The Most Important Linux Files to Protect (and How)

September 25, 2017


Linux Security

Mr. Robot got at least one thing right with that “DAT” file: Files are at the root of all things security in Linux. While file integrity monitoring is an aspect of Windows security, it’s absolutely critical to Linux and Unix security. Why?

Windows hides much of its configuration in the registry behind tightly controlled Win32 APIs. In Linux, by contrast, the configuration lives in plain files that are directly exposed and directly editable. In addition, many Linux resources are presented as part of the file system. And of course, the programs you run on both Windows and Linux are files, in the form of binary executables or scripts. Modifying or replacing these files lets attackers implant malicious, arbitrary instructions that the system then executes unwittingly.

View my Real Training for Free on-demand webinar, where we discuss these topics. View now

Most important files to protect in Linux

So, file integrity monitoring is one of the first things you need to ensure is done right when it comes to securing Linux and detecting attacks. Here’s a short list of key configuration files and directories in Linux that attackers love to get their hands on:

  • There are lots of places in the Linux startup process where an attacker can insert malicious commands or scripts, such as your boot loader (e.g. GRUB or LILO), kernel parameters in /proc/cmdline, daemons and services under /etc/systemd, and run commands in /etc/rc.* and /etc/init.*.
  • Of course, bad guys can also set up scripts to run as cron jobs. But there are other crafty ways to make scripts run whenever your shell starts. For instance, with Bash you need to watch /etc/profile, ~/.bash_profile, ~/.bash_login, ~/.profile, /home/user/.bashrc, /etc/bash.bashrc, and /etc/profile.d/.
  • Attackers can override DNS and cause your system to communicate with imposter systems by messing with files like /etc/hosts and /etc/resolv.conf.
  • Changes to /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow are all super important to monitor because this is where user accounts, groups and password hashes are stored. Related to that are files under /etc/pam.d where password and lockout policies are stored and where sophisticated attackers can install bogus pluggable authentication modules that steal passwords.

The list of configuration files that need to be monitored goes on, but it’s also important to remember that file modification risks go beyond configuration files. The actual code Linux runs consists of files too, usually called binaries. If you can change the code of the operating system, you can make the OS do anything you want. Most of the core binaries are found in /bin and /sbin, with more peripheral programs in /usr/bin and /usr/local/bin.

Some file-based attacks don’t require changing the actual content of a file, only its attributes, so file integrity monitoring is also about detecting attribute and permission changes, such as those made with chattr and chmod.
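As an added example (not code from the original post or from BeyondTrust), the script below shows the minimum a file integrity baseline needs to catch both kinds of change described above: a content edit to a watched file such as /etc/hosts, and an attribute-only change such as a chmod on /etc/shadow. It records a SHA-256 hash plus the permission bits, owner and group for each path, tolerates a file that is missing at baseline time, and reports which fields changed. The watched paths and their contents are constructed in a temporary directory so the script runs offline without touching the real /etc; the simulated tampering in demo() is a hypothetical scenario, not data from the page.

```python
import hashlib
import os
import stat
import tempfile

# Paths drawn from the list above. In this demo they are created under a
# temporary directory (constructed sample data), not read from the real /etc.
WATCHED = ["etc/passwd", "etc/shadow", "etc/hosts", "etc/resolv.conf", "etc/profile"]


def file_record(path):
    """Content hash plus the attributes an attacker can change without touching content."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only, e.g. 0o644
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def snapshot(root, rel_paths):
    """Baseline every watched file; a missing file is recorded as None instead of raising."""
    snap = {}
    for rel in rel_paths:
        path = os.path.join(root, rel)
        snap[rel] = file_record(path) if os.path.lexists(path) else None
    return snap


def diff_snapshots(old, new):
    """Return {path: [changed fields]} so content and attribute changes are reported separately."""
    changes = {}
    for rel in old:
        before, after = old[rel], new.get(rel)
        if before is None and after is None:
            continue
        if before is None:
            changes[rel] = ["created"]
        elif after is None:
            changes[rel] = ["deleted"]
        else:
            fields = [k for k in before if before[k] != after[k]]
            if fields:
                changes[rel] = fields
    return changes


def demo():
    """Constructed scenario: take a baseline, apply one content edit and one chmod, compare."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "etc"))
    seed = {  # constructed sample contents
        "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
        "etc/shadow": "root:*:18000:0:99999:7:::\n",
        "etc/hosts": "127.0.0.1 localhost\n",
        "etc/resolv.conf": "nameserver 192.0.2.53\n",
        "etc/profile": "umask 022\n",
    }
    for rel, body in seed.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    os.chmod(os.path.join(root, "etc/shadow"), 0o600)
    baseline = snapshot(root, WATCHED)

    # Simulated tampering: a hosts-file redirect (content change) and a
    # permission change on shadow (attribute-only change, no content change).
    with open(os.path.join(root, "etc/hosts"), "a") as f:
        f.write("192.0.2.10 login.example.com\n")
    os.chmod(os.path.join(root, "etc/shadow"), 0o644)

    return diff_snapshots(baseline, snapshot(root, WATCHED))


if __name__ == "__main__":
    for path, fields in demo().items():
        print(f"{path}: {', '.join(fields)}")
```

The comparison reports /etc/hosts as a hash change and /etc/shadow as a mode change only, which is exactly the distinction a FIM alert should preserve: a permission change on a file whose hash is untouched is still a finding. A real deployment would persist the baseline somewhere the monitored host cannot rewrite it and would also record the immutable flag that chattr sets, which Python's standard library does not expose directly.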

Why file integrity monitoring is essential to Linux security

File integrity monitoring is integral to Linux security. But FIM usually only tells you that a file changed, not what changed in the file or who changed it. That’s where privileged access management comes in, especially sudo I/O logs, which you can replay with sudoreplay. FIM becomes the trigger to investigate changed files, and session logs help you determine the who, what and how.

BeyondTrust’s PowerBroker for Unix & Linux combines FIM and Privileged Account Management into one solution that makes it easy to stay in control of what’s happening on your systems.


Randy Franklin Smith

Microsoft MVP & Windows Security Expert, and CEO at Monterey Technology Group, Inc.

Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations.

Randy Franklin Smith began his career in information technology in the 1980s developing software for a variety of companies. During the early 1990s, he led a business process re-engineering effort for a multi-national organization and designed several mission critical, object-oriented, client/server systems. As the Internet and Windows NT took off, Randy focused on security and led his employer's information security planning team. In 1997, he formed Monterey Technology Group, Inc. where he serves as President.

Certifications

  • Certified Information Systems Auditor (CISA)
  • Microsoft Security Most Valuable Professional (MVP)
  • Systems Security Certified Professional (SSCP)


Industry Memberships

  • Information Systems Security Association (ISSA)
  • Information Systems Audit and Control Association (ISACA)
  • Center for Internet Security (CIS)
