Matthias Schmidt wrote:
> You know, the best ideas often come out from
> discussions :-)
I agree wholeheartedly!

> In my opinion, the last modified time (ls -l) of a file is a (more or
> less) reliable source. This is what I want to see: When did the file
> change. The last access time (ls -lu) is not important, because it is
> changed by every backup, auditing, ... tool. What's the opinion of the
> community?

I think for your scenario, that would be the most useful. Your original question was about change management, and in that scenario the threat is not an attacker changing the mtime. For host compromise detection, the change time should not be trusted, or at least viewed with a high degree of skepticism.

Now I'll share something that many security pros probably won't agree with. I think integrity checking is one of the least useful metrics for host-based IDS. Of course this flies in the face of all of the traditional tools' approach. That's pretty much their whole game.

Think about it. Admins who are conscientious about security are patching every month, or in the case of staggered roll-outs, every week. This results in integrity checking alerts all the time. So, guess what happens? The brain starts to filter them out as background noise. Or quite literally, the analyst filters them out with the tool. And what are the files changed by patching? They are precisely the ones that would change in a real attack scenario. So in the end, patching systems and getting frequent alerts desensitizes the analyst to real attacks.

Integrity checking is most useful *in combination* with other methods, and has to be used very judiciously. I don't necessarily care if a file in \system32 changed, but if I see a new admin account called 'haxor' AND I see these files change, then I'm worried. But even then, to be truly trustworthy one has to have confidence that the stored checksum is good, and then the affected host can be examined forensically, offline.
OSSEC takes a very practical approach to these issues and that's why it's one of the best out there, commercial or otherwise. But in the end, it's all in how you use it. My .02.
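Added example for the two points made in the post above (not code from the thread, and not OSSEC's own implementation): a minimal SHA-256 baseline/compare, a constructed scenario in which a modified file has its mtime rolled back with utime (the hash and ctime still give it away), and a correlation step that only escalates an integrity hit when it coincides with a new admin account. The directory layout, the `svchost.exe` filename and the `haxor` account are constructed sample data, not real observations.

```python
"""Added example, not from the original thread or from OSSEC.

Demonstrates: (1) why a content hash beats mtime for compromise detection
(mtime can be reset with utime, ctime and the hash cannot), and (2) treating
integrity hits as low priority on their own and high priority only when they
coincide with another signal such as a newly created admin account.
All paths and account names below are constructed sample data."""
import hashlib
import os
import tempfile
import time


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 / mtime_ns / ctime_ns for every regular file under root."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            records[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns,
            }
    return records


def compare(base, current):
    """Diff two snapshots by content hash only; timestamps are reported, not trusted."""
    changed = sorted(p for p in base if p in current and base[p]["sha256"] != current[p]["sha256"])
    added = sorted(p for p in current if p not in base)
    removed = sorted(p for p in base if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


def correlate(diff, admins_before, admins_after):
    """Escalate only when integrity hits coincide with a new privileged account.

    A bare integrity hit is most likely patching and is returned as 'low';
    the same hit plus a new admin account is returned as 'high'."""
    new_admins = sorted(set(admins_after) - set(admins_before))
    hits = diff["changed"] + diff["added"]
    if not hits:
        return None
    if new_admins:
        return {"severity": "high", "new_admins": new_admins, "files": hits}
    return {"severity": "low", "new_admins": [], "files": hits}


def demo_mtime_rollback():
    """Constructed scenario: modify a file, then reset its mtime to the baseline value
    the way an attacker would with touch/utime. Returns what each signal still shows."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "system32", "svchost.exe")  # constructed name
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as f:
            f.write(b"original bytes")
        base = snapshot(root)
        rel = os.path.relpath(target, root)

        time.sleep(0.05)  # let the filesystem clock tick past the baseline
        with open(target, "wb") as f:
            f.write(b"trojaned bytes")
        st = os.stat(target)
        # Attacker rolls mtime back; utime cannot set ctime, which the kernel updates itself.
        os.utime(target, ns=(st.st_atime_ns, base[rel]["mtime_ns"]))

        cur = snapshot(root)
        diff = compare(base, cur)
        return {
            "diff": diff,
            "mtime_restored": cur[rel]["mtime_ns"] == base[rel]["mtime_ns"],
            "ctime_advanced": cur[rel]["ctime_ns"] >= base[rel]["ctime_ns"],
            "with_new_admin": correlate(diff, ["Administrator"], ["Administrator", "haxor"]),
            "patch_only": correlate(diff, ["Administrator"], ["Administrator"]),
        }


if __name__ == "__main__":
    for k, v in demo_mtime_rollback().items():
        print(k, v)
```

The `ctime_advanced` check is deliberately `>=` rather than `>`: filesystems with coarse timestamp granularity can report an unchanged ctime for a write that lands in the same tick, which is one more reason the hash, not any timestamp, is the signal to trust. The baseline itself must live somewhere the attacker cannot rewrite, otherwise `compare` is comparing one attacker-controlled value with another.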
