+++ /dev/null
-%%
-%%
-
-% TODO: this chapter name is confusing ... maybe rename to
-% TODO: "File Integrity Checking with Bacula"?
-\chapter{Using Bacula to Improve Computer Security}
-\label{VerifyChapter}
-\index[general]{Security!Using Bacula to Improve Computer }
-\index[general]{Using Bacula to Improve Computer Security }
-
-% TODO: only those two digest algorithms?
-% TODO: can it use multiple at a time? (record and use both SHA1 and MD5?)
-Since Bacula maintains a catalog of files, their attributes, and either SHA1
-or MD5 signatures, it can be an ideal tool for improving computer security.
-This is done by making a snapshot of your system files with a {\bf Verify} Job
-and then checking the current state of your system against the snapshot, on a
-regular basis (e.g. nightly).
-
-The first step is to set up a {\bf Verify} Job and to run it with:
-
-\footnotesize
-\begin{verbatim}
-Level = InitCatalog
-\end{verbatim}
-\normalsize
-
-The {\bf InitCatalog} level tells {\bf Bacula} simply to get the information on
-the specified files and to put it into the catalog. That is your database is
-initialized and no comparison is done. The {\bf InitCatalog} is normally run
-one time manually.
-
-Thereafter, you will run a Verify Job on a daily (or whatever) basis with:
-
-\footnotesize
-\begin{verbatim}
-Level = Catalog
-\end{verbatim}
-\normalsize
-
-The {\bf Level = Catalog} level tells Bacula to compare the current state of
-the files on the Client to the last {\bf InitCatalog} that is stored in the
-catalog and to report any differences. See the example below for the format of
-the output.
-
-You decide what files you want to form your "snapshot" by specifying them in
-a {\bf FileSet} resource, and normally, they will be system files that do not
-change, or that only certain features change.
-
-Then you decide what attributes of each file you want compared by specifying
-comparison options on the {\bf Include} statements that you use in the {\bf
-FileSet} resource of your {\bf Catalog} Jobs.
-
-\section{The Details}
-\index[general]{Details }
-
-In the discussion that follows, we will make reference to the Verify
-Configuration Example that is included below in the {\bf A Verify
-Configuration Example} section. You might want to look it over now to get an
-idea of what it does.
-
-The main elements consist of adding a schedule, which will normally be run
-daily, or perhaps more often. This is provided by the {\bf VerifyCycle}
-Schedule, which runs at 5:05 in the morning every day.
-
-Then you must define a Job, much as is done below. We recommend that the Job
-name contain the name of your machine as well as the word {\bf Verify} or {\bf
-Check}. In our example, we named it {\bf MatouVerify}. This will permit you to
-easily identify your job when running it from the Console.
-
-You will notice that most records of the Job are quite standard, but that the
-{\bf FileSet} resource contains {\bf verify=pins1} option in addition to the
-standard {\bf signature=SHA1} option. If you don't want SHA1 signature
-comparison, and we cannot imagine why not, you can drop the {\bf
-signature=SHA1} and none will be computed nor stored in the catalog. Or
-alternatively, you can use {\bf verify=pins5} and {\bf signature=MD5}, which
-will use the MD5 hash algorithm. The MD5 hash computes faster than SHA1, but
-is cryptographically less secure.
-
-The {\bf verify=pins1} is ignored during the {\bf InitCatalog} Job, but is
-used during the subsequent {\bf Catalog} Jobs to specify what attributes of
-the files should be compared to those found in the catalog. {\bf pins1} is a
-reasonable set to begin with, but you may want to look at the details of these
-and other options. They can be found in the
-\ilink{FileSet Resource}{FileSetResource} section of this manual.
-Briefly, however, the {\bf p} of the {\bf pins1} tells Verify to compare the
-permissions bits, the {\bf i} is to compare inodes, the {\bf n} causes
-comparison of the number of links, the {\bf s} compares the file size, and the
-{\bf 1} compares the SHA1 checksums (this requires the {\bf signature=SHA1}
-option to have been set also).
-
-You must also specify the {\bf Client} and the {\bf Catalog} resources for
-your Verify job, but you probably already have them created for your client
-and do not need to recreate them, they are included in the example below for
-completeness.
-
-As mentioned above, you will need to have a {\bf FileSet} resource for the
-Verify job, which will have the additional {\bf verify=pins1} option. You will
-want to take some care in defining the list of files to be included in your
-{\bf FileSet}. Basically, you will want to include all system (or other) files
-that should not change on your system. If you select files, such as log files
-or mail files, which are constantly changing, your automatic Verify job will
-be constantly finding differences. The objective in forming the FileSet is to
-choose all unchanging important system files. Then if any of those files has
-changed, you will be notified, and you can determine if it changed because you
-loaded a new package, or because someone has broken into your computer and
-modified your files. The example below shows a list of files that I use on my
-Red Hat 7.3 system. Since I didn't spend a lot of time working on it, it
-probably is missing a few important files (if you find one, please send it to
-me). On the other hand, as long as I don't load any new packages, none of
-these files change during normal operation of the system.
-
-\section{Running the Verify}
-\index[general]{Running the Verify }
-\index[general]{Verify!Running the }
-
-The first thing you will want to do is to run an {\bf InitCatalog} level
-Verify Job. This will initialize the catalog to contain the file information
-that will later be used as a basis for comparisons with the actual file
-system, thus allowing you to detect any changes (and possible intrusions into
-your system).
-
-The easiest way to run the {\bf InitCatalog} is manually with the console
-program by simply entering {\bf run}. You will be presented with a list of
-Jobs that can be run, and you will choose the one that corresponds to your
-Verify Job, {\bf MatouVerify} in this example.
-
-\footnotesize
-\begin{verbatim}
-The defined Job resources are:
- 1: MatouVerify
- 2: kernsrestore
- 3: Filetest
- 4: kernsave
-Select Job resource (1-4): 1
-\end{verbatim}
-\normalsize
-
-Next, the console program will show you the basic parameters of the Job and
-ask you:
-
-\footnotesize
-\begin{verbatim}
-Run Verify job
-JobName: MatouVerify
-FileSet: Verify Set
-Level: Catalog
-Client: MatouVerify
-Storage: DLTDrive
-OK to run? (yes/mod/no): mod
-\end{verbatim}
-\normalsize
-
-Here, you want to respond {\bf mod} to modify the parameters because the Level
-is by default set to {\bf Catalog} and we want to run an {\bf InitCatalog}
-Job. After responding {\bf mod}, the console will ask:
-
-\footnotesize
-\begin{verbatim}
-Parameters to modify:
- 1: Job
- 2: Level
- 3: FileSet
- 4: Client
- 5: Storage
-Select parameter to modify (1-5): 2
-\end{verbatim}
-\normalsize
-
-you should select number 2 to modify the {\bf Level}, and it will display:
-
-\footnotesize
-\begin{verbatim}
-Levels:
- 1: Initialize Catalog
- 2: Verify from Catalog
- 3: Verify Volume
- 4: Verify Volume Data
-Select level (1-4): 1
-\end{verbatim}
-\normalsize
-
-Choose item 1, and you will see the final display:
-
-\footnotesize
-\begin{verbatim}
-Run Verify job
-JobName: MatouVerify
-FileSet: Verify Set
-Level: Initcatalog
-Client: MatouVerify
-Storage: DLTDrive
-OK to run? (yes/mod/no): yes
-\end{verbatim}
-\normalsize
-
-at which point you respond {\bf yes}, and the Job will begin.
-
-Thereafter the Job will automatically start according to the schedule you
-have defined. If you wish to immediately verify it, you can simply run a
-Verify {\bf Catalog} which will be the default. No differences should be
-found.
-
-\section{What To Do When Differences Are Found}
-\index[general]{What To Do When Differences Are Found }
-\index[general]{Found!What To Do When Differences Are }
-
-If you have setup your messages correctly, you should be notified if there are
-any differences and exactly what they are. For example, below is the email
-received after doing an update of OpenSSH:
-
-\footnotesize
-\begin{verbatim}
-HeadMan: Start Verify JobId 83 Job=RufusVerify.2002-06-25.21:41:05
-HeadMan: Verifying against Init JobId 70 run 2002-06-21 18:58:51
-HeadMan: File: /etc/pam.d/sshd
-HeadMan: st_ino differ. Cat: 4674b File: 46765
-HeadMan: File: /etc/rc.d/init.d/sshd
-HeadMan: st_ino differ. Cat: 56230 File: 56231
-HeadMan: File: /etc/ssh/ssh_config
-HeadMan: st_ino differ. Cat: 81317 File: 8131b
-HeadMan: st_size differ. Cat: 1202 File: 1297
-HeadMan: SHA1 differs.
-HeadMan: File: /etc/ssh/sshd_config
-HeadMan: st_ino differ. Cat: 81398 File: 81325
-HeadMan: st_size differ. Cat: 1182 File: 1579
-HeadMan: SHA1 differs.
-HeadMan: File: /etc/ssh/ssh_config.rpmnew
-HeadMan: st_ino differ. Cat: 812dd File: 812b3
-HeadMan: st_size differ. Cat: 1167 File: 1114
-HeadMan: SHA1 differs.
-HeadMan: File: /etc/ssh/sshd_config.rpmnew
-HeadMan: st_ino differ. Cat: 81397 File: 812dd
-HeadMan: st_size differ. Cat: 2528 File: 2407
-HeadMan: SHA1 differs.
-HeadMan: File: /etc/ssh/moduli
-HeadMan: st_ino differ. Cat: 812b3 File: 812ab
-HeadMan: File: /usr/bin/scp
-HeadMan: st_ino differ. Cat: 5e07e File: 5e343
-HeadMan: st_size differ. Cat: 26728 File: 26952
-HeadMan: SHA1 differs.
-HeadMan: File: /usr/bin/ssh-keygen
-HeadMan: st_ino differ. Cat: 5df1d File: 5e07e
-HeadMan: st_size differ. Cat: 80488 File: 84648
-HeadMan: SHA1 differs.
-HeadMan: File: /usr/bin/sftp
-HeadMan: st_ino differ. Cat: 5e2e8 File: 5df1d
-HeadMan: st_size differ. Cat: 46952 File: 46984
-HeadMan: SHA1 differs.
-HeadMan: File: /usr/bin/slogin
-HeadMan: st_ino differ. Cat: 5e359 File: 5e2e8
-HeadMan: File: /usr/bin/ssh
-HeadMan: st_mode differ. Cat: 89ed File: 81ed
-HeadMan: st_ino differ. Cat: 5e35a File: 5e359
-HeadMan: st_size differ. Cat: 219932 File: 234440
-HeadMan: SHA1 differs.
-HeadMan: File: /usr/bin/ssh-add
-HeadMan: st_ino differ. Cat: 5e35b File: 5e35a
-HeadMan: st_size differ. Cat: 76328 File: 81448
-HeadMan: SHA1 differs.
-HeadMan: File: /usr/bin/ssh-agent
-HeadMan: st_ino differ. Cat: 5e35c File: 5e35b
-HeadMan: st_size differ. Cat: 43208 File: 47368
-HeadMan: SHA1 differs.
-HeadMan: File: /usr/bin/ssh-keyscan
-HeadMan: st_ino differ. Cat: 5e35d File: 5e96a
-HeadMan: st_size differ. Cat: 139272 File: 151560
-HeadMan: SHA1 differs.
-HeadMan: 25-Jun-2002 21:41
-JobId: 83
-Job: RufusVerify.2002-06-25.21:41:05
-FileSet: Verify Set
-Verify Level: Catalog
-Client: RufusVerify
-Start time: 25-Jun-2002 21:41
-End time: 25-Jun-2002 21:41
-Files Examined: 4,258
-Termination: Verify Differences
-\end{verbatim}
-\normalsize
-
-At this point, it was obvious that these files were modified during
-installation of the RPMs. If you want to be super safe, you should run a {\bf
-Verify Level=Catalog} immediately before installing new software to verify
-that there are no differences, then run a {\bf Verify Level=InitCatalog}
-immediately after the installation.
-
-To keep the above email from being sent every night when the Verify Job runs,
-we simply re-run the Verify Job setting the level to {\bf InitCatalog} (as we
-did above in the very beginning). This will re-establish the current state of
-the system as your new basis for future comparisons. Take care that you don't
-do an {\bf InitCatalog} after someone has placed a Trojan horse on your
-system!
-
-If you have included in your {\bf FileSet} a file that is changed by the
-normal operation of your system, you will get false matches, and you will need
-to modify the {\bf FileSet} to exclude that file (or not to Include it), and
-then re-run the {\bf InitCatalog}.
-
-The FileSet that is shown below is what I use on my Red Hat 7.3 system. With a
-bit more thought, you can probably add quite a number of additional files that
-should be monitored.
-
-\section{A Verify Configuration Example}
-\index[general]{Verify Configuration Example }
-\index[general]{Example!Verify Configuration }
-
-\footnotesize
-\begin{verbatim}
-Schedule {
- Name = "VerifyCycle"
- Run = Level=Catalog sun-sat at 5:05
-}
-Job {
- Name = "MatouVerify"
- Type = Verify
- Level = Catalog # default level
- Client = MatouVerify
- FileSet = "Verify Set"
- Messages = Standard
- Storage = DLTDrive
- Pool = Default
- Schedule = "VerifyCycle"
-}
-#
-# The list of files in this FileSet should be carefully
-# chosen. This is a good starting point.
-#
-FileSet {
- Name = "Verify Set"
- Include {
- Options {
- verify=pins1
- signature=SHA1
- }
- File = /boot
- File = /bin
- File = /sbin
- File = /usr/bin
- File = /lib
- File = /root/.ssh
- File = /home/kern/.ssh
- File = /var/named
- File = /etc/sysconfig
- File = /etc/ssh
- File = /etc/security
- File = /etc/exports
- File = /etc/rc.d/init.d
- File = /etc/sendmail.cf
- File = /etc/sysctl.conf
- File = /etc/services
- File = /etc/xinetd.d
- File = /etc/hosts.allow
- File = /etc/hosts.deny
- File = /etc/hosts
- File = /etc/modules.conf
- File = /etc/named.conf
- File = /etc/pam.d
- File = /etc/resolv.conf
- }
- Exclude = { }
-P
-Client {
- Name = MatouVerify
- Address = lmatou
- Catalog = Bacula
- Password = ""
- File Retention = 80d # 80 days
- Job Retention = 1y # one year
- AutoPrune = yes # Prune expired Jobs/Files
-}
-Catalog {
- Name = Bacula
- dbname = verify; user = bacula; password = ""
-}
-\end{verbatim}
-\normalsize