
I was exploring possibilities with the touch command, while I forged the following situation in my mind.

  1. Suppose there are two admins or superusers (User A and User B) of a machine/server.

  2. User B is performing malicious activities; in this case, let us consider that User B is modifying file signatures using the touch command.


Questions

  1. How can User A identify these modifications?

  2. If there is only one admin and his system is compromised, how is it possible for the admin to detect the malicious activities?

One possible approach to detect such an intrusion is to check the system logs, but what if the intruder/attacker has somehow modified the system logs?

muru
Chinmaya B

3 Answers

2

You can try to use auditd for logging access to files (and more), but if an attacker gains access to your machine as superuser, then it is possible that all logs and traces are wiped without any way to detect it.

One possible mitigation is to enable remote logging (over the network) or use some other hardware that only allows appending data, without the ability to overwrite it.

If you suspect a compromise and want to investigate it, you are entering the area of forensics. Depending on the sloppiness of the attacker this may succeed or fail. Examples include forgetting to remove a .bash_history or log files, and deleting files without shredding them.

You mention "file signature", but "touch" only modifies the metadata of the file. These are stored in a filesystem-specific format on the underlying disk device. Usually unprivileged programs cannot directly modify the underlying disk device. Instead they communicate with the kernel using system calls and request modifications to the filesystem (which then propagates changes to the underlying disk). To see what system calls a program uses, you can use the strace program. For example, strace touch x gives me:

...
open("x", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3
dup2(3, 0)                              = 0
close(3)                                = 0
utimensat(0, NULL, NULL, 0)             = 0
...

Here you can see that the open system call is passed a path and returns a file descriptor. Later, this file descriptor is used in a call to the utimensat system call, which changes the file timestamps. All of these actions can be logged by the audit daemon described before, and of course the results can be observed as changes to the filesystem. If you dig deep enough, you may find evidence of this activity, but then you are really relying on the creativity of forensics.

Lekensteyn
  • How many copies of the Bash history are stored? E.g. if a normal user modifies a file signature with the touch command, how do we detect it? So far I am totally unsuccessful in recovering deleted files (http://askubuntu.com/questions/676242/how-to-recover-deleted-files-in-ubuntu-using-live-usb-based-on-filetype). I have also tried NTFSundelete and ext4undelete. – Chinmaya B Sep 19 '16 at 19:59
  • @ChinmayaB Typically only one copy of the Bash history file, because the shell appends data to this file. If a normal user uses the touch command, then no new file is created, only the metadata is modified, so "undelete" is not possible. To better understand why touch is (not) detectable, you must understand what the touch command does (see the updated answer for that). – Lekensteyn Sep 19 '16 at 20:10
  • You proved in the answer that touch is detectable. Good answer! By the way, what's the problem with relying on the creativity of forensics? "but then you are really relying on the creativity of forensics" – Chinmaya B Sep 19 '16 at 20:13
  • @ChinmayaB Forensics requires skills and creativity. You are basically relying on unusual properties that you normally do not use (for example, directly reading the data from the disk device, using properties of the filesystem (journaling, copy-on-write), incidental backups before the wipe, etc.). – Lekensteyn Sep 19 '16 at 20:43
1

You could use AIDE, a host-based intrusion detection system (HIDS) for checking the integrity of files with signatures. It is said to be able to store the mtime, ctime and atime of each file, so your example is covered.

Of course, you might want to store the result of AIDE off-site so that nothing can tamper with the result.

I am sure there are other HIDSs that offer similar signature-based features: http://www.la-samhna.de/library/scanners.html

solsTiCe
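The two answers above make one point each: Lekensteyn's, that touch is just utimensat() on a file descriptor, and solsTiCe's, that an AIDE-style database of mtime/ctime/atime plus a content hash catches the change. The script below, an added example that is not code from either answer or from AIDE, ties them together. It assumes Linux/POSIX semantics: utimensat() (which Python's os.utime wraps) lets the caller set atime and mtime to any value, but the kernel sets ctime to the current time and offers no ordinary system call to choose it. The files, names and the "a year ago" backdate are constructed for the demo.

```python
"""Detect touch-style timestamp forgery with an AIDE-like baseline.

Added example, not from the answers above. Assumes Linux/POSIX semantics
for utimensat() and ctime; file names and contents below are constructed.
"""
import hashlib
import os
import stat
import tempfile
import time

# Fields compared by default. atime is deliberately left out: merely reading
# a file to hash it can update atime (depending on relatime/noatime mounts).
DEFAULT_FIELDS = ("size", "mode", "uid", "gid", "inode", "mtime", "ctime", "sha256")


def fingerprint(path):
    """Metadata plus content hash for one path, like one AIDE database row."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {
        "size": st.st_size, "mode": st.st_mode, "uid": st.st_uid,
        "gid": st.st_gid, "inode": st.st_ino, "atime": st.st_atime_ns,
        "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
        "sha256": digest.hexdigest(),
    }


def build_baseline(root):
    """Fingerprint every file under root. Keep the result off-host."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current, fields=DEFAULT_FIELDS):
    """Return {relpath: [changed fields]}; 'added'/'removed' for new/missing files."""
    report = {}
    for rel in set(baseline) | set(current):
        if rel not in current:
            report[rel] = ["removed"]
        elif rel not in baseline:
            report[rel] = ["added"]
        else:
            changed = [f for f in fields if baseline[rel][f] != current[rel][f]]
            if changed:
                report[rel] = changed
    return report


def ctime_later_than_mtime(fp, slack_ns=2_000_000_000):
    """Heuristic for a backdated mtime even without a baseline: ctime clearly
    newer than mtime. chmod/chown/rename also bump ctime, so treat a hit as a
    lead to investigate, not as proof of tampering."""
    return fp["ctime"] - fp["mtime"] > slack_ns


def demo():
    """Constructed scenario: one file backdated with utime, one really edited."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.txt", "config.ini", "untouched.txt"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("original %s\n" % name)
        baseline = build_baseline(root)

        time.sleep(0.1)  # inode timestamps use a coarse clock; let it advance
        a_year_ago = time.time() - 365 * 86400
        # What `touch -d` does: utimensat() sets atime and mtime to our value,
        # but the kernel stamps ctime with "now" regardless of what we pass.
        os.utime(os.path.join(root, "notes.txt"), (a_year_ago, a_year_ago))
        # A genuine edit changes content, size and the timestamps together.
        with open(os.path.join(root, "config.ini"), "a") as fh:
            fh.write("added line\n")

        current = build_baseline(root)
        return {
            "report": compare(baseline, current),
            "notes_backdated": ctime_later_than_mtime(current["notes.txt"]),
            "untouched_flagged": ctime_later_than_mtime(current["untouched.txt"]),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2, sort_keys=True))
```

The report lists notes.txt with only mtime and ctime changed (same inode, size and hash: that is the fingerprint of a touch, not an edit), config.ini with size and sha256 changed as well, and nothing for untouched.txt. Two caveats that matter for the question as asked: the ctime heuristic only works while the attacker cannot set the system clock, because ctime is simply the kernel's current time, and a root attacker can also bypass the kernel entirely by writing the inode on the raw block device, as Lekensteyn's answer notes. The baseline therefore has to live somewhere root on that host cannot rewrite it, which is the same reason the earlier answer recommends remote or append-only logging.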
0

If somebody manages to get root access, they can do whatever they want, including removing all traces of their activity.

Sorry, but the only thing you can and must do is to protect your root/sudo password(s).

Byte Commander
  • What if some user of my server machine is modifying file signatures? He will clear the command logs. Where are the command logs stored? – Chinmaya B Sep 19 '16 at 19:52
  • I don't know what exactly you mean by "file signatures", but where and which commands are logged depends on many things. If your shell is Bash, it will append the executed commands to a file called .bash_history in the current user's home directory, but there are many ways to prevent this from happening. – Byte Commander Sep 19 '16 at 19:57
  • File signatures are the date & time of creation, last modification, permissions and similar properties of a file. So even if a normal user deletes .bash_history, we cannot detect the commands executed by the user, right? – Chinmaya B Sep 19 '16 at 20:02
  • 1
    If it's only a normal user without sudo privileges, there should be ways to set up your system so that you won't lose command logs. But if the user you want to observe manages to get root rights, they can disable all your stuff and hide their traces. – Byte Commander Sep 19 '16 at 20:08