Backup Scripts, the FIM of the Poor
File Integrity Management or "FIM" is an interesting security control that can help to detect unusual changes in a file system. For example, on a server, there are directories that do not change often. Example with a UNIX environment:
- Binaries & libraries in /usr/lib, /usr/bin, /bin, /sbin, /usr/local/bin, ...
- Configuration files in /etc
- Devices files in /dev
Depending on the applications running on the server, we can also expect that static HTML content won't change often. Deploying a file integrity management solution always has a cost, even if some solutions, like OSSEC[1], are available for free.
Basically, to perform file integrity checks, the tool of your choice will read all the files from the file system, check whether the content changed, then generate an event if the file has been altered. Wait, do we already have tools that do pretty much the same? Backup scripts of course! To perform differential backups, they also have to scan the complete file system for changes. Why not use the output generated by those scripts to detect suspicious changes?
Plenty of backup scripts for UNIX rely on rsync[2], which is an amazing tool with interesting options. The verbosity is extremely modular. Of course, it can display the list of all files that have been added to the backup (read: that have changed), but it can also output the file hashes by changing the output format with "%C":
# rsync --checksum --out-format="%n %C" ...
Note: this option is not available on all rsync versions, check yours.
Based on this rsync output, you can search for suspicious changes in sensitive directories like /etc ("Why did your /etc/passwd change since the last backup?") or look up the MD5 hashes of altered binaries against VT or any other database of IOCs. Keep this in mind!
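As an added example (not part of the original diary), here is a small triage script for the "%n %C" output described above: it parses the lines rsync prints for transferred files, flags changes under the rarely changing directories listed earlier, and matches the checksums of changed binaries against a local IoC list. The sample output, the directory lists and the IoC hashes are constructed placeholders; the script assumes the backup was run from "/" so that names are relative, and that the checksum algorithm is the one your rsync version negotiated (MD5 for protocol 30, xxhash may be chosen by rsync >= 3.2).

```python
import re

# Directories the diary treats as rarely changing (constructed list; adapt to the host).
SENSITIVE_PREFIXES = ("etc/", "bin/", "sbin/", "usr/bin/", "usr/sbin/",
                      "usr/lib/", "usr/local/bin/", "dev/")
BINARY_PREFIXES = ("bin/", "sbin/", "usr/bin/", "usr/sbin/", "usr/lib/", "usr/local/bin/")

# Constructed sample of 'rsync --checksum --out-format="%n %C"' output for a backup
# rooted at "/" (names are relative to the source). The checksums are made up.
SAMPLE_OUTPUT = """\
sending incremental file list
etc/
etc/passwd 0123456789abcdef0123456789abcdef
var/www/html/index.html fedcba9876543210fedcba9876543210
usr/bin/ssh 00000000000000000000000000000bad
home/alice/notes.txt 11111111111111111111111111111111

sent 1,234 bytes  received 56 bytes  2,580.00 bytes/sec
"""

# Constructed local IoC set (e.g. exported from a threat-intel feed); placeholder value.
KNOWN_BAD_HASHES = {"00000000000000000000000000000bad"}

# A transferred file prints as "<name> <hex checksum>"; directories ("etc/") and
# rsync's own status lines carry no trailing checksum and therefore do not match.
LINE_RE = re.compile(r"^(?P<name>\S.*?) (?P<sum>[0-9a-f]{16,128})$")

def parse_out_format(text):
    """Return {relative_path: checksum} for every file rsync transferred."""
    files = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            files[m.group("name")] = m.group("sum").lower()
    return files

def triage(files, bad_hashes):
    """Split changed files into sensitive-directory changes and IoC hash matches."""
    sensitive = sorted(p for p in files if p.startswith(SENSITIVE_PREFIXES))
    ioc_hits = sorted(p for p, h in files.items()
                      if p.startswith(BINARY_PREFIXES) and h in bad_hashes)
    return {"sensitive": sensitive, "ioc_hits": ioc_hits}

if __name__ == "__main__":
    result = triage(parse_out_format(SAMPLE_OUTPUT), KNOWN_BAD_HASHES)
    for path in result["sensitive"]:
        print(f"[SENSITIVE] {path} changed since the last backup")
    for path in result["ioc_hits"]:
        print(f"[IOC MATCH] {path} checksum is on the block list")
```

In production, feed the script the saved output of the backup job and replace the placeholder IoC set with your own hash list; the output of a real run is only as good as the checksum algorithm rsync actually used, so confirm it before comparing against MD5-based feeds.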
[1] http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/
[2] https://rsync.samba.org/
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant