6. Intrusion Detection II: File Change/Signature Monitoring

In addition to reading and perhaps changing data stored on your machine, an intruder may attempt to hide their work from you by altering the behaviour of utilities such as df, du, ls, ps, netstat... This can be done by replacing the executables/utilities themselves, or the libraries (.sos) they use, or even by altering the system calls they rely on.

File system integrity (i.e., unwanted alterations to executables and libraries) can be monitored by using MD5 checksums of files and/or using Tripwire or a similar utility. Alteration of system calls (in the kernel --- or more likely in kernel modules) is a different kettle of fish entirely, but tools are available to detect this also --- see the next section.

6.1. Using MD5 Checksums --- Home-brewed Systems

Tripwire (below) is a powerful tool, but can be a lot of work to configure and use. An alternative is simply to write or use a simple script to check the integrity of important files (and to do this regularly).

Relying on the size and/or datestamp of a file is not enough --- these can be "faked". A much more reliable method is to determine the current MD5 checksum of a file and compare it to the value when the file was known to be clean (e.g., immediately after installation of the OS).

Linux comes with /usr/bin/md5sum which can be used for this; alternatively, use the Perl module Digest::MD5. There are several freely-available utilities which use MD5 checksums to ensure file integrity, including AIDE (Advanced Intrusion Detection Environment) and Cheesewire.
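The following is an added example (not part of the original notes) of the home-brewed checker described above: a baseline of md5sum values is recorded while the files are known to be clean and later re-verified with md5sum -c. It assumes GNU coreutils (md5sum -c --quiet, stat -c, touch -d), constructs its own sample files in a temporary directory, and shows that a replacement file with the same size and datestamp is still caught by the checksum; sha256sum is a drop-in substitute for md5sum, which is no longer collision-resistant.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes GNU coreutils.
# The baseline file should live where an intruder cannot rewrite it
# (read-only media or a remote host); here it is just a path.

# Record a baseline: one "checksum  path" line per regular file under $1
# into $2. Run this when the files are known to be clean (e.g. right
# after installing the OS). Sorting keeps the baseline diff-friendly.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 md5sum > "$2"
}

# Re-hash every file listed in the baseline $1. Prints only the paths
# that FAILED (changed or missing); returns 0 if nothing has changed.
check_baseline() {
    md5sum -c --quiet "$1" 2>/dev/null
}

# Demonstration on constructed sample files. Sets DEMO_BEFORE (check
# result on the clean tree) and DEMO_AFTER (after one file is replaced);
# returns 0 when the replacement was detected as expected.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/bin"
    printf 'original ls\n' > "$tmp/bin/ls"
    printf 'original ps\n' > "$tmp/bin/ps"
    make_baseline "$tmp/bin" "$tmp/baseline.md5"
    if check_baseline "$tmp/baseline.md5"; then DEMO_BEFORE=0; else DEMO_BEFORE=1; fi

    # Simulate a replaced ps: same byte length as the original, and the
    # original modification time is put back, so size and datestamp
    # alone would reveal nothing. The checksum still differs.
    stamp=$(stat -c %Y "$tmp/bin/ps")
    printf 'trojaned ps\n' > "$tmp/bin/ps"
    touch -d "@$stamp" "$tmp/bin/ps"
    if check_baseline "$tmp/baseline.md5"; then DEMO_AFTER=0; else DEMO_AFTER=1; fi

    rm -rf "$tmp"
    [ "$DEMO_BEFORE" -eq 0 ] && [ "$DEMO_AFTER" -eq 1 ]
}
```

In practice make_baseline is run once from a clean system and check_baseline from cron, with both the script and the baseline kept off the monitored host so a replaced md5sum cannot simply report success.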

6.2. Tripwire

Let me quote from the RPM: Tripwire answers the fundamental question: "Is my system the same today as it was yesterday?" Tripwire creates a cryptographically-secured database of files and their characteristics based on the specifications of your configurable policy file. This database is then used to determine if any unauthorized changes have been made to your system.

A report of changes to individual files is periodically emailed to the system administrator.

There are both commercial and open-source (freely downloadable) versions of Tripwire in existence. The open-source versions may be downloaded from www.tripwire.org. For Linux, binary RPMs are available; for Solaris one must compile and link the source code.

Configuration of Tripwire is not as simple as it might be --- it is very easy to get many false-positives. However, in the near future, ISD may be able to supply a Perl script which will help with this process.

Installation and Configuration of Tripwire on RedHat Linux

Install the RPM; edit /etc/tripwire/twpol.txt as appropriate; run /etc/tripwire/tripwire.sh; run tripwire --init. (Remove /etc/tripwire/twpol.txt).

If you wish to subsequently change the policy, edit /etc/tripwire/twpol.txt; run twadmin --create-polfile twpol.txt to create the encrypted version of the policy; then run tripwire --init.

Sending Tripwire Output to a Remote Machine

Tripwire should be configured to send its output to a remote machine to minimise the risk of an intruder tampering with its reports. Tripwire sends its reports to stdout, so simply configure Cron to send its output to a remote machine.
