Shell ensuring system integrity with limitations

For a while, I've had the idea to implement an integrity / file-checksumming function for my work computer (Windows).

The problem is that our cybersecurity team may push updates whenever and we won't know until something doesn't work or other developers complain. I wish they would inform us what it may impact or at least if they're doing something as I've spent countless days thinking the problem was my configuration only to find that I had to reinstall Intellij or Java because the old version I was using was no longer "secure". The funny thing is that the whole program wouldn't be removed, it would be seemingly enough to make it look like it were still fully installed and functional, but some critical file wasn't there, so it wouldn't run properly.

That said, I don't have the capability to install aide, and that would make my life quite a bit easier, so I was thinking that I would merely do something similar. For the software that is critical for me (IntelliJ, Java, VS Code), I would find all the files, checksum them, and store the checksums in a file somewhere.

Then, overnight, I would run the same process again to monitor if the files were still there and if they changed. This I am hoping would provide an early warning to me to say, at the first sign of a problem such as the project won't run or build, rather than try to rebuild the project, just reinstall Intellij.

I can run the sha suite of tools from git bash, so I am thinking I will make use of that to hash files and use a collection of shell scripts to glue all of that together.

I don't have admin privileges on my system, nor do I have any experience with Windows Defender, which seems to do some basic file integrity monitoring. Is this a bad idea? If so, is there another way I can achieve the same thing with much less effort? I tried reaching out to cybersecurity, but you'd think they were doing something top secret. Or at least, you'd think they'd think I were a spy trying to defeat their system. I also think that, given the complexity of this, I'd have to limit the scope to just IntelliJ and Java; otherwise, I'd have many false positives.
 
That's of limited use since people could manipulate the checksumming tool, a shared library it uses or the database when you store the expected checksums.
 
True, but I doubt they would do that; more than likely, what would happen is that it itself becomes corrupt and no longer functions, or every file is marked as different, rendering it useless?
 
This is tricky to get right under the best of circumstances if you take (intended) updates into account.

Signed binaries are generally more straightforward. That doesn't do data files, but with a signed checksum tool you can at least get a checksum for a data file with more confidence.

Of course there is rope to hang yourself with. If your signing tool becomes unsigned, for example.
 
Yes, the latter does have me partially concerned. While recovery from that scenario may be easy, detection may not be, and then one is back where one started. If nothing else, it is for my amusement.
 
I use security/tripwire on my firewall. It seems to do much of what you are thinking.

Yeah, but the challenge is that this is a work computer and I have no admin rights. Neither of these tools is available for me to install. The lowest common denominator is md5sum, sha256sum, etc.

That is the challenge.

I am essentially trying to do what should be provided by our desktop engineering team, to ensure our equipment works as expected with minimal disruption.
 
You guys do realize that mtree is a thing? An intrusion detection system built right into the base system itself (!) and thus available to ... well ... everyone?

I do apologize a bit, because my gf and I almost did an all-nighter Minecraft session (almost ... I guess we're getting old, lol!). Point being: not sober, not gonna type. I'll just check my past posts and ... after a silly wrong filter in offtopic ... I got it =>


Now ... Sorry, but there is a reason why I liked Phisfry's comment up there! mtree is a solid solution (seriously!) but it sure ain't Tripwire => (edit): check this out!

Hope you guys can put this to some good use... I need some sleep :)
 
Either tripwire or aide is your best bet. The issue is that your change management process needs a way to communicate anticipated file changes to your security officer. Organizations I've worked for never figured this out. 85% of monitoring file changes with tripwire or a tool like it is human process. The last 15% is using the tool to monitor the changes.

Regarding tripwire vs any other tool, tripwire signs its database. Aide and other tools like it don't. An intruder could alter some files and rebuild the database before you know it. Whereas tripwire requires you enter your passphrase before it writes a new database.

You could do the same with another tool using gpg to sign the database but the window of opportunity, a race, would be larger.
 
For my first Internet-facing exposure, 30-odd years ago, there was a brand new firewall (Gauntlet on a FreeBSD system) and no small amount of paranoia.

We deployed Tripwire on a SPARCstation 10 running an Internet-facing web server (Netscape). The tripwire checksum database was kept on a 3.5" floppy disk which was physically write-disabled.

It was a punishing relentless task to understand why file checksums changed, what should be allowed to change, to ignore false alerts, and to re-generate and publish the checksum database. So, yes, you have to nail the change management, and we never did...
 
What if you put your checksum database somewhere on a network and make it accessible to you only (via some kind of authentication)? This probably reduces the chance of compromising the database.
 
As I see from the OP's first post, it is a work machine running Windows. It might be a VM, but I suppose there is no access to it from the outside. So, it's just a plain Windows machine. Running "git bash" ... this is definitely what I did all the time after installing git on a Windows box. Again, not a sign of a VM that can be accessed from outside.
But wait, anyway, I don't know for sure, and I'm not going to argue about that :). Just some thought I wanted to throw out.
 
I am 10 years removed from Windows but I seem to remember a nagging feature.

SFC - System File Checker. When you tried to slipstream a file onto the system it would tell you. Those are the tools on that OS.

Still needs ADMIN rights I bet.
 
Yes, and SFC is probably only a versioning tool, not a checksumming one.

Regardless, the user wants to lock in program versions on a presumed Windows computer. Checksumming is not exactly relevant for that.

Portable Apps on USB can be locked out, so web apps are your likely best option if you have unfettered access to the interwebs.
 
Yes, so I basically did this: I wrote a wrapper around sha256sum and implemented plugins or extensions that define different sets of files to monitor. It then finds all of the files for that given plugin / extension, runs sha256 for those files, sorts the output by the filename and stores that in a git repo. It runs nightly (poor man's cron on Windows / git bash using sleep).

Right now, the only extension I implemented was for Intellij because that is the one that I use the most and it is really bothersome when it doesn't work.

As the file database is updated, I can look at the history and use a tool like meld to see what changed. I was hoping to implement notifications, but haven't gotten around to that yet.

Again, yes, if this were my system, I'd be running it on top of ZFS and voila, rollback, but this is beyond my control. I just want to use it as an early warning system to say, yes, it's not me, it's you (Seinfeld Pun). In this case, even if it is our security team or whomever, it doesn't matter. At the end of the day, something I use ends up broken and I'd like to just confirm that it is at least different than when it was last known working ...

Additionally, I use tags to mark a particular snapshot as working and do that independently of the contents. Ideally, I would be prompted to validate anytime there is a change so I could better pinpoint problems.
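As an added example (not the poster's wrapper, and not tripwire, aide or mtree), here is a small POSIX-shell version of what the post above describes: a sha256sum manifest sorted by path, a nightly comparison that reports added, removed and modified files, and, picking up the earlier point that tripwire signs its database while a plain manifest can be silently rebuilt, a seal over the manifest done with an HMAC via openssl rather than gpg. It assumes only sha256sum, awk and openssl, all of which ship with Git for Windows. The function names, file names and the sample tree are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's script: a poor man's file integrity monitor
# for git bash / any POSIX shell with sha256sum, awk and openssl.

# fim_baseline DIR MANIFEST: hash every regular file under DIR, one
# "<sha256>  <path>" line per file, sorted by path so diffs and git history
# stay stable. Paths containing newlines are not handled.
fim_baseline() {
    _dir=$1 _out=$2
    ( cd "$_dir" && find . -type f | LC_ALL=C sort |
      while IFS= read -r _f; do sha256sum "$_f"; done ) > "$_out"
}

# fim_check BASELINE CURRENT: print ADDED / REMOVED / MODIFIED lines and
# return 1 when anything differs, 0 when the two manifests agree.
fim_check() {
    _report=$(awk '
        { h = $1; p = $0; sub(/^[0-9a-f]+ [ *]/, "", p) }  # "hash  path" or "hash *path"
        FILENAME == ARGV[1] { base[p] = h; next }           # first file: baseline
        { cur[p] = h }                                      # second file: fresh scan
        END {
            for (p in base) if (!(p in cur))  print "REMOVED  " p
            for (p in cur)  if (!(p in base)) print "ADDED    " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
        }' "$1" "$2" | LC_ALL=C sort)
    [ -z "$_report" ] && return 0
    printf '%s\n' "$_report"
    return 1
}

# fim_seal MANIFEST KEYFILE: write MANIFEST.hmac = HMAC-SHA256(key, manifest).
# Keep KEYFILE outside the monitored tree; whoever rewrites the manifest must
# also know the key to make it verify. (The key is briefly visible in the
# process list while openssl runs, acceptable for a single-user workstation.)
fim_seal() {
    openssl dgst -sha256 -hmac "$(cat "$2")" < "$1" | awk '{ print $NF }' > "$1.hmac"
}

# fim_verify MANIFEST KEYFILE: 0 if the stored seal matches, 1 otherwise.
fim_verify() {
    _expect=$(cat "$1.hmac" 2>/dev/null)
    _actual=$(openssl dgst -sha256 -hmac "$(cat "$2")" < "$1" | awk '{ print $NF }')
    [ -n "$_expect" ] && [ "$_expect" = "$_actual" ]
}

# Demo on a constructed tree standing in for an IntelliJ install directory.
fim_demo() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/app/bin" "$_tmp/app/lib"
    printf 'launcher\n' > "$_tmp/app/bin/idea.sh"
    printf 'AAAA\n'     > "$_tmp/app/lib/a.jar"
    printf 'BBBB\n'     > "$_tmp/app/lib/b.jar"
    openssl rand -hex 32 > "$_tmp/key"          # constructed key, outside app/
    fim_baseline "$_tmp/app" "$_tmp/baseline.sha256"
    fim_seal "$_tmp/baseline.sha256" "$_tmp/key"
    # Simulate an unannounced "update": one jar changed, one removed, one added.
    printf 'AAAB\n' > "$_tmp/app/lib/a.jar"
    rm "$_tmp/app/lib/b.jar"
    printf 'CCCC\n' > "$_tmp/app/lib/c.jar"
    fim_baseline "$_tmp/app" "$_tmp/current.sha256"
    fim_verify "$_tmp/baseline.sha256" "$_tmp/key" && echo "baseline seal OK"
    fim_check "$_tmp/baseline.sha256" "$_tmp/current.sha256" ||
        echo "-> differences found, exit status $?"
    rm -rf "$_tmp"
}

fim_demo
```

The nightly job is then `fim_baseline` into a fresh file, `fim_verify` on the stored baseline, and `fim_check` between the two; a non-zero exit is the early warning, and committing the new manifest to git (as the poster does) keeps the history. The seal only proves something if the key is not readable by whoever can rewrite the manifest, so against an administrator on the same box it adds nothing; for the threat model in this thread, unannounced updates rather than an adversary, it mostly guards against the manifest being regenerated by mistake.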
 