WZFileGuard
Your mission critical servers probably have already been
protected by some kind of firewall (if not, you should implement it asap) and
you probably have already used some kind of IDS software to help you to detect
network security penetrations, but read on, here is a software that could help
you to combat security threats that account for more than 50% of security
penetrations happened on critical business servers.
Our specialized WZFileGuard
software could help you much more efficiently to detect most common potential
security threats:
- Newly
installed SetUID/SetGID programs, or changes to existing SetUID/SetGID
programs: using malicious SetUID/SetGID programs, a normal account could
gain privilege to perform some tasks unauthorized.
- Changes
to system commands or system standard dynamic loadable libraries: by this,
a malicious person could change the behavior of system commands or
application programs to make others to trigger some functions for his/her
own purpose. For example, if /bin/ls command is replaced by a malicious
program, when system administrator logs on and runs the command, with root
privilege, you could imagine the capabilities the command has.
-
Changes to system configuration files: as an example, by changing
/etc/inetd.conf, a malicious person could use a specific network
program to open a back door to let him/her logs on to your server's
root account anytime without need the password.
- New
device files or changes to existing device files: by creating a new device
file with the same major:minor device numbers as /dev/kmem and set the new
device file’s permission to 666, any account on the server will be able to
see all contents in the system memory through this device file even though
the permission of /dev/kmem is still maintained at 600.
- Changes
to symbolic links under system directories: some commonly used system
command names or dynamic library names are symbolic links to real files.
By changing the symbolic links, the same effect could be achieved as to
change the real files.
- Changes
to user profiles (or RC files): by putting in the following command
- bad-program
&
in a user’s .profile, on a banking
application server, a malicious person could use this way to add in false
transactions. On a critical server with account sharing (several system
administrators share the root account; an account is shared by an application
and file transfer service; etc), this could be the most common security threat,
and needs be very closely monitored.
With password protection to registry file
generation/updating and checksum verification, unauthorized changes to
monitored filesystem objects and/or registry files can be easily detected
when the protection passwords are only known to the security officer who
generated the registry and runs the verification.
Compared with other similar software, WZFileGuard
will make security officer monitoring these kinds of security threat or
penetration much more efficient: it will only give you the real relevent
events for you to examine. For example, WZFileGuard
will not report new files under /tmp directory unless they are SetUID/SetGID
programs or device files which are possible to pose security threat: those
SetUID/SetGID files which are not executable by users other than the owner will
not be reported; device files which are only readable/writable by root will not
be reported:
-rws------ 1 root bin 9876 Jan 1 2002 /tmp/badfile
crw------- 1 root sys 1, 1 Jan 1 1970 /tmp/dev-mem
Here, although /tmp/badfile is SetUID to root, but no other users have the
permission to execute it, so WZFileGuard will not alert you about this
file's existence. Similarly, even though /tmp/dev-mem points to the same device
as /dev/mem, and this is a very security important device, WZFileGuard
will not alert you about it: it is not a security threat.