Matthias Schmidt wrote:
> You know, the best ideas often come out from
> discussions :-)

I agree wholeheartedly!

> In my opinion, the last modified time (ls -l) of a file is a (more or
> less) reliable source. This is what I want to see: When did the file
> change. The last access time (ls -lu) is not important, because it is
> changed by every backup, auditing, ... tool. What's the opinion of the
> community?

I think for your scenario, that would be the most useful.  Your original 
question was about change management, and in that scenario the threat is 
not an attacker changing the mtime.

For host compromise detection, the change time should not be trusted, or 
at least viewed with a high degree of skepticism.

Now I'll share something that many security pros probably won't agree 
with.  I think integrity checking is one of the least useful metrics for 
host-based IDS.  Of course this flies in the face of all of the 
traditional tools' approach.  That's pretty much their whole game.

Think about it.  Admins who are conscientious about security are 
patching every month, or in the case of staggered roll-outs, every week. 
This results in integrity checking alerts all the time.  So, guess 
what happens?  The brain starts to filter them out as background noise. 
Or quite literally, the analyst filters them out with the tool.

And what are the files changed by patching?  They are precisely the ones 
that would change in a real attack scenario.  So in the end, patching 
systems and getting frequent alerts desensitizes the analyst to real 
attacks.

Integrity checking is most useful *in combination* with other methods, 
and has to be used very judiciously.  I don't necessarily care if a file 
in \system32 changed, but if I see a new admin account called 'haxor' 
AND I see these files change, then I'm worried.

But even then, to be truly trustworthy one has to have confidence that 
the stored checksum is good, and then the affected host can be examined 
forensically, offline.

OSSEC takes a very practical approach to these issues and that's why 
it's one of the best out there, commercial or otherwise.  But in the 
end, it's all in how you use it.

My .02.
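An added example, not from the mail above and not OSSEC code, that makes two of its points concrete: an attacker who rewrites a file can trivially put the mtime (what `ls -l` shows) back to its old value, so the mtime alone says nothing, while a stored checksum still catches the change; and an integrity alert is far more interesting when it coincides with another signal such as a new admin account. The file, its contents and the account names are constructed here; the demo assumes a POSIX filesystem where `st_ctime` is the inode change time and cannot be set from user space.

```python
"""Integrity check vs. forged mtime, plus alert correlation (added example)."""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of(path):
    """Content hash; this is the value a baseline database would store."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Record everything a checker might compare: hash, mtime and ctime."""
    st = os.stat(path)
    return {"sha256": sha256_of(path), "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def tamper_and_backdate(path, new_bytes):
    """Simulate an intruder: replace the file, then restore atime/mtime.
    utime() lets any owner set those two; the kernel alone sets ctime."""
    st = os.stat(path)
    with open(path, "wb") as f:
        f.write(new_bytes)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def compare(baseline, current):
    """Which of the three indicators moved between the two snapshots."""
    return {
        "content_changed": baseline["sha256"] != current["sha256"],
        "mtime_changed": baseline["mtime_ns"] != current["mtime_ns"],
        "ctime_changed": baseline["ctime_ns"] != current["ctime_ns"],
    }


def triage(changed_files, new_admin_accounts, in_patch_window):
    """The verdict the mail argues for: a changed file during a patch window
    is expected noise, but a changed file plus an unexpected admin account
    is worth pulling the host for offline examination."""
    if changed_files and new_admin_accounts:
        return "investigate"
    if changed_files and in_patch_window:
        return "expected"
    if changed_files:
        return "review"
    return "quiet"


def demo():
    """Baseline a constructed file, tamper with it, and compare."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "binary")
        with open(path, "wb") as f:
            f.write(b"original program")
        baseline = snapshot(path)
        # Sleep past one second so the result holds even on filesystems
        # that store ctime with whole-second granularity (assumption).
        time.sleep(1.1)
        tamper_and_backdate(path, b"trojaned program")
        return compare(baseline, snapshot(path))
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    print(triage(["/usr/bin/ls"], ["haxor"], in_patch_window=True))
```

On Linux the demo reports the content and ctime as changed but the mtime as unchanged, which is exactly why a checker that only trusts `ls -l` misses the substitution; a stored good checksum does not. The `triage` call returns "investigate" for the 'haxor' case even inside a patch window.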
