How can I be sure that the system I use has not been tampered with? Strategies like disk encryption, system hardening and intrusion detection are useful, but can they help against user-generated security problems such as installing closed-source binaries like Dropbox, or typing a password into a faked password prompt? Even if privilege escalation through an exploited browser plugin, a man-in-the-browser attack, or some other clickjacking trojan may not trick me, one never knows.
Some suggest taking a thorough look at the preinstalled browser CAs or investing time in active blacklisting; still, system files may be changed by whatever unwanted, untracked, secret activity. It may be a good idea to keep track of all changes with .
One option is to have some scripts for cron'd CRC checks () or to set up a filesystem with checksum features like Btrfs or Ext4 metadata checksums. However, there is no reason not to use
samhain – Data integrity and host intrusion alert system
Samhain is an integrity checker and host intrusion detection system that can be used on single hosts as well as on large, UNIX-based networks. It supports central monitoring as well as powerful (and new) stealth features to run undetected in memory using steganography.
Main features
- Complete integrity check
  + uses cryptographic checksums of files to detect modifications,
  + can find rogue SUID executables anywhere on disk, and
- Centralized monitoring
  + native support for logging to a central server via encrypted and authenticated connections
- Tamper resistance
  + database and configuration files can be signed
  + logfile entries and e-mail reports are signed
  + support for stealth operation
stealth – stealthy File Integrity Checker
The STEALTH program performs file integrity checks on (remote) clients. It differs from other file integrity checkers by not requiring baseline integrity data to be kept on either write-only media or in the client's file system. In fact, clients will hardly contain any indication suggesting that they are being monitored, thus improving the stealthiness of the integrity scans.
STEALTH uses standard available software to perform file integrity checks (like find(1) and sha1sum(1)). Using individualized policy files, it is highly adaptable to the specific characteristics of its clients.
In production environments STEALTH should be run from an isolated computer (called the 'STEALTH monitor'). In optimal configurations the STEALTH monitor should be a computer not accepting incoming connections. The account used to connect to its clients does not have to be 'root'; usually read access to the client's file system is enough to perform a full integrity check. Instead of using 'root', a more restrictive administrative or ordinary account might offer all necessary requirements for the desired integrity check.
STEALTH itself must communicate with the computers it should monitor. It is essential that this communication is secure. STEALTH configurations therefore normally specify SSH as the command shell to use for connecting to clients. STEALTH may be configured so as to use but one SSH connection per client, even if integrity scans are to be performed repeatedly. Apart from this, the STEALTH monitor is commonly allowed to send e-mail to remote client systems' maintainers.
STEALTH runs themselves may start randomly within specified intervals. The resulting unpredictability of STEALTH runs further increases STEALTH's stealthiness.
STEALTH's acronym is expanded to 'Ssh-based Trust Enforcement Acquired through a Locally Trusted Host': the client's trust is enforced, the locally trusted host is the STEALTH monitor.
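The following is an added example written for this page, not code from samhain or stealth. It shows the monitor-side model the STEALTH description lays out (the baseline stays on the monitor, the client only ever runs find(1) and a checksum tool over SSH, and no root account is needed for a read-only scan), and it is also the kind of cron'd checksum script mentioned at the top of the page. Assumptions: the script name `monitor-check.sh` is hypothetical, `audit@client.example` is a placeholder unprivileged SSH account, `sha256sum` stands in for the `sha1sum` the description names, and the `CLIENT_RUNNER` prefix is an invention of this example so the same functions can be exercised locally with `sh -c`.

```shell
#!/bin/sh
# monitor-check.sh (hypothetical name): STEALTH-style integrity check run
# from an isolated monitor host. The baseline never lives on the client;
# the client only executes find(1) and sha256sum(1) and returns text.
# Added example for this page, not part of samhain or stealth.
set -u

# Command prefix that runs a shell command on the client. The default is a
# placeholder unprivileged SSH account with read access to the files being
# checked (no root needed for a read-only scan). Set CLIENT_RUNNER="sh -c"
# to run the same functions against the local machine.
: "${CLIENT_RUNNER:=ssh -o BatchMode=yes audit@client.example}"

# client_manifest DIR: print "<sha256>  <path>" for every regular file below
# DIR on the client, sorted by path so baselines are stable across runs.
client_manifest() {
    $CLIENT_RUNNER "find '$1' -type f -exec sha256sum {} + | LC_ALL=C sort -k 2"
}

# take_baseline DIR BASELINE_FILE: store the current manifest on the monitor.
take_baseline() {
    client_manifest "$1" > "$2"
}

# verify_baseline DIR BASELINE_FILE: compare a fresh manifest against the
# stored one. Prints one ADDED/MODIFIED/REMOVED line per deviation and
# returns 1 if anything changed, 0 if the client still matches the baseline.
verify_baseline() {
    base=$2
    current=$(mktemp) || return 2
    client_manifest "$1" > "$current"
    report=$(awk -v base="$base" '
        # sha256sum separates hash and path with two spaces; splitting at
        # the first "  " keeps paths that themselves contain single spaces.
        function parse(line,   i) {
            i = index(line, "  ")
            hash = substr(line, 1, i - 1)
            path = substr(line, i + 2)
        }
        FILENAME == base { parse($0); old[path] = hash; next }
        {
            parse($0)
            seen[path] = 1
            if (!(path in old))         print "ADDED    " path
            else if (old[path] != hash) print "MODIFIED " path
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$base" "$current")
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Command-line entry point; with no arguments the file only defines the
# functions above (e.g. when sourced).
case "${1:-}" in
    baseline) take_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3" ;;
esac
```

Run `monitor-check.sh baseline /etc etc.baseline` once from the monitor, then put `monitor-check.sh verify /etc etc.baseline` in the monitor's crontab (a random `sleep` before it reproduces the randomized start times described above); a non-zero exit together with the ADDED/MODIFIED/REMOVED report is what the cron mail to the client's maintainer carries. File names containing a newline are the one case the two-space split does not handle, because GNU sha256sum escapes such names and prefixes the line with a backslash.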