Host Integrity Monitoring Using Osiris and Samhain

Chapter 9: Advanced Strategies

Introduction

This chapter contains strategies for the successful deployment of Osiris and Samhain. You do not have to use all of this material to be successful; however, it is helpful because it was gathered from personal experience and from feedback from both Osiris and Samhain users. Both of these systems are very effective at monitoring the integrity of host environments, and each has its own strong points. The following sections use some of those strong points to explore Set User ID (SUID) and Set Group ID (SGID) audits, look for rogue executables, perform checks on a deployment, and handle the cumbersome effects of prebinding and prelinking of executables.

Performing SUID/SGID Security Audits

SUID and SGID executables require a great deal of scrutiny and caution. Poorly written software is dangerous to host integrity; poorly written software with elevated privileges is worse. Do not trust that the developers of SUID executables took steps to protect the application from being exploited (including the applications that ship with the operating system). Also, do not trust that the default file permissions limit access to these types of executables. Staying on top of SUID and SGID executables is an administrative effort that requires research and careful inspection of the systems being managed. Osiris and Samhain can help with only part of that effort. Specifically, they can look for and report on changes that involve SUID and SGID executables. You can obtain a quick listing of the SUID and SGID executables by running the following...
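The book's own listing command is cut off above. As an added example (not the book's command, and not output from Osiris or Samhain), the following POSIX shell functions enumerate SUID and SGID files under a directory tree, save that listing as a baseline, and report any drift on a later run, which is a manual version of the change reporting the chapter describes. The baseline path and the directory names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: manual SUID/SGID inventory and drift check.
# Assumes a Linux/BSD host with POSIX find, sort and comm.

LC_ALL=C; export LC_ALL   # stable sort order so comm(1) compares correctly

# list_suid_sgid ROOT
#   Print one "suid PATH" line per setuid file and one "sgid PATH" line per
#   setgid file below ROOT, staying on the same filesystem (-xdev), sorted.
#   A file with both bits set appears twice, once under each label.
list_suid_sgid() {
    {
        find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sed 's/^/suid /'
        find "$1" -xdev -type f -perm -2000 -print 2>/dev/null | sed 's/^/sgid /'
    } | sort
}

# save_baseline ROOT BASELINE_FILE
#   Record the current inventory; run this after an audited, known-good install.
save_baseline() {
    list_suid_sgid "$1" > "$2"
}

# check_baseline ROOT BASELINE_FILE
#   Compare the live inventory with the baseline. Prints entries that are only
#   in the baseline (removed) or only on the host (added). Returns 0 when the
#   two match, 1 on any drift, so it can gate a cron job or an alert.
check_baseline() {
    drift=$(list_suid_sgid "$1" | comm -3 "$2" -)
    if [ -n "$drift" ]; then
        printf 'SUID/SGID drift detected:\n%s\n' "$drift"
        return 1
    fi
    return 0
}

# Usage (placeholder path):
#   save_baseline /usr /var/lib/suid-baseline.txt
#   check_baseline /usr /var/lib/suid-baseline.txt || logger -p auth.warning "SUID/SGID drift"
```

Because the listing only covers the file bits, pair it with the integrity checker's hash comparison; a SUID binary that is replaced in place keeps the same entry here but shows up as a content change in Osiris or Samhain.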
