File Integrity Assessment via SSH Article - Sysadmin Article
Hal Pomeranz has an interesting article on File Integrity Assessment via SSH over at sysadmin magazine (well worth a subscription). At my last job a couple of us discussed doing something similar so I enjoyed the article; it’s nice to see someone actually implement the damn thing.
The basic idea addresses one of the implicit weaknesses with FIA tools. You give the attacker an obvious target to try and subvert. While there are little tricks you can employ to make their life harder (add a false positive so if they replace the binary with a fake it doesn’t report everything you’d expect etc.) Hals technique moves the whole FIA setup off the machine. You only copy the FIA tools in when you’re going to run the scan. This won’t stop kernel level hacks written just for screwing with FIA but it does raise the bar a fair bit.
One of my suggested tweaks for this would be to replace the null passphrase root SSH. Firstly I dislike allowing root to SSH to a machine. Secondly, keys with no passphrase are often a bad thing. While SSH agent can make them better, a non-privileged account, sudo and the NOPASSWD option are often a better choice.
The config in ‘/etc/sudoers’ will make it easier for a competent attacker to work out what’s going on (although to make life harder you can still rename commands as mentioned in the article) but this is better than allowing such a dangerous entry point to all your systems.