A.21 Chapter 20: Integrity Management

  • If your system supports immutable and append-only files, use them. If you don't have them, consider asking your vendor when they will be supported in your version of Unix.

  • If possible, mount disks read-only if they contain system software. Ideally, use hardware write protection.

  • Make a checklist listing the size, modification time, and permissions of every program on your system, and include a cryptographic checksum (message digest) of each file as well: size, timestamps, and permissions are trivial for an attacker to restore after modifying a file, but a strong digest is not. Keep copies of this checklist on removable or write-once media and use them to determine if any of your system files or programs have been modified.

  • Write a daily check script to check for unauthorized changes to files and system directories.

  • Double-check the protection attributes on system command and datafiles, on their directories, and on all ancestor directories.

  • Consider making all files on NFS-exported disks owned by user root. Because an NFS server normally maps a client's root to an unprivileged user, root-owned files can then be modified from a client only if the server has explicitly granted that client root access.

  • If you have backups of critical directories, you can use comparison checking to detect unauthorized modifications. Be careful to protect your backup copies and comparison programs from potential attackers.

  • Consider running rdist in verify mode (rdist -v) from a protected system on a regular basis, so that it reports files that differ from the protected master copies without installing anything.

  • Make an offline list of every SUID and SGID file on your system, and compare the live system against it regularly; a new or changed SUID program is one of the commonest signs of a break-in.

  • Consider installing something to check message digests of files (e.g., Tripwire or AIDE). Be certain that the program, its configuration, and its database are stored on read-only media, cryptographically protected (signed or encrypted), or both; a checker whose database an intruder can rewrite proves nothing.

  • If a system has been compromised, assume that it is thoroughly compromised and that nothing on it is trustworthy, including the integrity-checking tools themselves. Check it with tools and databases booted or loaded from known-good media.
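The checklist, daily check, and SUID/SGID list items above fit into one small script. The following is an added example written for this page, not code from the book or from Tripwire or AIDE. It assumes GNU or BusyBox coreutils (stat -c, sha256sum); the paths in the usage comment are hypothetical, and file names containing newlines are not handled.

```shell
#!/bin/sh
# Added example (not from the book): a minimal baseline-and-compare integrity
# check in POSIX sh. It builds a manifest of digest, permissions, owner, size
# and mtime for every regular file, compares the live tree against that
# manifest, and lists SUID/SGID files. Assumes GNU/BusyBox coreutils
# (stat -c, sha256sum). Paths in the usage comment are hypothetical.

# Print one manifest line per regular file under $1:
#   sha256 mode uid gid size mtime path
integrity_manifest() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %u %g %s %Y' "$f")
        printf '%s %s %s\n' "$sum" "$meta" "$f"
    done
}

# List SUID and SGID regular files under $1. Keep the output offline and
# diff the live system against it regularly.
suid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# Compare baseline manifest $1 against the live tree $2. Prints ADDED,
# REMOVED and CHANGED lines and returns 0 only if nothing differs. Because
# the digest is part of each record, an edit that preserves size, mode and
# mtime is still reported.
integrity_check() {
    baseline=$1
    current=$(mktemp)
    integrity_manifest "$2" > "$current"
    if awk '
        # path = everything after the six fixed fields (internal spaces kept)
        function path(   s, i) { s = $0; for (i = 0; i < 6; i++) sub(/^[^ ]+ /, "", s); return s }
        function rec()         { return $1 " " $2 " " $3 " " $4 " " $5 " " $6 }
        FILENAME == ARGV[1]    { base[path()] = rec(); next }
        {
            p = path(); seen[p] = 1
            if (!(p in base))          { print "ADDED   " p; bad = 1 }
            else if (base[p] != rec()) { print "CHANGED " p; bad = 1 }
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad
        }' "$baseline" "$current"
    then rc=0; else rc=1; fi
    rm -f "$current"
    return $rc
}

# Usage (hypothetical paths; the baseline belongs on write-once or removable media):
#   integrity.sh init  /usr /mnt/cdrom/baseline.txt    # build the manifest
#   integrity.sh check /usr /mnt/cdrom/baseline.txt    # daily cron job
case "${1:-}" in
    init)  integrity_manifest "$2" > "$3" ;;
    check) integrity_check "$3" "$2" ;;
esac
```

Run the check from cron on a protected host, with the script and the baseline on media the monitored machine cannot write, and send the report off-machine. The script can only be as honest as the kernel and the sha256sum and stat binaries it runs; on a machine suspected of compromise, run it from known-good media.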