---
SPDX-FileCopyrightText: © 2024 Menacit AB <[email protected]>
SPDX-License-Identifier: CC-BY-SA-4.0
title: "Logging course: Integrity monitoring"
author: "Joel Rangsmo <[email protected]>"
footer: "© Course authors (CC BY-SA 4.0)"
description: "Introduction to file and system integrity monitoring in logging course"
---
So you wanna protect the integrity of your files and perhaps the whole system?
Several options besides simple FIMs.
Let's talk about some of them!
Storage or runtime detection/protection?
Protection/Flexibility of configuration?
Overlap with other software/security products?
Platform support?
- Tripwire Open Source
- Samhain
- OSSEC
- Wazuh
- osquery
- auditd
- Auditbeat
Knowing which files to include on the FIM watch-list can be tricky.
Disk/file system snapshots can be a useful alternative/complement.
The state of systems changes over time as applications get installed/updated and administrators modify configuration.
Properly managing a FIM database can be very time-consuming, making investigation and recovery after an incident challenging.
Usage of immutable systems, such as Docker containers, can greatly reduce the burden (especially when combined with a read-only file system configuration).
How can we trust the FIM if the system has been compromised?
Let's talk a bit about boot and runtime integrity protection.
Not just a thing to make neckbeards mad!
Secure Boot utilizes cryptographic signatures during the computer's boot process to prevent execution of untrusted firmware and operating systems.
Most systems ship with a trust store managed by Microsoft, some support configuration of custom keys/CAs.
"Measured boot" is its upcoming sibling, focusing on logging/hashing executed code.
Integrity Measurement Architecture.
Monitors execution of programs and performs hashing of their content ("measurement") before execution.
Can be used to verify runtime integrity and notify administrators if unexpected applications are run.
Trusted Platform Module.
Common hardware chip (or CPU feature) capable of storing secrets and performing basic cryptographic operations.
Hash-chaining is used to store measurements in Platform Configuration Registers (PCRs).
The TPM can be configured to unlock a secret, such as a disk encryption key, only when a PCR contains a specific value/measurement, which acts as a boot/runtime integrity check.
Even better: produce an attestation report!
If you think this sounds cool/useful, check out Keylime and the "System Transparency" project.
You can also check out Joel's talk from SEC-T, which is available on YouTube.
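As an added example (not part of the course material), the PCR extend operation, the sealing check and the verifier side of an attestation report from the slides above, modelled in Python. The component names and contents are constructed, and the TPM's signature over the report is not modelled.

```python
import hashlib
import hmac

PCR_RESET = bytes(32)  # SHA-256 PCR bank: all zeroes after platform reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || measurement).
    A PCR can only be extended, never written, so every earlier
    measurement and its order stay bound into the current value."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(content: bytes) -> bytes:
    """Measurement of a component: hash of its content before it runs
    (the same idea IMA applies to executed programs)."""
    return hashlib.sha256(content).digest()


def replay(events) -> bytes:
    """Recompute the PCR value from an ordered event log of (name, content)."""
    pcr = PCR_RESET
    for _name, content in events:
        pcr = pcr_extend(pcr, measure(content))
    return pcr


# Constructed "golden" boot chain recorded from a known-good system.
GOLDEN_BOOT = [
    ("firmware", b"vendor firmware 1.2 (constructed sample)"),
    ("bootloader", b"shim + grub (constructed sample)"),
    ("kernel", b"vmlinuz (constructed sample)"),
]
GOLDEN_PCR = replay(GOLDEN_BOOT)


def policy_allows_unseal(events, sealed_to: bytes = GOLDEN_PCR) -> bool:
    """Model of a TPM sealing policy: the secret (e.g. a disk encryption key)
    is released only when the PCR reached by this boot equals the sealed-to value."""
    return hmac.compare_digest(replay(events), sealed_to)


def verify_attestation(report: dict, nonce: bytes, golden: bytes = GOLDEN_PCR) -> bool:
    """Remote verifier side: the report must echo our fresh nonce (replay
    protection) and carry the expected PCR value."""
    return report["nonce"] == nonce and hmac.compare_digest(report["pcr"], golden)


if __name__ == "__main__":
    print("golden PCR:", GOLDEN_PCR.hex())
    swapped = [GOLDEN_BOOT[1], GOLDEN_BOOT[0], GOLDEN_BOOT[2]]
    print("same components, different order, unseals:", policy_allows_unseal(swapped))
```

Swapping two components or changing a single byte of the kernel yields a different PCR, so the sealed secret stays locked even though every individual file still "exists" on disk.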
Integrity protection ain't just about basic FIMs.
Usage of immutable systems surely simplifies monitoring of state changes.
TPM + Measured boot + IMA ~= <3