Detecting Changes After the Fact

As we saw in the last section, there may be circumstances in which we cannot use read-only media to protect files and directories. Or, we may have a case in which some of the important files are relatively volatile and need to change on a regular basis. In cases such as these, we want to be able to detect whether unauthorized changes occur.

There are basically three approaches to detecting changes to files and inodes:

  • Use comparison copies of the data to be monitored. This is the most reliable way, because a byte-for-byte comparison cannot be fooled by a clever edit, but it costs as much storage as the data itself, and the copies help only if they are kept somewhere the intruder cannot reach (offline, or on read-only media).

  • Monitor metadata about the items to be protected. This includes monitoring the modification time of entries as kept by the operating system, and monitoring any logs or audit trails that show alterations to files. Be aware that the modification time is weak evidence on its own: any process that can write a file can also set its mtime back with utime(), so a careful intruder leaves it looking untouched. The inode change time (ctime) cannot be set directly from user programs and is harder to forge, and audit trails are useful only if the intruder cannot edit them as well.

  • Use some form of signature of the data to be monitored, and periodically recompute and compare the signature against a stored value. The signature must be a cryptographic hash (or a keyed MAC), not a simple checksum or CRC, which an intruder can adjust to match after altering the file; and the stored values must themselves be protected from modification, or the comparison proves nothing.
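The following is an added example, not code from the book, showing the second and third approaches side by side: a baseline that stores a SHA-256 digest plus inode metadata for every regular file under a directory, and a comparison that separates real content changes from metadata-only changes, additions and removals. The scenario in `demo()` is constructed for illustration (a throwaway temporary directory with made-up `bin/login`, `etc/passwd` and `etc/hosts` files), and the intruder in it rewrites one file and then restores its old mtime with `os.utime()`, which is exactly the trick that defeats a timestamp-only check but not a hash comparison.

```python
"""Hash-plus-metadata integrity baseline (added example; not from the book)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

HASH_CHUNK = 65536


@dataclass(frozen=True)
class FileRecord:
    """What the baseline stores per file: a cryptographic digest plus inode metadata."""
    sha256: str
    size: int
    mode: int
    inode: int
    mtime_ns: int
    ctime_ns: int


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are not slurped."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(HASH_CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def record_for(path):
    st = os.lstat(path)
    return FileRecord(hash_file(path), st.st_size, st.st_mode, st.st_ino,
                      st.st_mtime_ns, st.st_ctime_ns)


def build_baseline(root):
    """Walk root and record every regular file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # symlinks and specials are out of scope here
            baseline[os.path.relpath(full, root)] = record_for(full)
    return baseline


def compare(baseline, current):
    """Classify differences: content (hash mismatch), metadata-only, added, removed."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "content": [], "metadata": []}
    for rel in sorted(baseline.keys() & current.keys()):
        old, new = baseline[rel], current[rel]
        if old == new:
            continue
        if old.sha256 != new.sha256:
            report["content"].append(rel)     # contents differ, whatever the timestamps say
        else:
            fields = ("size", "mode", "inode", "mtime_ns", "ctime_ns")
            changed = [f for f in fields if getattr(old, f) != getattr(new, f)]
            report["metadata"].append((rel, changed))
    return report


def demo():
    """Constructed scenario: take a baseline, then simulate an intruder and re-check."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            return full

        login = put("bin/login", b"#!/bin/sh\nexec /sbin/real-login \"$@\"\n")   # made-up content
        passwd = put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        hosts = put("etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        original_mtime = baseline["bin/login"].mtime_ns

        # Intruder: alter the login program, then put the old mtime back with utime(2).
        with open(login, "wb") as fh:
            fh.write(b"#!/bin/sh\nlogger intruder-was-here\nexec /sbin/real-login \"$@\"\n")
        os.utime(login, ns=(os.stat(login).st_atime_ns, original_mtime))
        os.chmod(passwd, 0o666)               # metadata-only change: world-writable
        put("bin/backdoor", b"placeholder\n")  # new file
        os.remove(hosts)                       # removed file

        current = build_baseline(root)
        return {"report": compare(baseline, current),
                "mtime_restored": current["bin/login"].mtime_ns == original_mtime}
```

In the report, `bin/login` shows up under `content` even though its mtime is back to the baseline value; a checker that compared only mtimes would have missed it. Note that `os.chmod` on `etc/passwd` is caught purely through metadata (the mode field, and ctime on filesystems with fine enough timestamp resolution). The baseline dictionary is the weak point: in real use it has to be serialized and kept on read-only media or off the host, for the reason given in the third bullet above.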

Each of these approaches has drawbacks and benefits, as we discuss in the following sections. But before we explain them in detail, we need to explain a fundamental problem common to all of these schemes.

The Achilles Heel of Integrity Management Systems

The remainder of this chapter describes several different integrity management systems. All of these systems perform more or less the same function: they examine files on a computer’s disk drive to determine whether the files have been changed in any significant way.

Although there are many reasons that you might want to examine the integrity of your system’s files, one ...
