Monday, April 13, 2009

fcheck file system security

Download fcheck (see resources) and unpack it. fcheck is a cross-platform Perl script which runs on
UNIX and Windows systems (as long as they have Perl installed).
$ mkdir /usr/local/fcheck
$ cp fcheck /usr/local/fcheck
$ cp fcheck.cfg /usr/local/fcheck
Edit /usr/local/fcheck/fcheck.cfg with your favorite editor and change the following values:
Directory, FileTyper, Database, Logger, TimeZone, and Signature.
# Directories that will be monitored
# if there is a trailing / it will be recursive
Directory = /etc/
Directory = /bin/
Directory = /sbin/
Directory = /lib/
Directory = /usr/bin/
Directory = /usr/sbin/
Directory = /usr/lib/
TimeZone = PST8PDT # For Pacific Standard
# Database of file signatures
DataBase = /usr/local/fcheck/sol.dbf
Logger = /usr/bin/logger -t fcheck
# Utility to determine file type
FileTyper = /bin/file
# What to use to create signatures for the database
# of file signatures
$Signature = /usr/bin/md5sum
Also edit the fcheck script and change the path of the configuration file to
/usr/local/fcheck/fcheck.cfg
Then run fcheck for the first time to create the baseline database.
# Options explained:
# c create the database
# a is for all
# d is to monitor directory creation
# s is to create signatures for all files
# x is for extended permissions monitoring

$ ./fcheck -cadsx
To test that everything has been set up correctly, run the following commands; fcheck should alert you to
the difference.
$ touch /etc/FOO
$ ./fcheck -adsx
fcheck should display some information about /etc/FOO. Running $ rm /etc/FOO will prevent future messages.
Next, create a short shell script that will be run periodically by cron and check for changes. Open your
favorite editor and create /usr/local/bin/fcheck_script.
When using the `cron` utility, look out for _symlink attacks_ (see the side note at the end).
#!/bin/bash
# Use mktemp instead of $$ to prevent sym-link attacks
FCHECK_LOG=$(mktemp) || exit 1
# Run the check and drop the progress/status chatter and blank lines
/usr/local/fcheck/fcheck -adsx \
    | grep -Ev '^PROGRESS:|^STATUS:|^$' > "$FCHECK_LOG"
# If there were any changes email the sys-admin
if [ -s "$FCHECK_LOG" ]; then
    /usr/bin/mail -s "fcheck $(hostname)" \
        youremail@yourprovider.com < "$FCHECK_LOG"
fi
# Remove the temp file whether or not anything was reported
/bin/rm -f "$FCHECK_LOG"
The cron utility will be used to run periodic checks of the file-system and will compare it to the baseline
database. The following command will edit root’s crontab:
$ crontab -e
# Add this line to run the script every 15 minutes,
# using nice to lower its priority when the system
# load is high (crontab lines cannot be continued).
*/15 * * * * nice /usr/local/bin/fcheck_script > /dev/null
Symlink Attacks
Side Note: running an IDS package usually involves running a script at a pre-configured time using the
cron utility, and this opens systems up to symlink attacks. Symlink attacks rely on the attacker knowing
that a certain file is going to be created at a certain time with a certain name. A common shell-scripting
technique that provides some randomness is the use of $$, which is the PID of the running script. However,
this is vulnerable to symlink attacks because most PIDs are below 35K and most file systems can easily hold
35K files, so every candidate name can be occupied in advance. The correct technique is to use mktemp, which
creates the file itself under an unpredictable name and fails rather than reusing a name that already exists.
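The side note's contrast between $$ and mktemp, shown as an added example that is not part of the original post. It works entirely inside a throwaway sandbox directory (mktemp honours TMPDIR), plants a symlink at the predictable name to show what a $$-based script would blindly write through and what the pre-write check catches, then creates a temp file the safe way and confirms it is a 0600 regular file. The function and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: the unsafe $$-based temp file
# name next to the mktemp-based one, demonstrated inside a throwaway sandbox
# directory so nothing touches the real /tmp. mktemp honours TMPDIR.
SANDBOX=$(mktemp -d) || exit 1
TMPDIR=$SANDBOX
export TMPDIR
trap 'rm -rf "$SANDBOX"' EXIT

# Unsafe: the name depends only on the PID. PIDs come from a small range
# (pid_max, 32768 by default on Linux), so the name is guessable ahead of time.
predictable_tmp_name() {
    echo "$TMPDIR/fcheck.$$"
}

# True (exit 0) when the path already exists as a symlink, which is exactly
# what a script writing to a predictable name would otherwise follow.
path_is_symlink() {
    [ -L "$1" ]
}

# Safe: mktemp creates the file itself, atomically (O_EXCL) and with mode 0600,
# and fails instead of reusing a name that already exists.
safe_tmpfile() {
    f=$(mktemp "$TMPDIR/fcheck.XXXXXX") || return 1
    # Double-check the result is a regular file and not a link.
    if [ -f "$f" ] && ! [ -L "$f" ]; then
        echo "$f"
    else
        rm -f "$f"; return 1
    fi
}

# Permission bits of a path, e.g. 600 (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Walk-through: plant a symlink at the predictable name (inside the sandbox,
# pointing at a sandbox file) to show what the check catches, then use mktemp.
demo() {
    name=$(predictable_tmp_name)
    : > "$SANDBOX/some_other_file"
    ln -s "$SANDBOX/some_other_file" "$name"
    if path_is_symlink "$name"; then
        echo "refusing $name: it is already a symlink to $(readlink "$name")"
    fi
    f=$(safe_tmpfile) || exit 1
    echo "mktemp created $f (mode $(file_mode "$f"))"
}

demo
```

The trap on EXIT is the other half of the fix the post's cron script needs: the temp file is removed on every exit path, not only when changes were found.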
