10.2. Do periodic integrity checks
Based on the baseline you generated after installation (the snapshot described in "Taking a snapshot of the system"), you can run an integrity check from time to time. An integrity check compares the current state of the files against that baseline and so detects filesystem modifications made by an intruder, or by a system administrator's mistake.
Integrity checks should, if possible, be done offline: that is, without running the operating system of the system under review (for example, by booting trusted rescue media and mounting the system's filesystems read-only). Otherwise an installed rootkit can hide its changes from the checking tool and produce a false sense of security (false negatives). The integrity database that the system is checked against should likewise be kept on, and read from, read-only media, so that an intruder cannot simply update it to match the modified files.
If taking the system offline is not an option, you can do integrity checks online using any of the filesystem integrity tools described in "Checking file system integrity". In that case take precautions: use a read-only integrity database, and make sure that neither the integrity checking tool nor the operating system kernel has been tampered with, since a kernel rootkit can lie to any userland checker about what is on disk.
Some of the tools mentioned in the integrity tools section, such as aide, integrit or samhain, are already prepared to do periodic reviews (through the crontab in the first two cases, and through a standalone daemon in the case of samhain) and can warn the administrator through different channels when the filesystem changes: usually e-mail, but samhain can also send pages, SNMP traps or syslog alerts.
Of course, whenever you apply a security update (or any other package update), the snapshot of the system must be re-taken, since the update legitimately changes binaries, libraries and configuration files; otherwise every subsequent check will keep reporting those changes. Re-take it right after the update, before the system is exposed again, and first verify that the reported changes are only the ones the update was expected to make.
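The baseline, check and re-baseline cycle described above, as an added example that is not part of this manual and is not the code of aide, integrit or samhain. It builds a minimal integrity checker from sha256sum, find and diff so the mechanics are visible: the database is written once and made read-only, each check only reads it, and re-taking the snapshot after an update is an explicit step. The function names (hash_tree, make_baseline, check_integrity) and the example paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a minimal periodic integrity check built from sha256sum,
# find and diff. It stands in for aide/integrit/samhain to show the
# baseline -> check -> re-baseline cycle; all function names are assumed.

# Fall back to shasum on systems without GNU coreutils (assumption: one exists).
if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256 "$@"; }
fi

# hash_tree DIR: print "hash  ./path" for every regular file under DIR,
# in a fixed (byte) order so two runs over an unchanged tree are identical.
# Caveat: file names containing a newline are not handled.
hash_tree() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# make_baseline DIR DB: take (or re-take, e.g. after a security update) the
# snapshot of DIR into DB. The database is made read-only once written; in
# production copy it to read-only media rather than leaving it on the host.
make_baseline() {
    dir=$1; db=$2
    rm -f -- "$db"
    hash_tree "$dir" > "$db"
    chmod 0444 "$db"
}

# check_integrity DIR DB: compare DIR against DB. Returns 0 when nothing
# changed, 1 otherwise; changed entries are printed with '<' for the
# baseline entry (file removed or modified) and '>' for the current entry
# (file added or modified). DB is only read, never written.
check_integrity() {
    dir=$1; db=$2
    current=$(mktemp) || return 2
    hash_tree "$dir" > "$current"
    if diff -- "$db" "$current" > "$current.diff"; then
        rm -f -- "$current" "$current.diff"
        return 0
    fi
    grep '^[<>]' "$current.diff"
    rm -f -- "$current" "$current.diff"
    return 1
}

# Command-line entry point, e.g. from a crontab entry (cron mails the output):
#   integrity.sh check /usr/sbin /media/cdrom/baseline.db   (paths are assumed)
main() {
    case "$1" in
        baseline) make_baseline "$2" "$3" ;;
        check)    check_integrity "$2" "$3" ;;
        *) echo "usage: $0 {baseline|check} DIR DB" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run `baseline` once from a trusted state, move the resulting file to read-only media, and schedule `check` from cron; a non-zero exit plus the printed entries is what you would feed into the mail or syslog alert. The script is deliberately naive compared to aide (no ownership, mode or inode attributes, no hash-chained report), but the same caveat from the text applies to it just as much: if the kernel or the script itself has been replaced, an online run of it proves nothing.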