suspicious activity. The logs written by subsystems such as networking and databases hold a great deal of information about connections: where they came from and what they did, especially if you enable the additional tools or options that increase the level of detail recorded.

UNIX systems provide a number of facilities for monitoring the system. There are tools which report active users (who), running processes (ps), and the users who have logged on in the past (last). More detailed information is available from the accounting and auditing subsystems and from system monitoring software.

System accounting gives a picture of who is using the system and how. Auditing gives a more detailed look at the processing and data that each user touches. Both can also be used as a basis for building user profiles: the profiles become the norm, and deviations from the norm are what you look for.

The accounting system was created to monitor, accumulate, and report the activity of users and the processes they have run so that the resources used could be charged back to them. It reports when users use the system and how they use it. This information is useful when building user profiles and determining when a user's behavior has changed.

The audit system examines kernel structures and reports when privileges are used or system calls and privileged processes are invoked. Most audit systems lack enough context to limit the reported events to those that indicate a security issue rather than normal operation, so the audit trail is large and must be filtered before it is useful.

User Monitoring

User monitoring provides information about what the users are doing. Changes in the behavior of a user can indicate a potential problem. This information can imply that the account is being used by someone other than the actual user or that the user is doing things that he should not be doing.

Programs should be run which report:

  • Connection time

  • Time of connections

  • Resource utilization

  • Specific programs executed

This information is useful in identifying abnormal behavior, since most users keep very regular schedules and perform roughly the same amount of the same type of work from day to day.
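The profile-and-deviation approach described above (and in the accounting discussion earlier) can be reduced to a small amount of code. The following is an added example, not code from the book: it reads login sessions in a constructed, simplified record layout (user, source host, ISO start time, ISO end time), which is an assumption of the example rather than the exact output format of last or the accounting tools, builds a per-user profile of usual hours, hosts and session length, and flags later sessions that fall outside the profile.

```python
"""Build per-user login profiles from session records and flag deviations."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample data for the example (not from a real system). Layout:
# user  source-host  start(ISO 8601)  end(ISO 8601). A real deployment would
# export these fields from wtmp or from the accounting records.
BASELINE_RECORDS = """\
alice 10.0.0.5 2024-03-04T08:55 2024-03-04T17:10
alice 10.0.0.5 2024-03-05T09:02 2024-03-05T17:30
alice 10.0.0.5 2024-03-06T08:47 2024-03-06T16:58
bob   10.0.0.9 2024-03-04T13:10 2024-03-04T13:40
bob   10.0.0.9 2024-03-05T12:55 2024-03-05T13:20
"""

NEW_RECORDS = """\
alice 10.0.0.5    2024-03-07T09:10 2024-03-07T17:05
alice 203.0.113.7 2024-03-08T02:14 2024-03-08T02:50
bob   10.0.0.9    2024-03-07T13:05 2024-03-07T19:40
carol 10.0.0.20   2024-03-07T10:00 2024-03-07T10:30
"""


@dataclass
class Session:
    user: str
    host: str
    start: datetime
    end: datetime

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600.0


@dataclass
class Profile:
    hosts: Set[str] = field(default_factory=set)
    earliest_hour: int = 24      # earliest hour of day a login started
    latest_hour: int = -1        # latest hour of day a session ended
    longest_hours: float = 0.0   # longest session seen
    sessions: int = 0


def parse_records(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, host, start, end = line.split()
        sessions.append(Session(user, host,
                                datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return sessions


def build_profiles(sessions: List[Session]) -> Dict[str, Profile]:
    """Accumulate the 'norm' for each user from historical sessions."""
    profiles: Dict[str, Profile] = {}
    for s in sessions:
        p = profiles.setdefault(s.user, Profile())
        p.hosts.add(s.host)
        p.earliest_hour = min(p.earliest_hour, s.start.hour)
        p.latest_hour = max(p.latest_hour, s.end.hour)
        p.longest_hours = max(p.longest_hours, s.hours)
        p.sessions += 1
    return profiles


def check_session(s: Session, profiles: Dict[str, Profile],
                  slack_hours: int = 1, duration_factor: float = 2.0) -> List[str]:
    """Return a list of deviations for one session against the profiles."""
    p = profiles.get(s.user)
    if p is None:
        return [f"{s.user}: no profile, first login seen, from {s.host}"]
    findings = []
    if s.host not in p.hosts:
        findings.append(f"{s.user}: login from new host {s.host}")
    if (s.start.hour < p.earliest_hour - slack_hours
            or s.start.hour > p.latest_hour + slack_hours):
        findings.append(f"{s.user}: login at {s.start:%H:%M} outside usual "
                        f"window {p.earliest_hour:02d}:00-{p.latest_hour:02d}:59")
    if s.hours > duration_factor * p.longest_hours:
        findings.append(f"{s.user}: session of {s.hours:.1f}h exceeds "
                        f"{duration_factor}x longest seen ({p.longest_hours:.1f}h)")
    return findings


def run_example() -> List[str]:
    profiles = build_profiles(parse_records(BASELINE_RECORDS))
    findings = []
    for s in parse_records(NEW_RECORDS):
        findings.extend(check_session(s, profiles))
    return findings


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

With the constructed data, alice's daytime login on March 7 produces nothing, her 02:14 login from an unfamiliar address produces two findings (new host, outside her usual window), bob's six-hour session is flagged against his usual half-hour sessions, and carol is reported because she has no profile at all. The thresholds (one hour of slack, twice the longest session) are assumptions to tune per site, not values from the book.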

Process Monitoring

The processes which run on a system are generally fairly consistent. Servers run specific processes to perform their tasks, as do users. Unexpected changes in the amount of processing or the type of processing being run on a system can indicate that it is being misused.

Performance analysis tools can also serve system security when used to report processing that is outside the normal day-to-day pattern. An unexpected change in overall system utilization, an increase in a specific user's utilization, or a process that has increased its activity: any of these may indicate that the system is being used improperly.

Data Monitoring

File system monitoring is the process of comparing all the relevant attributes of a file with a known good version, in order to determine whether the file has been altered in any manner. These attributes should include ownership, permissions, timestamps, file size, and a cryptographic checksum of the contents of the file. Selecting a specific set of these attributes for each group of files allows files to be organized into classes based on their function.

The contents of a file can be tested with the file size and checksum. If either has changed, the contents have changed; note that the size alone is not sufficient, since a file can be altered without changing its length, so the checksum is the attribute that actually catches content changes. Ownership and permissions indicate the file's relationship with its environment; these two attributes are key to the security of a file. The timestamps of a file indicate when it was last modified (mtime), last accessed (atime), and when its inode was last changed (ctime). Traditional UNIX file systems do not record a true creation time, and all of these timestamps can be set by anyone with write access to the file, so they are supporting evidence rather than proof. The following broad categories can be applied:

  • Programs: This includes executable programs, binaries, and scripts. Programs should not change, so size, checksum, ownership, permissions, inode change time, and last modified time should be tested.

  • Devices: This includes all device files. A device file's major and minor numbers should not change, and all device files should be in the device directory (/dev).

  • Logs: This includes all log files. Logs are regularly appended to, so the contents of these files change, but the ownership and permissions should not change and should be tested. A log that shrinks, or whose size changes when it should only grow, is also worth reporting, since truncation is a common way to cover tracks.

  • Directories: A directory's behavior depends on what is in it. A directory that contains only files that do not change will not itself change, and all of its attributes should be tested. If it contains files that are modified, created, or deleted, its size and modification time will change. In all cases, the ownership and permissions should not change and should be tested.

Both existing files and new files need to be monitored. If a new file is created with the setuid or setgid bit set, it may indicate a security problem. If device files are being created, especially outside /dev, this is probably a security problem.

Tripwire is a widely used tool which monitors the key attributes of files on a system and reports when any of them change. These attributes include the ownership of the file, its size, a cryptographic hash of its contents, its permissions, and its last modified time. The attributes can be grouped into classes, and specific files are assigned to the class appropriate to their function.

For example, log files should not have a change in ownership or permission, but are expected to grow larger as more records are written.
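The attribute-class scheme described in this section, with a log class that ignores growth and a program class that checks everything, can be prototyped in a few dozen lines. The following is an added example, not the book's code and not Tripwire: it records a baseline of attributes for a directory tree, compares a later snapshot against it using a per-class attribute list, and reports new setuid/setgid files and new device files as the text recommends. The class names, the classify rule, and the sample tree built under a temporary directory are assumptions of the example.

```python
"""Tripwire-style baseline and comparison of file attributes, grouped by class."""
import hashlib
import os
import stat
import tempfile
from typing import Callable, Dict, List

# Which attributes each class of file must keep. Logs are expected to grow,
# so size, hash and mtime are deliberately not part of the log class.
CLASSES: Dict[str, tuple] = {
    "program":   ("owner", "mode", "size", "sha256", "mtime", "ctime"),
    "log":       ("owner", "mode"),
    "directory": ("owner", "mode"),
    "device":    ("owner", "mode", "device"),
}


def snapshot(path: str) -> Dict[str, object]:
    """Collect the attributes the text lists for one file system object."""
    st = os.lstat(path)
    attrs: Dict[str, object] = {
        "type": stat.S_IFMT(st.st_mode),
        "owner": (st.st_uid, st.st_gid),
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "ctime": int(st.st_ctime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        attrs["sha256"] = h.hexdigest()
    if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        attrs["device"] = (os.major(st.st_rdev), os.minor(st.st_rdev))
    return attrs


def classify(path: str, attrs: Dict[str, object]) -> str:
    """Assumed rule for the example: by object type and by location."""
    if attrs["type"] == stat.S_IFDIR:
        return "directory"
    if "device" in attrs:
        return "device"
    if os.sep + "log" + os.sep in path:
        return "log"
    return "program"


def build_baseline(root: str) -> Dict[str, Dict[str, object]]:
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            baseline[p] = snapshot(p)
    return baseline


def compare(baseline: Dict[str, Dict[str, object]], root: str,
            classify_fn: Callable = classify) -> List[str]:
    """Report attribute changes per class, missing files, and suspicious new files."""
    findings = []
    current = build_baseline(root)
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append(f"missing: {path}")
            continue
        for attr in CLASSES[classify_fn(path, old)]:
            if old.get(attr) != new.get(attr):
                findings.append(f"changed {attr}: {path} ({old.get(attr)!r} -> {new.get(attr)!r})")
    for path, new in current.items():
        if path in baseline:
            continue
        if int(new["mode"]) & (stat.S_ISUID | stat.S_ISGID):
            findings.append(f"new setuid/setgid file: {path}")
        elif "device" in new:
            findings.append(f"new device file: {path}")
        else:
            findings.append(f"new: {path}")
    return findings


def run_example() -> List[str]:
    """Build a small constructed tree, baseline it, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        bindir, logdir = os.path.join(root, "bin"), os.path.join(root, "log")
        os.makedirs(bindir)
        os.makedirs(logdir)
        prog, log = os.path.join(bindir, "ls"), os.path.join(logdir, "messages")
        with open(prog, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        os.chmod(prog, 0o755)
        with open(log, "w") as f:
            f.write("Mar  4 08:55 login: alice\n")
        baseline = build_baseline(root)
        # Simulated activity: a normal log append (expected), a same-length
        # replacement of a program (size unchanged, hash changed), and a new
        # setuid file dropped into bin.
        with open(log, "a") as f:
            f.write("Mar  4 09:10 login: bob\n")
        with open(prog, "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned\n")
        suid = os.path.join(bindir, "shell")
        open(suid, "wb").close()
        os.chmod(suid, 0o4755)
        return compare(baseline, root)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Run stand-alone it prints a changed-sha256 entry for bin/ls, a new setuid/setgid entry for bin/shell, and nothing for the appended log or for the log directory whose contents changed; the replaced program is the same length as the original, so no size change is reported, which is why the checksum belongs in the program class. A real deployment stores the baseline off-host or on read-only media, since an attacker who can rewrite the baseline can hide every change.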



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210