Backup Scripts, the FIM of the Poor, (Wed, Jul 12th)

File Integrity Management or FIM is an interesting security control that can help to detect unusual changes in a file system. By example, on a server, they are directories that do not change often. Example with a UNIX environment:

  • Binaries libraries in /usr/lib, /usr/bin, /bin, /sbin, /usr/local/bin, …
  • Configuration files in /etc
  • Devices files in /dev

Depending on the applications running on the server, we can also expect that static HTML content wont change often. The deployment of a file integrity management solution has always a cost, even if some solutionsareavailable for free like OSSEC[1].

Basically, to perform file integrity checks, the tool of your choice will read all the files from the file system, check if the content changed, then generate an event if the file has been altered. Wait, do we already have tools that do pretty much the same? Backup scripts of course! To perform differential backups, they also have to scan the complete file system for changes. What not use the output generated by those scripts to detect suspiciouschanges?

Plenty of backup scripts for UNIX relies on rsync[2] which is an amazing tool with interestingoptions. The verbosity is extremely modular. Of course, it candisplay the list of all files that have been added to the backup(read: that have been changed) but it can also output the file hashes by reformating the output format with %C padding:5px 10px”>
# rsync –checksum –out-format=%n %C …

Note: this option is not available on all rsync version, check yours.

Based onthis rsync output, you can search for suspicious changes in sensitive directories like /etc (Why did your /etc/passwd change since the last backup?) or lookup the MD5 hashes of altered binaries against VT or any other database of IOCs. Keep this in mind!

[1]http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/
[2]https://rsync.samba.org/

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.