
[ossec-list] Integrity checking database query...



Hi all,

I'm currently running both tripwire and ossec-hids on a small server
in my department.  The server is shortly to be overhauled and a newer
version of the OS installed.  As a result I am thinking about
switching to using *just* ossec-hids rather than combining it with
tripwire.  However I have a few concerns about how ossec-hids stores
its file integrity database that I was hoping someone on this list
might be able to illuminate for me...

Since I run ossec-hids in its "local" configuration my concern is
basically that an intruder could modify the file integrity database to
cover up modifications to system files he/she has made.

Under tripwire this is prevented because the file integrity database
(the list of MD5/SHA values, file permissions, inode values etc.) is
cryptographically signed.  The periodic filesystem checker can read
the file without user intervention, but to make any modifications to
the database the admin must supply the password for the cryptographic
key to resign the altered database.

Thus an intruder can never alter the database, although he/she can
delete the database and stop the cronjob running tripwire, which
means that, provided the admin kept a copy of the database (in case
it was deleted), the admin can always determine which files in
the system have been tampered with.

Does ossec-hids allow for any signing of its integrity database, or is
this planned in the near future?  Or is the argument rather that the
syschecker runs so frequently that an intruder would not have time to
cover their tracks by modifying the database before at least one email
alert was sent out to the admin alerting him/her of the intrusion?
Although in the latter case this still leaves you with having to
reinstall the entire OS, since after the initial email alert you can
no longer trust the database and so identify just the modified system
files that need replacing...

I'm afraid I don't feel competent enough to examine the source code
and determine for myself exactly what ossec-hids does!

On a similar note, is there any advantage to be gained from combining
ossec-hids's rootkit checker with chkrootkit, or is this needless
duplication?

Thanks,
J Bromley

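As an added illustration of the tripwire-style argument in the post above (example code, not from OSSEC or the poster): a minimal signed file-integrity database whose checker refuses to report anything from a database whose signature no longer verifies. HMAC with a key the admin keeps off the monitored host stands in for tripwire's passphrase-protected signing key; the file names, contents and key are constructed.

```python
import copy, hashlib, hmac, json, os, tempfile
from pathlib import Path

def build_baseline(root: str) -> dict:
    """Map each regular file under root to its SHA-256 and permission bits."""
    entries = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            entries[str(p.relative_to(root))] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "mode": oct(p.stat().st_mode & 0o7777),
            }
    return entries

def canonical(baseline: dict) -> bytes:
    # One fixed encoding, so the signature covers exactly these bytes.
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()

def sign_baseline(baseline: dict, key: bytes) -> dict:
    # HMAC stands in for tripwire's passphrase-protected signing key (assumption:
    # the key is held by the admin off-host, so an intruder on the box never sees it).
    mac = hmac.new(key, canonical(baseline), "sha256").hexdigest()
    return {"baseline": baseline, "mac": mac}

def verify_signature(signed: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(signed["baseline"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, signed["mac"])

def check(root: str, signed: dict, key: bytes) -> tuple:
    """Return ("untrusted", []) if the database was altered, else ("ok", changed paths)."""
    if not verify_signature(signed, key):
        return "untrusted", []
    old, live = signed["baseline"], build_baseline(root)
    changed = sorted(p for p in set(old) | set(live) if old.get(p) != live.get(p))
    return "ok", changed

def demo() -> tuple:
    """Constructed scenario: a file is modified, then the database entry is edited to hide it."""
    key, root = os.urandom(32), tempfile.mkdtemp()
    target = Path(root) / "passwd"
    target.write_text("root:x:0:0\n")                      # constructed sample file
    signed = sign_baseline(build_baseline(root), key)
    target.write_text("root:x:0:0\nevil:x:0:0\n")           # file tampered on the host
    file_only = check(root, signed, key)                    # ("ok", ["passwd"])
    forged = copy.deepcopy(signed)                          # database entry edited to match
    forged["baseline"]["passwd"]["sha256"] = hashlib.sha256(target.read_bytes()).hexdigest()
    db_too = check(root, forged, key)                       # ("untrusted", [])
    return file_only, db_too
```

Without the key, the edited database cannot be re-signed, so the checker reports the database itself as untrusted rather than silently accepting the forged entry.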



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.