Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
Hand in hand with a rootkit checker such as Chkrootkit goes filesystem integrity software. Filesystem integrity software monitors important files on the computer and generates reports based on changes to those files. The administrator can then watch for unexpected changes to the files in question. For example, if files such as /etc/resolv.conf or even /etc/shadow change for no apparent reason, the administrator can take action. Two popular filesystem integrity tools are Tripwire and AIDE. Tripwire had been the choice among administrators for a long time. However, Tripwire's license changed, making commercial use of the software questionable and even calling its open-source nature into question. AIDE was developed as an alternative. In the meantime, the Tripwire license changed back, so as of this writing Tripwire is again a traditional open-source package. However, I'm not going to cover Tripwire in this book due to the license changes; I don't want the license to change yet again between the time I write this and the time you read it. AIDE is covered in detail, along with a more complete description of how filesystem integrity checking works, in Chapter 12, "Filesystem Integrity."
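As an added illustration (not the book's code, nor AIDE's or Tripwire's), here is a minimal version of what a filesystem integrity checker does: record a baseline of content hash, permissions and ownership for a set of watched files, then report which files were added, removed or changed and which attributes differ. The watched files are constructed stand-ins for /etc/resolv.conf and /etc/shadow in a temporary directory, not the real system files.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Attributes an integrity checker records for one file: content hash plus metadata."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(paths):
    """Snapshot every watched path; a file that does not exist is recorded as None."""
    return {p: (fingerprint(p) if os.path.isfile(p) else None) for p in paths}

def compare(baseline, current):
    """Report added, removed and changed files, naming the attributes that differ."""
    report = {}
    for path, old in baseline.items():
        new = current.get(path)
        if old is None and new is not None:
            report[path] = "added"
        elif old is not None and new is None:
            report[path] = "removed"
        elif old != new:
            diff = sorted(k for k in old if old[k] != new[k])
            report[path] = "changed:" + ",".join(diff)
    return report

def demo():
    """Constructed scenario with stand-ins for /etc/resolv.conf and /etc/shadow."""
    with tempfile.TemporaryDirectory() as d:
        resolv, shadow = os.path.join(d, "resolv.conf"), os.path.join(d, "shadow")
        for p, text in ((resolv, "nameserver 192.0.2.1\n"), (shadow, "root:*:0:0:99999:7:::\n")):
            with open(p, "w") as f:
                f.write(text)
        os.chmod(shadow, 0o600)
        baseline = build_baseline([resolv, shadow])
        # Unexpected changes after the baseline: DNS server swapped, shadow made world-readable.
        with open(resolv, "w") as f:
            f.write("nameserver 198.51.100.9\n")
        os.chmod(shadow, 0o644)
        report = compare(baseline, build_baseline([resolv, shadow]))
        return {os.path.basename(p): v for p, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

A real checker such as AIDE stores the baseline off-box or read-only and signs it; a baseline that lives on the monitored system is itself a file an intruder can rewrite.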