
File Integrity Monitoring for Windows and Linux. A Short List of Vulnerable Files

08.Mar.2016
Security teams won’t be using file integrity monitoring (FIM) as their first line of defence for network protection. Tools like daily vulnerability audits and twice-yearly penetration testing will be the main border control assets that you employ. But just like a country can find it has leaky borders, it’s good practice to make sure that your IT assets don’t have any blackhat activities lurking within your network. And one of the final ways of checking every neighbourhood in your network is FIM.

 

File Integrity Monitoring is a delicate balancing act

Of course the problem is that you will have millions of files on the network, and the vast majority of them are being changed regularly for legitimate purposes. So where should you focus your efforts to find the telltale signs of an attack?
The security experts at SecludIT have drawn up a shortlist of the most important files for you to monitor on Windows and Linux operating systems. But it’s hard to hit the sweet spot with FIM:

  • Monitor too many files and your efforts will result in a lot of false positives, plus the number of files to monitor could become impractical.
  • Monitor too few files and you could miss the evidence of an attack taking place.

Here are the insights from SecludIT, separated into Windows and Linux networks.

Windows Networks. The most important files to monitor (or exclude)

Windows. Files to INCLUDE in FIM:

The following files in C:\:
– autoexec.bat
– boot.ini
– config.sys
– io.sys
– msdos.sys
– ntbootdd.sys
– ntdetect.sys
– ntldr
The following folders (the folder entries themselves, not their files and subfolders):
– C:\Documents and Settings
– C:\Users
– C:\System Volume Information
The following folders (including files and subfolders) in C:\:
– Program Files
– Program Files (x86)
All files and folders under C:\WINDOWS, and in particular the following folders (the folder entries themselves, not their files and subfolders):
– assembly
– CSC
– DEBUG
– security
– system32\NtmsData
– Temp
 
Windows. Files to EXCLUDE from FIM:

Folders in “C:\WINDOWS” listed below, which mostly contain log files (the reason is explained below), cache files and other unimportant files:
– NtServicePackUninstall
– NtUninstall
– assembly
– CSC
– DEBUG
– HELP
– I386
– LogFiles
– Minidump
– Prefetch
– Shelliconcache
– SoftwareDistribution
– system32\Catroot
– system32\LogFiles
– system32\NtmsData
– system32\winevt\Logs
– System32\wdi\LogFiles
– system32\wbem
– Temp
– winsxs
– rescache
– serviceprofiles\networkservice\appdata\local\temp

Windows update. SecludIT is developing a FIM for Log Files technology

Log files should be monitored in order to make sure that no unauthorized changes have been made. Unfortunately, standard file integrity monitoring tools do not cope well with log files since, by nature, they are subject to frequent changes.

In particular, if a log file has been modified, then a standard FIM tool is not able to distinguish an unauthorized behavior from a normal one. It is not able to detect whether a log file has been tampered with (e.g. some lines have been removed in order to cover an attack) or not (e.g. some lines have been appended).

SecludIT is currently working on File Integrity Monitoring specifically for log files. When launched, our FIM technology for Log Files will monitor the integrity of log files without affecting the performance of production servers.
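As an added illustration of the append-versus-tamper distinction described above (example code written for this page, not SecludIT's product, whose design is not described here): the baseline records the log's current size and the SHA-256 of those bytes, and a later check accepts growth beyond that size but flags any shrinkage or any change inside the baselined region. The syslog-style lines are constructed sample data.

```python
import hashlib, os, tempfile

def _prefix_sha256(path, nbytes, chunk=65536):
    """SHA-256 of the first nbytes of path (the whole file when nbytes is its size)."""
    h, remaining = hashlib.sha256(), nbytes
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(chunk, remaining))
            if not block:
                break
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()

def snapshot_log(path):
    """Baseline: the size now, and the hash of everything written up to that size."""
    size = os.path.getsize(path)
    return {"size": size, "prefix_sha256": _prefix_sha256(path, size)}

def check_log(path, baseline):
    """'unchanged', 'appended' (old bytes intact, file grew) or 'tampered'
    (file shrank, or the baselined region no longer hashes the same)."""
    size = os.path.getsize(path)
    if size < baseline["size"]:
        return "tampered"       # lines removed, or file truncated/rotated
    if _prefix_sha256(path, baseline["size"]) != baseline["prefix_sha256"]:
        return "tampered"       # an existing line was edited in place
    return "unchanged" if size == baseline["size"] else "appended"

def demo():
    """Constructed syslog-style sample; returns the verdict after each kind of change."""
    lines = [b"Mar  8 10:00:01 host sshd[100]: Accepted publickey for alice\n",
             b"Mar  8 10:00:05 host sshd[101]: Failed password for root\n",
             b"Mar  8 10:00:09 host sudo: alice : COMMAND=/bin/ls\n"]
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"".join(lines))
        path = f.name
    base = snapshot_log(path)
    verdicts = [check_log(path, base)]
    with open(path, "ab") as f:                   # normal growth: a new line appended
        f.write(b"Mar  8 10:00:12 host cron[102]: job started\n")
    verdicts.append(check_log(path, base))
    with open(path, "wb") as f:                   # the failed-login line removed
        f.write(b"".join(lines[:1] + lines[2:]))
    verdicts.append(check_log(path, base))
    with open(path, "wb") as f:                   # same size, one line edited in place
        f.write(b"".join(lines).replace(b"root", b"bob "))
    verdicts.append(check_log(path, base))
    os.unlink(path)
    return verdicts
```

Log rotation replaces the file with a smaller one and is therefore reported as tampered, so the baseline has to be refreshed whenever rotation runs. The check only proves that nothing before the baseline moved; it says nothing about the content of the appended lines.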

Linux Networks. The most important files to monitor (or exclude)

Linux. Files to INCLUDE in FIM:
 
Root folder:
– monitor the permissions
Monitor the permissions, the access/modification time and the content of all files (except logs and cache files) in the following folders:
– /bin
– /sbin
– /usr/sbin
– /usr/bin
– /usr/local/bin
– /usr/local/sbin
– /opt/bin
– /opt/sbin
– /lib
– /usr/lib
– /usr/local/lib
– /lib64
– /usr/lib64
– /root
– /etc
Some Linux attacks try to gain privileges by modifying the configuration of your grub file, therefore /boot/grub/grub.conf must be properly monitored.
 
Linux. Files to EXCLUDE from FIM:

– Exclude log files (e.g. /var/log) – see the note on log file monitoring above.
– Exclude cache files
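The Linux list above turned into a baseline-and-compare check, as an added example written for this page (not SecludIT's product): every file under the listed folders is recorded with its permissions, modification time and a SHA-256 of its content, the root folder is recorded for its permissions only, /boot/grub/grub.conf is handled as a single file, and log and cache files are left out. Paths are taken relative to a root so the demo can run against a constructed temporary tree instead of "/".

```python
import hashlib, os, stat, tempfile
from pathlib import Path
MONITORED = ["/bin", "/sbin", "/usr/sbin", "/usr/bin", "/usr/local/bin", "/usr/local/sbin",
             "/opt/bin", "/opt/sbin", "/lib", "/usr/lib", "/usr/local/lib", "/lib64",
             "/usr/lib64", "/root", "/etc", "/boot/grub/grub.conf"]  # the list above
EXCLUDED = (".log", ".cache")   # log and cache files stay out, as the text recommends

def _record(path):  # permissions and mtime, plus a SHA-256 of the content for regular files
    st = os.lstat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest() if stat.S_ISREG(st.st_mode) else None
    return {"mode": stat.filemode(st.st_mode), "mtime": int(st.st_mtime), "sha256": digest}

def baseline(root="/"):
    """{path: record}; paths are relative to root so a staging copy or test tree can stand in for "/"."""
    snap = {"/": {"mode": stat.filemode(os.lstat(root).st_mode)}}  # root folder: permissions only
    for entry in MONITORED:
        top = os.path.join(root, entry.lstrip("/"))
        if os.path.isfile(top):                 # grub.conf is a single file, not a folder
            snap[entry] = _record(top)
        for dirpath, _, names in os.walk(top):  # yields nothing when top is absent
            for full in (os.path.join(dirpath, n) for n in names):
                if not full.endswith(EXCLUDED):
                    snap["/" + os.path.relpath(full, root)] = _record(full)
    return snap

def diff(old, new):  # {path: reason}, reason in added/removed/content/mtime/mode
    out = {}
    for rel in sorted(set(old) | set(new)):
        if rel not in new: out[rel] = "removed"
        elif rel not in old: out[rel] = "added"
        else:
            hit = [k for k in ("sha256", "mtime", "mode") if old[rel].get(k) != new[rel].get(k)]
            if hit:
                out[rel] = "content" if hit[0] == "sha256" else hit[0]
    return out

def demo():
    """Constructed tree: grub.conf edited, /etc/passwd made world-writable, a .log written under /etc."""
    root = tempfile.mkdtemp()
    grub, passwd = Path(root, "boot/grub/grub.conf"), Path(root, "etc/passwd")
    for p in (grub, passwd):
        p.parent.mkdir(parents=True)
    grub.write_text("timeout=5\n")
    passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
    old = baseline(root)
    grub.write_text("timeout=0\n")                    # boot configuration changed
    passwd.chmod(0o666)                               # permissions changed, content intact
    Path(root, "etc/install.log").write_text("ok\n")  # excluded by suffix, so not reported
    return diff(old, baseline(root))
```

Running `baseline("/")` on a real host and storing the result off-box gives the reference snapshot; `diff(stored, baseline("/"))` on the next run lists what moved and why.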
 

Keeping your network secure with a daily vulnerability audit

Although it is important as the last line of defense, File Integrity Monitoring can be time consuming and complex.

An efficient first line of defense is the Elastic Detector application from SecludIT. Elastic Detector is an automated way to check your network for vulnerabilities every day. We add an average of 20 new vulnerabilities daily to our threat list, which minimizes the window of opportunity for hackers.
 
Highlights of our Elastic Detector program are:
  • It works on clones of servers, so network performance is not degraded.
  • The list of security threats is updated on a daily basis, with prioritized reporting.
  • SecludIT provides remediation sheets and fix tips, so even non-security specialists can implement fixes.

 
