[lug] File Signature Monitoring and Encrypted File Systems

George S. georges at mhsoftware.com
Tue Aug 22 17:14:41 MDT 2017

I'm going through my PCI DSS compliance checklist and one of the things 
I need to do is set up some file monitoring. Even though this is a 
"checklist" requirement, I really do want to come up with the best and 
most robust solution. Last summer we had an incident where someone tried 
some cute things to compromise one of our cloud customers. We really 
took a hard look at a lot of things then, and we're really interested in 
coming up with the best solution.

Anyhow, I'm thinking I'll set up file signature monitoring using 
Aide, and be pretty limited about what I'm checking. With any signature 
verification system, the rub becomes how do you protect your binaries 
that you're using to check your signature. I'm thinking that I would 
set up an encrypted file system and put the binaries and signatures on 
the encrypted file system. Unless I'm actively doing updates, I'll keep 
the encrypted fs mounted read-only.

Ideally, I'd like to have two keys for the encrypted file system. One 
that can mount it read-only, and one that can mount it read-write. I'd 
like the partition to be mounted read-only at boot time so that periodic 
signature checks can happen. When I need to update the signatures, I'll 
re-mount the partition read-write. I know that a deeply compromised 
system can get around these constraints. My experience has been that 
intruders usually aren't really subtle and that if I can monitor things 
that are sensitive, I stand a pretty good shot of finding out something 
is happening before it goes too far.

I've been reviewing the docs for LUKS and cryptsetup. I see that I can 
have up to 8 keys for a device, but I'm not seeing anything that lets me 
say the access level for this key is read-only. Is this possible?

Is there some magically better thing that I could do that would be 
better than what I'm suggesting? One idea that came to mind was doing 
the file signature checks from a remote system that's dedicated and 
(theoretically) secured. I'm thinking perhaps using sshfs or something 
like that.

I would be interested in hearing what everyone's thoughts are.

George S.
MH Software, Inc.
Voice: 303 438 9585
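The baseline-then-check cycle described in the post, as an added example that is not part of the original message and is not AIDE's own code: a small Python integrity checker in which the directory `vault` stands in for the read-only mounted LUKS volume holding the signatures, and the baseline file's own hash is pinned out of band so that a swapped or edited baseline is refused before anything is compared against it. File names and contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of one regular file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Relative path -> {sha256, mode, size} for every regular file under root."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            result[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p), "mode": st.st_mode & 0o7777, "size": st.st_size}
    return result

def write_baseline(root, baseline):
    """Store the snapshot; return its own SHA-256 so it can be pinned elsewhere."""
    baseline.write_text(json.dumps(snapshot(root), sort_keys=True))
    return file_digest(baseline)

def check(root, baseline, pinned_digest):
    """Refuse an altered baseline, then report modified/added/removed paths."""
    if file_digest(baseline) != pinned_digest:
        raise RuntimeError("baseline hash mismatch: refusing to check against it")
    old, new = json.loads(baseline.read_text()), snapshot(root)
    return {"modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
            "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys())}

def demo():
    """Constructed tree: a clean check, then one modified, one added, one removed file."""
    with tempfile.TemporaryDirectory() as tmp:
        tree, vault = Path(tmp, "conf"), Path(tmp, "vault")  # vault = ro volume stand-in
        tree.mkdir(); vault.mkdir()
        (tree / "a.conf").write_text("alpha\n"); (tree / "b.conf").write_text("beta\n")
        pinned = write_baseline(tree, vault / "baseline.json")
        clean = check(tree, vault / "baseline.json", pinned)
        (tree / "a.conf").write_text("alpha changed\n")
        (tree / "c.conf").write_text("gamma\n"); (tree / "b.conf").unlink()
        return clean, check(tree, vault / "baseline.json", pinned)
```

In production the pinned baseline digest would live somewhere the monitored host cannot rewrite (the remote checker mentioned in the post, or a printed record), which is what turns the read-only mount from a convenience into a real check.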