[lug] File Signature Monitoring and Encrypted File Systems

Zan Lynx zlynx at acm.org
Wed Aug 23 10:25:08 MDT 2017

On 08/22/2017 05:14 PM, George S. wrote:
> I'm going through my PCI DSS compliance checklist and one of the things
> I need to do is setup some file monitoring. Even though this is a
> "checklist" requirement, I really do want to come up with the best and
> most robust solution. Last summer we had an incident where someone tried
> some cute things to compromise one of our cloud customers. We really
> took a hard look at a lot of things then, and we're really interested in
> coming up with the best solution.
> Anyhow, I'm thinking I'll set it up file signature monitoring using
> Aide, and be pretty limited about what I'm checking. With any signature
> verification system, the rub becomes how do you protect your binaries
> that you're using to check your signature. I'm thinking that I would
> setup an encrypted file system and put the binaries and signatures on
> the encrypted file system. Unless I'm actively doing updates, I'll keep
> the encrypted fs mounted read-only.

Both Intel and AMD have announced support for encrypted RAM and disk in
virtualization solutions. The idea is that even if an attacker breaks
out of a VM they can't read anything except the VM they are in, because
other VM's and hypervisor RAM is all encrypted nonsense. You'd need one
of their fancy CPUs and I don't know what's available yet.

Even without that I think a VM is a good solution for you because you
can use tools outside the VM to monitor the VM disk image.

Running production systems can use read-only VM disks. Staging VM uses a
read-write disk to update. Then it is taken read-only and swapped in for
the production system.

Fancy storage systems can help force read-only as well. By storing
read-only disk images on a read-only LUN (usually a snapshot of the
read-write version) it adds more difficulty to making a persistent
attack. Attackers can still corrupt the in-memory software in the guest
VM, which is why scanning the RAM file cache is a good idea. Leading to...

I've heard of security researchers using customized VM software that
knows Linux and can monitor it from outside the VM by reading the guest
kernel's data structures and checksumming the guest kernel RAM in order
to watch for unknown zero-day attacks. I don't know of anything that's
easily available, but you might look for it.

And if the possibility that an attacker can compromise the hypervisor is
a threat, you can do what some do and periodically migrate all the
guests off a physical machine and reboot it to re-read it's hypervisor
software off of the verified good network storage.

                Knowledge is Power -- Power Corrupts
                        Study Hard -- Be Evil

More information about the LUG mailing list