Monday, January 14, 2013

Basics FIM-ing

What's FIM?
FIM stands for 'File Integrity Monitoring'. It's a host-based IDS that detects any changes to files, especially those which sits in critical directories such as /etc/, /boot/, /lib/modules, /root/ or in windows your system or system32 folder. You get to pick and choose ;)

How does it work?
The FIM will do a hash (MD5, SHA-1, etc) on the target file or directory that is chosen to protect, and then securely keep this 'hash' as a BASELINE. So periodically, the FIM will do same hashing task but compare it with the BASELINE 'hashes' generated previously.
e.g. I want to monitor /folderX/ and its contents.
The FIM can be set to trigger warning if:
#1 Attackers add/remove files within /folderX/
#2 Attackers EDIT one of my existing files within /folderX/

This means that if any attacker attempts to upload foreign objects, be it malware or a netcat program into the monitored system, the FIM will trip and the administrators will start their prowl. 

So, what's cooking?
To avoid such IDS, the first step is to play around with one in your own lab environment. So I've downloaded Tripwire ( on my Debian Raspberry PI to experiment around a little. If you're using Debian, you can get it by:
sudo apt-get install tripwire

* If you get some funky error messages, do this first: 
sudo apt-get update

Setting up isn't hard. To trigger the Tripwire for testing purposes, just add a random txt file in your /root/: 
sudo touch /root/ intrusion_vector.txt
And it should trip when you do a:
sudo tripwire --check 
But of course, this is NOT the full instructions. There are config and policy files to talk about. The steps from  "compiling" the policy files, generating the baseline database and to the cron job that continually performs the --check command, I'm not really inclined to explain them as I've found one site which is extremely helpful. So I'll recommend Meryll Larkin's tutorial to Tripwire:
She's a lifesaver to setting this FIM up! :) Thanks Larkin.

If you need some help, feel free to drop your comments below and I'll see what I can do.

Peace out,

No comments:

Post a Comment