Tools for identifying untrusted executables


Greetings,

Are there any known good utilities out there, community or enterprise, that would work to identify any scripts, executables or applications installed on a system and running that are disallowed? We do have AIDE implemented, but want something that can monitor and alert in real time, and give as much granularity about what is running, etc ...

Much appreciated.

Responses

Bradley,

How do you plan to define 'disallowed'? Is this from a blacklist from the vendor, or do you want to provide a list of binaries?

Are you after virus/malware scanning, or access control/enforcement/alerting?

I would recommend rkhunter or chkrootkit, but unfortunately both of them are getting a little dated and may not meet your requirement.

Thanks ... yes, we are looking to satisfy a requirement for our system under NIST standards, regardless of whether we agree or disagree. We are basically looking for ways, preferably a whitelist, of disallowing other applications or software from running, etc ...

Have you explored SELinux? The tools mentioned, while informative, are typically passive, not active, defences or deterrents.

A simple method of restricting users can be seen here. A more complex SELinux policy to limit access for a running process (stolen from here), which applies rules to which the service's running domain (in this case dhcp) must adhere:

# Note: this is a type-enforcement (.te) file from the Android SELinux policy.
# The macros (init_daemon_domain, net_domain, unix_socket_connect) and the
# netd / system_prop / property_service types do not exist in the RHEL
# reference policy; a RHEL module expresses the same ideas with refpolicy
# interfaces, but the shape of the policy is the same.

# Declare the domain. 'permissive' means denials for this domain are only
# logged, not enforced, so it must be removed before the policy counts as a
# preventive control.
type dhcp, domain;
permissive dhcp;
# Label for the daemon's executable and for the files it is allowed to create
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;

# init transitions into the dhcp domain when it executes dhcp_exec; basic networking
init_daemon_domain(dhcp)
net_domain(dhcp)

# Only the capabilities and socket classes a DHCP client actually needs
allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms;
allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
# The only executables the domain may run: the shell and system binaries (hook scripts)
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
allow dhcp system_prop:property_service set;
unix_socket_connect(dhcp, property, init)

# Anything dhcp creates under system_data_file directories gets the dhcp_data_file label
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir create_dir_perms;
allow dhcp dhcp_data_file:file create_file_perms;

# Communication with netd over inherited descriptors, pipes and sockets
allow dhcp netd:fd use;
allow dhcp netd:fifo_file rw_file_perms;
allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };

That's what I'm thinking we will ultimately have to use. These are great examples and very helpful ... Is there some repository of SELinux modules used on various systems that correlate to a FISMA rating or other InfoSec standard?

The exact issue we have (which I agree is vague): "There was no proof provided that validated the use of automated mechanisms on the system to prevent the execution of unauthorized software programs."

SELinux will take us some time (we have 5,000 servers and workstations across a widely disparate geographical and technical network). I'm kinda looking for a simple intermediate solution while we plan for a larger SELinux implementation as we run custom software with 2.9m SLOC.

I don't think there are any pre-built modules for implementation of the FISMA standards for SELinux (at least none that I know of), but it would be nice, as FIPS 199, FIPS 200, SP 800-53, 800-59, 800-60, 800-37, 800-39 and 800-53A are beasts. Ensuring accuracy is a large undertaking for even a smaller number of systems.

Another option would be to utilize auditd rules (not tested, and would probably require tuning for your environment), which would offer some active defence of executing and modifying configurations. This method is a bit simpler because you don't need to compile and test rules prior to implementation. A simple restart of the auditd service facilitates updates to the audit.rules directives.

Use of the RHEL security guide and/or the IASE STIG guides for the OS and/or services is also an additional layer of defence.

Thanks ^Gerfen for the additional comments and suggestions!

These do whitelisting across multiple OSes, including RHEL:

Samhain is GPL'ed
http://la-samhna.de/samhain/index.html

McAfee Application Control (formerly SolidCore) is pay-for but has a free trial (disclosure: I work there.)
http://www.mcafee.com/us/products/application-control.aspx
