File Integrity Monitoring for Windows and Linux. A Short List of Vulnerable Files
File Integrity Monitoring is a delicate balancing act
f course the problem is that you will have millions of files on the network, and the vast majority of them are being changed regularly for legitimate purposes. So where should you focus your efforts to find the telltale signs of an attack?
The security experts at SecludIt have drawn up a shortlist of the most important files for you to monitor on Windows and Linux Operating systems. But it’s hard to get the sweet spot with FIM:
- Monitor too many files and your efforts will result in a lot of false positives, plus the number of files to monitor could become impractical.
- Monitor too few files and you could miss the evidence of an attack taking place.
Here’s the insights from SecludIT, separated into Windows and Linux networks.
Windows Networks. The most important files to monitor (or exclude)
Windows. Files to INCLUDE in FIM:
The following files in C:\:
– autoexec.bat
– boot.ini
– config.sys
– io.sys
– msdos.sys
– ntbootdd.sys
– ntdetect.sys
– ntldr
The following folders (no files and subfolders):
– C:\Documents and Settings
– C:\Users
– C:\System Volume Information
The following folders (including files and subfolders) in C:\:
– ProgramFiles
– ProgramFiles(x86)
All files and folders under C:\WINDOWS, and in particular the following folders (no files and subfolders):
– assembly
– CSC
– DEBUG
– security
– system32\NtmsData
– Temp
Windows. Files to EXCLUDE from FIM:
Folders in “C:\WINDOWS” listed below, which basically contain log files (the reason is explained below), cache files and other unimportant files:
– NtServicePackUninstall
– NtUninstall
– assembly
– CSC
– DEBUG
– HELP
– I386
– LogFiles
– Minidump
– Prefetch
– Shelliconcache
– SoftwareDistribution
– system32\Catroot
– system32\LogFiles
– system32\NtmsData
– system32\winevt\Logs
– System32\wdi\LogFiles
– system32\wbem
– Temp
– winsxs
– rescache
– serviceprofiles\networkservice\appdata\local\temp
Windows update. SecludIT is developing a FIM for Log Files technology
Log files should be monitored in order to make sure that no unauthorized changes have been made. Unfortunately, standard file integrity monitoring tools do not cope well with log files since, by nature, they are subject to frequent changes.
In particular, if a log file has been modified, then a standard FIM tool is not able to distinguish an unauthorized behavior from a normal one. It is not able to detect whether a log file has been tampered with (e.g. some lines have been removed in order to cover an attack) or not (e.g. some lines have been appended).
SecludIT is currently working on File Integrity Monitoring specifically for log files. When launched, our FIM technology for Log Files will monitor the integrity of log files without affecting the performance of production servers.
Linux Networks. The most important files to monitor (or exclude)
– monitor the permissions
Monitor the permissions, the access/modification time and the content of all files (except logs and cache files) in the following folders:
– /bin
– /sbin
– /usr/sbin
– /usr/bin.
– /usr/local/bin
– /usr/local/sbin
– /opt/bin
– /opt/sbin
– /lib
– /usr/lib
– /usr/local/lib
– /lib64
– /usr/lib64
– /root, /etc
Some Linux attacks try to gain privileges by modifying the configuration of your grub file, therefore it must be properly monitored /boot/grub/grub.conf
Linux. Files to EXCLUDE from FIM:
– Exclude log files (e.g. /var/log) – see Linux update below.
– Exclude cache files
Keeping your network secure with a daily vulnerability audit
An efficient first line of defense is the Elastic Detector application from SecludIT. Elastic Detector as an automated way to check your network for vulnerabilities every day. We add an average of 20 new vulnerabilities daily to our threat list, which minimizes the window of opportunity for hackers.
- It works on clones of servers, so network performance is not degraded.
- The list of security threats is updated on a daily basis, with prioritized reporting.
- SecludIT provides remediation sheets and fix tips. So even non security specialists can implement fixes.