[lug] File Signature Monitoring and Encrypted File Systems
georges at mhsoftware.com
Tue Aug 22 17:14:41 MDT 2017
I'm going through my PCI DSS compliance checklist and one of the things
I need to do is set up some file monitoring. Even though this is a
"checklist" requirement, I really do want to come up with the best and
most robust solution. Last summer we had an incident where someone tried
some cute things to compromise one of our cloud customers. We really
took a hard look at a lot of things then, and we're really interested in
coming up with the best solution.
Anyhow, I'm thinking I'll set up file signature monitoring using
Aide, and be pretty limited about what I'm checking. With any signature
verification system, the rub becomes how do you protect your binaries
that you're using to check your signature. I'm thinking that I would
set up an encrypted file system and put the binaries and signatures on
the encrypted file system. Unless I'm actively doing updates, I'll keep
the encrypted fs mounted read-only.
Ideally, I'd like to have two keys for the encrypted file system. One
that can mount it read-only, and one that can mount it read-write. I'd
like the partition to be mounted read-only at boot time so that periodic
signature checks can happen. When I need to update the signatures, I'll
re-mount the partition read-write. I know that a deeply compromised
system can get around these constraints. My experience has been that
intruders usually aren't really subtle and that if I can monitor things
that are sensitive, I stand a pretty good shot of finding out something
is happening before it goes too far.
I've been reviewing the docs for LUKS and cryptsetup. I see that I can
have up to 8 keys for a device, but I'm not seeing anything that lets me
say the access level for this key is read-only. Is this possible?
Is there some magically better thing that I could do that would be
better than what I'm suggesting? One idea that came to mind was doing
the file signature checks from a remote system that's dedicated and
(theoretically) secured. I'm thinking perhaps using sshfs or something.
I would be interested in hearing what everyone's thoughts are.
*MH Software, Inc.*
Voice: 303 438 9585
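Editor's note, added here and not part of the post above or of AIDE or cryptsetup: every LUKS keyslot unwraps the same volume key, so a keyslot cannot carry a read-only permission. Read-only is a property of the opened mapping and the mount instead (cryptsetup open --readonly, then mount -o ro). The other half of the question, how to protect the signature database from the host it describes, is the part the remote-check idea gets right, and the example below shows that mechanism in miniature: a baseline of hashes and metadata in the spirit of AIDE (not AIDE's own format or code), sealed with an HMAC whose key is assumed to live on the checking host, so a database altered on the monitored box is rejected before any comparison runs. The directory tree, file contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Added example, not AIDE. The HMAC key is assumed to be held only on the
# host that performs the check, never stored on the monitored system.
CHECKING_HOST_KEY = b"example-key-kept-on-the-checking-host"  # assumption


def file_record(path):
    """Attributes worth alarming on for one file (constructed schema)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root):
    """Walk root (without following symlinks) and record every entry."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def seal_baseline(baseline, key):
    """Serialize deterministically and append an HMAC-SHA256 tag line."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag + b"\n"


def open_baseline(blob, key):
    """Verify the tag before parsing anything; raise if the DB was touched."""
    body, _, tag = blob.rstrip(b"\n").rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline tag mismatch: database modified or wrong key")
    return json.loads(body)


def compare(old, new):
    """Report paths added, removed, or whose recorded attributes differ."""
    changed = {}
    for rel in sorted(set(old) & set(new)):
        diff = sorted(k for k in set(old[rel]) | set(new[rel])
                      if old[rel].get(k) != new[rel].get(k))
        if diff:
            changed[rel] = diff
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)), "changed": changed}


def demo():
    """Constructed scenario: baseline a tree, alter it, check, and confirm a
    tampered database is rejected. Returns (report, tamper_rejected)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "aide"), "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        with open(os.path.join(root, "etc", "shadow"), "wb") as f:
            f.write(b"root:*:0:0:99999:7:::\n")
        sealed = seal_baseline(build_baseline(root), CHECKING_HOST_KEY)
        # Same-length replacement: size and mode stay equal, only the hash moves.
        with open(os.path.join(root, "bin", "aide"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned\n")
        os.remove(os.path.join(root, "etc", "shadow"))
        with open(os.path.join(root, "etc", "aide.conf"), "wb") as f:
            f.write(b"database=file:/var/lib/aide/aide.db\n")
        report = compare(open_baseline(sealed, CHECKING_HOST_KEY), build_baseline(root))
        # Flip one bit in the serialized body: the tag no longer verifies.
        tampered = sealed[:5] + bytes([sealed[5] ^ 1]) + sealed[6:]
        try:
            open_baseline(tampered, CHECKING_HOST_KEY)
            tamper_rejected = False
        except ValueError:
            tamper_rejected = True
    return report, tamper_rejected


if __name__ == "__main__":
    report, rejected = demo()
    print(json.dumps(report, indent=2))
    print("tampered baseline rejected:", rejected)
```

The design point is that the checker needs nothing writable on the monitored host: it reads the tree, recomputes records, and trusts only a baseline whose tag verifies under a key the monitored host never sees. Running the checker itself from a separate box (over ssh, sshfs, or a pulled copy) is what keeps the checking binary out of an intruder's reach; a read-only LUKS mount raises the bar on the local host but is still subject to whoever holds root there.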