full system IDS (Snort/Tripwire/Demarc) realistic due to noisy reports?
bofh at stremler.net
Fri Mar 29 20:51:40 PST 2002
begin quoting Christian Seberino as of Fri, Mar 29, 2002 at 06:26:05PM -0800:
> Thanks for your reply. I'm a beginner and appreciate
> all help. I'm leaning towards the camp that just
> monitors /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin
> for Trojan Horses. You mentioned monitoring
> Here are all the /etc files that have changed in *just* the
> last day or so...
Oh, that's right, Linux considers /etc to be a suitable place for
temporary files, instead of /var :(
Warning: Rank opinions follow:
> Modified: "/etc"
Something in the directory changed...
> Modified: "/etc/adjtime"
Why would this be changed?
> Modified: "/etc/dhid.pid"
Well, pid files should be in /var/run or something.
> Modified: "/etc/ioctl.save"
Don't know what this file is for.
> Modified: "/etc/issue"
Ah, yes, this is frequently generated under Linux for some stupid reason.
This should be a static file, like motd.
> Modified: "/etc/ld.so.cache"
This is a cache file for the linker. My personal preference would be
> Modified: "/etc/motd"
This should be touched by you, as root, and only by you.
> Modified: "/etc/mtab"
This is meant to be a dynamic list of the files that are currently
mounted, no? Surely that belongs in /proc....
> Modified: "/etc/random-seed"
Should only change at shutdown, no?
> If you want to monitor /etc who know what you'll
> get the next day?!?!
You should watch some of the important files in /etc: passwd, shadow,
group, hosts, hosts.allow, hosts.deny, the init.d files, inetd.conf,
I feel that /etc should be able to be mounted on a read-only partition;
ideally, you'd have to drop to single-user in order to change any of
the entries. (Even if that makes adding users or changing user information
a bit more difficult... there should be the _option_.)
-Stewart "I begin to see why some people are frustrated with /etc." Stremler
More information about the KPLUG-List