Putting a whole linux server under source control (git)

git security linux rootkit

I am thinking about putting my whole linux server under version control using git. The reason behind it being that that might be the easiest way to detect malicious modifications/rootkits. All I would naively think is necessary to check the integrity of the system: Mount the linux partition every week or so using a rescue system, check if the git repository is still untempered and then issue a git status to detect any changes made to the system.

Apart from the obvious waste in disk space, are there any other negative side-effects?

Is it a totally crazy idea?

Is it even a secure way to check against rootkits since I most likely would have to at least exclude /dev and /proc ?


Solution 1:

That's a "Bad Idea" (tm). Aside from all else, your repository will run slow as all heck, and get worse as every revision is kept.

Try centralised management, like puppet / cfengine / chef. That'll keep things as you expect, and revert unexpected changes.

Combine that with something like iwatch to get emails of unauthorised file alterations.

Combine that further with rpm/deb files if needed to roll out custom applications.

Throw in something like rkhunter or chkrootkit now and then for kicks and you should be good to go.

Job done.

Solution 2:

Another alternative is to set up tripwire, which is GPL'ed software that spiders through all the important files on your system and determines which have changed in ways you have defined as unacceptable. Change can be defined as simply as mtime, through inode number, all the way to cryptographically-strong checksums.

It takes some setting up and tuning if you don't want to get a whole lot of reports every night about changed files in /var/run, changes in DHCP client files in /etc, and the like, but if you do go to that trouble, it can be very helpful indeed.

The database of file properties is signed with a key not known to the machine, which helps you have confidence that no tool has maliciously changed the database or the tripwire binaries. For complete certainty you can burn a copy of the tripwire tools and databases to a read-only medium, which can be mounted on the server and used to verify all changes since the disc was burned, if a complete forensic analysis is needed.

If you're going to do this, it's quite important to get tripwire set up and running before the machine is deployed into production, or you can never be completely sure that some malicious user didn't have a chance to infect the machine before it was tripwired.

Related

What are Ubuntu cloud images?
"rm: can not remove xxx: No Space left on device" on BTRFS
How to "restart" particular network interface on RHEL?
Should core system servers be able to connect to the internet for maintenance/support?
Connect to a Fortinet VPN with Ubuntu
Modifying columns of very large mysql tables with little or no downtime
Where can I find apache error_log on CentOS
SPF include vs redirect
How to allow elastic load balancer through port 80 in security groups?
SSH garbling characters in vim/nano on remote server
Why isn't my upstart service listed in service --status-all
Cron expression: difference between 0/1, 1/1 and *