Mr. Robot got at least one thing right with that “DAT” file: Files are at the root of all things security in Linux. While file integrity monitoring is an aspect of Windows security, it’s absolutely critical to Linux and Unix security.
Windows hides much of its configuration in the registry behind a tightly controlled Win32 API. In Linux, the configuration is far more exposed and available for direct access. In addition, many resources in Linux are presented as part of the file system. And of course, the programs you run on both Windows and Linux are files, in the form of binary executables or scripts. Modifying or replacing these files lets attackers implant arbitrary malicious instructions that are then executed unwittingly.
So, file integrity monitoring is one of the first things you need to get right when it comes to securing Linux and detecting attacks. But which files and directories do you need to monitor? Some folks will say “everything”, and that is a nice goal, but it is not practical, especially if you are still maturing your file integrity monitoring efforts.
In this real training for free webinar, I will show you:
- Where key configuration and other security sensitive files are stored in Linux
- Where important binaries and scripts reside that should be monitored for modification or replacement
Some of the areas we’ll discuss include:
- Where Linux stores bootup options that attackers use to gain persistence
- Shell and utility configuration files where crafty attackers have found ways to bypass security controls
- Cron configuration (the counterpart of Scheduled Tasks in Windows), where attackers can gain persistence or trigger malicious code to run with privileged access
- Where credentials and group membership are stored
- Where host-to-IP-address mappings can be overridden to redirect connections to impostor hosts
- Where network restrictions are defined
- Logon controls
- Where bogus authentication modules can be inserted
To make sure this is really practical, we will discuss when you can expect different files and folders to be modified for legitimate reasons, tips for detecting malicious changes, and how to reduce noise by excluding files such as log files, which are always changing.
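As an added illustration, not part of the webinar material or of any sponsor's product, here is a minimal baseline-and-compare check in Python over a constructed directory tree: it hashes a watch list that maps the categories above to their usual locations (an assumption about where mainstream distributions keep them; adjust it for your own hosts), reports added, removed and modified files, and skips always-changing log files so they do not generate noise.

```python
import hashlib
import tempfile
from pathlib import Path

# Watch list covering the outline's categories (credentials and groups, host
# overrides, cron, PAM). Assumption: standard locations on mainstream distributions.
WATCH = ["etc/passwd", "etc/shadow", "etc/group", "etc/hosts", "etc/crontab", "etc/cron.d", "etc/pam.d", "var/log"]
EXCLUDE_SUFFIXES = (".log",)  # always-changing files that only add noise

def snapshot(root: Path) -> dict:
    """Map each watched file (directories walked recursively) to its SHA-256."""
    state = {}
    for rel in WATCH:
        p = root / rel
        if p.is_file():
            files = [p]
        elif p.is_dir():
            files = [f for f in p.rglob("*") if f.is_file()]
        else:
            continue  # absent on this host; nothing to record
        for f in files:
            if not f.name.endswith(EXCLUDE_SUFFIXES):
                state[str(f.relative_to(root))] = hashlib.sha256(f.read_bytes()).hexdigest()
    return state

def compare(old: dict, new: dict) -> dict:
    """Classify differences between a baseline and a fresh snapshot."""
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}

def demo() -> dict:
    """Constructed mini filesystem standing in for a host; all contents are sample data."""
    root = Path(tempfile.mkdtemp())
    seed = {"etc/passwd": "root:x:0:0::/root:/bin/bash\n", "etc/group": "root:x:0:\n",
            "etc/hosts": "127.0.0.1 localhost\n", "etc/crontab": "0 * * * * root /usr/bin/true\n",
            "etc/pam.d/sshd": "auth required pam_unix.so\n", "var/log/auth.log": "boot\n"}
    for rel, body in seed.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    baseline = snapshot(root)
    # Simulated activity: cron line appended, PAM config added, hosts entry added, log grows (excluded).
    with (root / "etc/crontab").open("a") as f:
        f.write("*/5 * * * * root /usr/local/bin/agent\n")
    (root / "etc/pam.d/su").write_text("auth required pam_unix.so\n")
    with (root / "etc/hosts").open("a") as f:
        f.write("192.0.2.10 mirror.example\n")
    with (root / "var/log/auth.log").open("a") as f:
        f.write("session opened\n")
    return compare(baseline, snapshot(root))
```

Calling `demo()` reports the new PAM file as added and the cron and hosts files as modified, while the log append produces no finding; on a real host you would persist the baseline off-box and re-run `snapshot` on a schedule.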
This will be a very technical and hands-on webinar that gets into specifics. So please join us.
Paul Harper from BeyondTrust, our sponsor, will briefly demonstrate how PowerBroker for Unix & Linux monitors sensitive files in real time so that you are proactively notified of suspect activities that may be related to privilege misuse or malware, including file modification or encryption.