
I was exploring possibilities with the touch command when I forged the following situation in my mind.

  1. Suppose there are two admins or superusers (User A and User B) of a machine/server.

  2. User B is performing malicious activities; in this case, let us consider that User B is modifying file signatures using the touch command.


Questions

  1. How can User A identify these modifications?

  2. If there is only one admin and his system is compromised, how is it possible for the admin to detect the malicious activities?

One possible approach to detect such an intrusion is to check the system logs, but what if the intruder/attacker has somehow modified the system logs?

muru
Chinmaya B

3 Answers

2

You can try to use auditd for logging access to files (and more), but if an attacker gains access to your machine as superuser, then it is possible that all logs and traces are wiped without any way to detect it.

One possible mitigation is to enable remote logging (over the network) or use some other hardware that only allows data to be appended, without the ability to overwrite it.

If you suspect a compromise and want to investigate it, you are entering the area of forensics. Depending on the sloppiness of the attacker, this may succeed or fail. Examples include forgetting to remove a .bash_history or log files, and deleting files without shredding them.

You mention "file signature", but "touch" only modifies the metadata of the file. These are stored in a filesystem-specific format on the underlying disk device. Usually unprivileged programs cannot directly modify the underlying disk device. Instead they communicate with the kernel using system calls and request modifications to the filesystem (which then propagates the changes to the underlying disk). To see what system calls a program uses, you can use the strace program. For example, strace touch x gives me:

...
open("x", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3
dup2(3, 0)                              = 0
close(3)                                = 0
utimensat(0, NULL, NULL, 0)             = 0
...

Here you can see that the open system call is passed a path and returns a file descriptor. Later, this file descriptor is used in a call to the utimensat system call, which changes the file timestamp. All of these actions can be logged by the audit daemon described before, and of course the results can be observed due to changes to the filesystem. If you dig deep enough, you may find evidence of this activity, but then you are really relying on the creativity of forensics.

Lekensteyn
  • 178,446
1

You could use AIDE, a host-based intrusion detection system (HIDS), for checking the integrity of files with signatures. It is said to be able to store the mtime, ctime and atime of each file. So your example is covered.

Of course, you might want to store the result of AIDE off-site so that the result cannot be tampered with.

I am sure there are other HIDSs that offer a similar signature-based feature: http://www.la-samhna.de/library/scanners.html

solsTiCe
  • 9,515
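The two answers above describe the same detection from two sides: the utimensat call that strace reveals, and the mtime/ctime/atime that AIDE stores per file. The following added Python example (not code from either answer nor from AIDE) baselines a file the way a HIDS does, backdates it with os.utime (the same utimensat(2) path touch -d uses), and classifies the result. It assumes Linux/POSIX semantics, where utimensat can set atime and mtime freely but the kernel always resets ctime to the current time, so a backdated mtime next to a fresh ctime is the footprint an integrity checker can flag.

```python
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Record the per-file attributes an integrity checker such as AIDE keeps."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "sha256": digest, "atime": st.st_atime_ns,
            "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}


def compare(baseline, current):
    """Classify what changed between two snapshots of the same file."""
    changed = [k for k in baseline if baseline[k] != current[k]]
    if not changed:
        return "unchanged"
    if "sha256" in changed or "size" in changed:
        return "content modified"
    # Content identical but timestamps moved. utimensat(2) lets a caller set
    # atime/mtime to any value, yet the kernel stamps ctime with the current
    # time on every inode change (Linux/POSIX assumption), so a changed mtime
    # together with a ctime that only moved forward is the classic touch trace.
    if "mtime" in changed and "ctime" in changed and current["ctime"] > baseline["ctime"]:
        return "timestamps manipulated"
    return "metadata changed: " + ", ".join(changed)


def demo():
    """Constructed scenario: baseline a file, backdate it like `touch -d`, re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.conf")       # hypothetical file name
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        baseline = snapshot(path)
        time.sleep(0.05)                              # let the clock visibly advance
        past_ns = 946684800 * 10**9                   # 2000-01-01, an obviously old stamp
        os.utime(path, ns=(past_ns, past_ns))         # sets atime and mtime, not ctime
        current = snapshot(path)
        return compare(baseline, current), current["mtime"] == past_ns


if __name__ == "__main__":
    verdict, backdated = demo()
    print(verdict, "| mtime backdated:", backdated)
```

The baseline dictionary is what must live off-site or on append-only storage, as the answers note; the comparison is only as trustworthy as the copy the attacker could not reach.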
0

If somebody manages to get root access, they can do whatever they want, including removing all traces of their activity.

Sorry, but the only thing you can and must do is to protect your root/sudo password(s).

Byte Commander
  • 110,243