Mr. Robot got at least one thing right with that “DAT” file: Files are at the root of all things security in Linux. While file integrity monitoring is an aspect of Windows security, it’s absolutely critical to Linux and Unix security. Why?
Windows hides much of its configuration in the registry behind tightly controlled Win32 API. But in Linux, the configuration is much more exposed and out there for direct access. In addition, many resources in Linux are presented as part of the file system. And of course, the programs you run on both Windows and Linux are files in the form of binary executables or scripts. Modifying or replacing these files allows attackers to implant malicious and arbitrary instructions to be executed unwittingly.
View my real training for free on-demand webinar where we will discuss these topics. View now
Most important files to protect in Linux
So, file integrity monitoring is one of the first things you need to ensure is done right when it comes to securing Linux and detecting attacks. Here’s a short list of key configuration files and directories in Linux that attackers love to get their hands on:
- There are lots of places in the Linux startup process where you can insert malicious commands or scripts such as in in your boot loader (e.g. GRUB or LILO), Kernel parameters in /proc/cmdline, daemons and services in /etc/system.d, run commands in /etc/rc.* and /etc/init.*.
- Of course, bad guys can also set up scripts to run as cron jobs. But there are other crafty ways to cause scripts to run with whenever your shell starts. For instance, with Bash, you need to watch /etc/profile, ~/.bash_profile, ~/.bash_login, ~/.profile. /home/user/.bashrc, /etc/bash.bashrc, /etc/profile.d/.
- Attackers can override DNS and cause your system to communicate with imposter systems by messing with files like /etc/hosts and /etc/resolv.conf.
- Changes to /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow are all super important to monitor because this is where user accounts, groups and password hashes are stored. Related to that are files under /etc/pam.d where password and lockout policies are stored and where sophisticated attackers can install bogus pluggable authentication modules that steal passwords.
The list of configuration files that need to be monitored goes on but it’s also important to remember that file modification risks goes beyond just configuration files. The actual code Linux runs are files too – usually called binaries. If you can change the code of the operating system you can make the OS do anything you want. Most of the core binaries are found in /bin and /sbin with more peripheral programs in /usr/bin and /usr/local/bin.
Some file based attacks don’t require you to change the actual content of the file but simply its attributes so file integrity monitoring is also about detecting attribute and permission changes such as with chattr and chmod.
Why file integrity monitoring is essential to Linux security
File integrity monitoring is integral to Linux security. But FIM usually only tells you that a file changed, not what changed in the file or who did it. That’s where privileged access management comes in – especially sudo-io logs which you can watch with sudoreplay. FIM becomes the trigger to investigate changed files and session logs help you determine the who, what and how.
BeyondTrust’s PowerBroker for Unix & Linux combines FIM and Privileged Account Management into one solution that makes it easy to stay in control of what’s happening on your systems.
View my real training for free on-demand webinar where we will discuss these topics. View now!
Randy Franklin Smith, CEO, Monterey Technology Group, Inc. CISA, SSCP, Security MVP
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations.
