Putting a whole Linux server under source control (git)
I am thinking about putting my whole Linux server under version control using git. The reason behind it being that that might be the easiest way to detect malicious modifications/rootkits. All I would naively think is necessary to check the integrity of the system: mount the Linux partition every week or so using a rescue system, check if the git repository is still untampered and then issue a git status to detect any changes made to the system.
Apart from the obvious waste in disk space, are there any other negative side-effects?
Is it a totally crazy idea?
Is it even a secure way to check against rootkits since I most likely would have to at least exclude /dev and /proc?
Solution 1:
That's a "Bad Idea" (tm). Aside from all else, your repository will run slow as all heck, and get worse as every revision is kept.
Try centralised management, like puppet / cfengine / chef. That'll keep things as you expect, and revert unexpected changes.
Combine that with something like iwatch to get emails of unauthorised file alterations.
Combine that further with rpm/deb files if needed to roll out custom applications.
Throw in something like rkhunter or chkrootkit now and then for kicks and you should be good to go.
Job done.
Solution 2:
Another alternative is to set up tripwire, which is GPL'ed software that spiders through all the important files on your system and determines which have changed in ways you have defined as unacceptable. Change can be defined as simply as mtime, through inode number, all the way to cryptographically-strong checksums.
It takes some setting up and tuning if you don't want to get a whole lot of reports every night about changed files in /var/run, changes in DHCP client files in /etc, and the like, but if you do go to that trouble, it can be very helpful indeed.
The database of file properties is signed with a key not known to the machine, which helps you have confidence that no tool has maliciously changed the database or the tripwire binaries. For complete certainty you can burn a copy of the tripwire tools and databases to a read-only medium, which can be mounted on the server and used to verify all changes since the disc was burned, if a complete forensic analysis is needed.
If you're going to do this, it's quite important to get tripwire set up and running before the machine is deployed into production, or you can never be completely sure that some malicious user didn't have a chance to infect the machine before it was tripwired.
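To make the tripwire idea concrete (and to show why the questioner's weekly git status from a rescue system is really a weaker version of it), here is a small shell script in the same spirit. It is an added example, not code from either answer and not part of Tripwire itself. It records a SHA-256 plus mode, owner, size, mtime and inode for every regular file under a mounted root, skips the pseudo-filesystems and churn directories the question worries about, and seals the manifest with an HMAC under a key that only the offline rescue system holds (HMAC stands in here for Tripwire's signed database). Assumptions: GNU coreutils (sha256sum, stat -c) and openssl are available, file names contain no newlines, and the paths, exclusion list and key are illustrative.

```shell
#!/bin/sh
# Tripwire-style baseline + check, sealed with an offline key. Added example,
# not Tripwire's own code. Assumes GNU coreutils and openssl.
set -u

# Paths (relative to the mounted root) that are pseudo-filesystems or churn
# constantly; tune this list instead of drowning in nightly noise.
EXCLUDES="./proc ./sys ./dev ./run ./tmp ./var/run ./var/log"

# Emit one line per regular file: sha256 mode uid gid size mtime inode path.
# Paths are relative to $1 so the manifest works when the disk is mounted
# under a rescue system at some other mount point.
build_manifest() {
    ( cd "$1" || exit 1
      set --
      for p in $EXCLUDES; do set -- "$@" -path "$p" -prune -o; done
      find . "$@" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
              "$(stat -c '%a %u %g %s %Y %i' "$f")" "$f"
      done )
}

# HMAC-SHA256 of the manifest under a key the monitored host never stores.
seal() {
    openssl dgst -sha256 -hmac "$2" < "$1" | sed 's/^.*= //'
}

# baseline ROOT MANIFEST KEY: write MANIFEST and MANIFEST.hmac (keep both off-box).
baseline() {
    build_manifest "$1" > "$2" && seal "$2" "$3" > "$2.hmac"
}

# check ROOT MANIFEST KEY: 0 = clean, 1 = files changed, 2 = manifest tampered.
check() {
    expected=$(cat "$2.hmac")
    actual=$(seal "$2" "$3")
    if [ "$expected" != "$actual" ]; then
        echo "MANIFEST TAMPERED: HMAC mismatch, do not trust its contents" >&2
        return 2
    fi
    current=$(mktemp)
    build_manifest "$1" > "$current"
    # '<' lines are baseline entries that no longer match (removed or changed);
    # '>' lines are current entries absent from the baseline (added or changed).
    if diff "$2" "$current" > "$current.diff"; then
        rm -f "$current" "$current.diff"
        echo "clean"
        return 0
    fi
    grep '^[<>]' "$current.diff"
    rm -f "$current" "$current.diff"
    return 1
}

# Usage from the rescue system, with the root filesystem mounted at /mnt:
#   sh integrity.sh baseline /mnt /media/usb/baseline.txt "$KEY"
#   sh integrity.sh check    /mnt /media/usb/baseline.txt "$KEY"
case "${1:-}" in
    baseline) baseline "$2" "$3" "$4" ;;
    check)    check "$2" "$3" "$4" ;;
esac
```

Two points follow from the answer above. First, the manifest and its HMAC must live on media the server cannot write (a USB stick in the rescue kit, a burned disc), otherwise an attacker who owns the box simply rebuilds both. Second, the baseline has to be taken before the machine goes into production; a baseline taken later only certifies that nothing changed since the compromise.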