Tools for identifying untrusted executables
Greetings,
Are there any known good utilities out there, community or enterprise, that would work to identify any scripts, executables, or applications installed on a system and running that are disallowed? We do have AIDE implemented, but we are after something that can monitor and alert in real time, and give as much granularity as possible about what is running, etc.
Much appreciated.
Responses
Bradley,
How do you plan to define 'disallowed'? Is this from a blacklist from the vendor, or do you want to provide a list of binaries?
Are you after virus/malware scanning, or access control/enforcement/alerting?
I would recommend rkhunter or chkrootkit, but unfortunately both of them are getting a little dated and may not meet your requirement.
Have you explored SELinux? The tools mentioned, while informative, are typically passive, not active, defences or deterrents.
A simple method of restricting users can be seen here. A complex SELinux rule to limit access for a running process (stolen from here) would apply rules to which the service's running user (in this case dhcp) must adhere:
# Declare the dhcp process domain; "permissive" means denials are only logged, not enforced
type dhcp, domain;
permissive dhcp;
# Labels for the dhcp executable and the data files it owns
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;
init_daemon_domain(dhcp)
net_domain(dhcp)
# Capabilities the daemon needs (privilege drop plus raw/privileged-port networking)
allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms;
allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
# Execute the shell and system binaries
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
# Set system properties through the property service
allow dhcp system_prop:property_service set;
unix_socket_connect(dhcp, property, init)
# Files and directories the daemon creates under system data get the dhcp_data_file label
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir create_dir_perms;
allow dhcp dhcp_data_file:file create_file_perms;
# Communication with netd over inherited descriptors, pipes and sockets
allow dhcp netd:fd use;
allow dhcp netd:fifo_file rw_file_perms;
allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
I don't think there are any pre-built modules for implementation of the FISMA standards for SELinux (at least none that I know of), but it would be nice, as FIPS 199, FIPS 200, 800-53, 800-59, 800-60, 800-37, 800-39, and 800-53A are beasts. Ensuring accuracy is a large undertaking for even a small number of systems.
Another option would be to utilize auditd rules (not tested, and would probably require tuning for your environment), which would offer some active defence of executing and modifying configurations. This method is a bit simpler because you don't need to compile and test rules prior to implementation. A simple restart of the auditd service facilitates updates to the audit.rules directives.
Use of the RHEL security guide and/or the IASE STIG guides for the OS and/or services is also an additional layer of defence.
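As an added illustration of the auditd approach suggested above (example code, not from the original thread or from any Red Hat tool): the script below parses SYSCALL records of the kind auditd writes when an execve rule with a key is loaded, and reports executions of binaries outside an assumed allowlist of system directories. The audit rule in the docstring, the allowlist and the log lines are all constructed for the example.

```python
"""Flag execve events whose binary lives outside an allowlisted directory.

Assumes auditd rules such as (constructed): -a always,exit -F arch=b64 -S execve -k exec_monitor
so that each execve yields a SYSCALL record with exe="..." and key="exec_monitor".
"""
import re

# Directories from which execution is considered expected (assumed allowlist).
ALLOWED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/libexec/")

# Constructed sample records in the key=value format auditd writes to audit.log;
# the third record shows auditd's hex encoding of a path that contains a space.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec_monitor"
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1202 auid=1000 uid=1000 comm="nc" exe="/tmp/.hidden/nc" key="exec_monitor"
type=SYSCALL msg=audit(1700000000.330:503): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1203 auid=1000 uid=1000 comm=6D7920746F6F6C exe=2F746D702F6D7920746F6F6C key="exec_monitor"
type=SYSCALL msg=audit(1700000000.410:504): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1204 auid=4294967295 uid=0 comm="dhclient" exe="/usr/sbin/dhclient" key="exec_monitor"
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")
HEX_FIELDS = {"exe", "comm", "name", "cwd", "proctitle"}


def parse_record(line):
    """Parse one audit record into a dict, unquoting and hex-decoding string values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif key in HEX_FIELDS and re.fullmatch(r"[0-9A-Fa-f]+", value):
            # auditd hex-encodes (unquoted) strings containing spaces or control characters.
            value = bytes.fromhex(value).decode("utf-8", "replace")
        fields[key] = value
    match = EVENT_RE.search(line)
    if match:
        fields["timestamp"], fields["event_id"] = match.group(1), match.group(2)
    return fields


def find_disallowed_execs(log_text, allowed_dirs=ALLOWED_DIRS, watch_key="exec_monitor"):
    """Return (event_id, auid, exe) for successful execve records outside allowed_dirs."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != watch_key:
            continue
        exe = rec.get("exe", "")
        if rec.get("success") == "yes" and not exe.startswith(allowed_dirs):
            hits.append((rec["event_id"], rec.get("auid"), exe))
    return hits
```

On a live host the same function can be fed the output of `ausearch -k exec_monitor --raw`, or run by an audisp plugin for near real-time alerting.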
