Security Corner

Make CERTain Your Files Are Secure

Article 6/98

The Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, Pennsylvania, is well known around the world for its leadership role in computer security. It provides valuable information and tools for data security officers everywhere. I was recently checking the web site at www.cert.org and want to share some of their resources with you. CERT's material is written with UNIX in mind, but it holds valuable lessons for VOS users as well.

One of the items available at the web site is an intruder detection checklist. This contains things to look for and things to guard against to prevent unauthorized access (internal or external) to your system. One of the items on that list is: "Check your system binaries to make sure that they haven't been altered." They then reference a number of UNIX commands that have been reported altered in security incidents.

In VOS, we are somewhat protected from this because many critical system commands are internal to the operating system and very difficult to alter. However, external commands are simply files sitting in the directory structure, and a file can be replaced or modified by anyone who gains write access to it. In the CERT information module, "Detecting Signs of Intrusion", they provide these pointers for securing files:

"Maintain authoritative reference data for critical files and directories." This includes information such as location in the file system, alternate paths to it (in VOS, directory links), size, modification dates and author, access settings, and contents. Much of this information is available directly from VOS. Most of the details CERT refers to are part of the display_file_status output. You can search your disks to find links to a file and to find access settings.

Checking file contents is a little more difficult. You will need a tool to create a checksum from the contents of a file. This is fairly fast and easy. Remember, however, that a simple additive checksum can be fooled by a compensating change elsewhere in the file: alter one byte, adjust another by the same amount in the other direction, and the sum is unchanged. A cyclic redundancy check (CRC) is better against accidental corruption, since it detects any single-bit change, but it is not a defense against a deliberate intruder, who can adjust or append a few bytes so that a substituted file produces exactly the CRC value the original had. For real protection against substitution you need a cryptographic hash (a message digest) of the contents, which cannot be adjusted to a chosen value that way.
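To make the difference between these three checks concrete, here is an added example (not from the original column and not a VOS tool; it is plain Python over a constructed byte string that stands in for an external command file). It shows an intruder turning a logging flag off while keeping the additive checksum unchanged, then appending four bytes to force the CRC-32 back to the original value, and finally that the SHA-256 of the substituted file still differs. The CRC forgery relies on the fact that every entry of the CRC-32 lookup table has a distinct high byte, so the table indices of the last four steps can be read off backwards from the desired result. All names (`ORIGINAL`, `crc32_forge`, `run_demo`) are this example's own.

```python
import hashlib
import zlib

# Constructed stand-in for an external command file (not a real VOS binary).
ORIGINAL = b"list_users v1.0\x00log_every_call=1\x00padding\x00\x00"

CRC_POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib uses


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_table()
# Each table entry has a unique high byte; that is what makes the forgery below possible.
CRC_BY_HIGH_BYTE = {t >> 24: i for i, t in enumerate(CRC_TABLE)}


def additive_checksum(data: bytes) -> int:
    """Plain byte sum mod 256: the 'simple' checksum the text warns about."""
    return sum(data) & 0xFF


def crc32(data: bytes) -> int:
    """Table-driven CRC-32 (same result as zlib.crc32), written out so the forgery is readable."""
    reg = 0xFFFFFFFF
    for b in data:
        reg = (reg >> 8) ^ CRC_TABLE[(reg ^ b) & 0xFF]
    return reg ^ 0xFFFFFFFF


def reference_crc32(data: bytes) -> int:
    """Library CRC-32, used only to cross-check the hand-written one."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compensated_tamper(data: bytes, pos: int, new_byte: int) -> bytes:
    """Change one byte and adjust the next one so the additive checksum does not move."""
    buf = bytearray(data)
    delta = (new_byte - buf[pos]) & 0xFF
    buf[pos] = new_byte
    buf[pos + 1] = (buf[pos + 1] - delta) & 0xFF
    return bytes(buf)


def crc32_forge(data: bytes, target: int) -> bytes:
    """Return 4 bytes which, appended to data, make crc32(data + patch) == target.

    The final register value depends only on the last four table indices, and each
    index is recoverable from the register's high byte, so the indices are solved
    backwards from the target and the bytes that select them are derived forwards.
    """
    reg_target = target ^ 0xFFFFFFFF
    indices = [0] * 4
    reg = reg_target
    for i in (3, 2, 1, 0):
        indices[i] = CRC_BY_HIGH_BYTE[reg >> 24]
        reg = ((reg ^ CRC_TABLE[indices[i]]) << 8) & 0xFFFFFFFF
    reg = crc32(data) ^ 0xFFFFFFFF  # register state after the real data
    patch = bytearray()
    for idx in indices:
        patch.append((reg ^ idx) & 0xFF)
        reg = (reg >> 8) ^ CRC_TABLE[idx]
    assert reg == reg_target
    return bytes(patch)


def run_demo() -> dict:
    """Which checks does the intruder get past? Returns one flag per check."""
    pos = ORIGINAL.index(b"log_every_call=") + len(b"log_every_call=")
    tampered = compensated_tamper(ORIGINAL, pos, ord("0"))  # logging switched off
    forged = tampered + crc32_forge(tampered, crc32(ORIGINAL))
    return {
        "sum_fooled": additive_checksum(tampered) == additive_checksum(ORIGINAL),
        "crc_caught_tamper": crc32(tampered) != crc32(ORIGINAL),
        "crc_fooled_by_forgery": crc32(forged) == crc32(ORIGINAL),
        "sha256_fooled": sha256(forged) == sha256(ORIGINAL),
    }


if __name__ == "__main__":
    print(run_demo())
```

Note that the forgery needs no secret: anyone who knows the CRC polynomial (it is public) can do this, which is why a CRC belongs in a transmission protocol and not in an intrusion detection baseline.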

"Verify the integrity of directories and files according to your established schedule." You have, of course, established a schedule for monitoring these things... Once you have the information described above, you need to file it away in some sort of database so that you can compare back to it to find changes. Don't forget that the database itself needs to be protected against tampering: keep it on read-only media or off the monitored system, or sign it with a keyed hash so that a substituted copy is rejected. Encrypting it hides the contents but does not by itself stop an intruder from replacing it. The program that does the comparison is a critical file too, and belongs in the database.

"Identify any missing files or directories. Identify any new files and directories." Your database should allow you to check the current directory against the saved entries to find these conditions.
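The three CERT items above (record reference data, verify it on a schedule from a tamper-proof database, report missing and new entries) fit together into one small tool. The following is an added example, not code from the column or from Stratus: it is Python over an ordinary file system, using `os.lstat` and SHA-256 where a VOS site would take the same attributes from display_file_status output. The baseline is sealed with an HMAC under a key that is assumed to live off the monitored system, so a baseline an intruder rewrites is refused. The directory tree, file names and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_record(path: str) -> dict:
    """Reference data for one entry: location attributes the text lists plus a content hash."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mtime": int(st.st_mtime), "mode": st.st_mode, "owner": st.st_uid}
    if os.path.islink(path):
        rec["link_target"] = os.readlink(path)  # links are recorded, not followed
    else:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root: str) -> dict:
    """Walk root and record every file and link, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_record(full)
    return baseline


def seal(baseline: dict, key: bytes) -> dict:
    """Serialise the baseline and attach an HMAC so that a substituted copy is detected."""
    body = json.dumps(baseline, sort_keys=True)
    mac = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"body": body, "mac": mac}


def unseal(sealed: dict, key: bytes) -> dict:
    """Refuse to use a baseline whose HMAC does not verify."""
    expected = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline database has been tampered with")
    return json.loads(sealed["body"])


def compare(baseline: dict, current: dict) -> dict:
    """Missing, new and changed entries, the three conditions the CERT checklist asks for."""
    old, new = set(baseline), set(current)
    return {
        "missing": sorted(old - new),
        "new": sorted(new - old),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo() -> dict:
    key = b"constructed demo key; the real one stays off the monitored system"
    with tempfile.TemporaryDirectory() as root:
        # Constructed tree standing in for a directory of external commands.
        _write(root, "cmds/list_users", b"list_users version 1\n")
        _write(root, "cmds/display_access_list", b"display_access_list version 1\n")
        os.symlink("list_users", os.path.join(root, "cmds", "lu"))
        sealed = seal(build_baseline(root), key)

        # Simulated intrusion: a same-size Trojan replaces one command, one command
        # disappears, and a new file appears. Size and date alone would miss the Trojan.
        _write(root, "cmds/list_users", b"list_users version 2\n")
        os.remove(os.path.join(root, "cmds", "display_access_list"))
        _write(root, "cmds/.backdoor", b"call home\n")
        report = compare(unseal(sealed, key), build_baseline(root))

        # The intruder re-baselines to hide the changes but cannot produce the HMAC.
        forged = {"body": json.dumps(build_baseline(root), sort_keys=True), "mac": sealed["mac"]}
        try:
            unseal(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_demo())
```

Run on a schedule, the only state the tool needs is the sealed baseline and the key; if the key is on the same machine with the same access as the baseline, the seal adds nothing, which is the same point the text makes about read-only media.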

As CERT points out, a common practice for intruders is to substitute a Trojan horse program for a system tool to hide their activities. This allows them to hide the intrusion for a longer period of time. According to CERT, there have been cases where intruders were not discovered for months after they got on the system. Make sure that you guard your critical files as if your business depended on them.

 
©Copyright 2009