[rt-users] How can I detect unauthorized changes to RT?

Michael Erana cto at lanusa.com
Thu Mar 30 05:36:25 EST 2006


Just to expand a bit on derSouris' and Jesse's suggestions:

I'd probably follow this process:

To monitor the actual files and mods:

1. Post install - create a repository on SVN or CVS and commit the base profile as a reference.
2. Secure access to the repository to a controlled account.
3. Create a cron job that runs a diff against the files on the file system vs. the repository, and create a hook script that will e-mail on change detection.

To monitor the DB schema:

1. Post install - dump the schema to a file.
2. Commit the known-good schema into the repository (created in the prior phase).
3. Use a similar script to #3 in the above phase, but first dump the schema over the older version (to refresh), then compare the current snapshot with the repository and alert as mentioned before.

That method will actually show you what changed... The Tripwire method is good for alerting on a change, but I can't recall how far Tripwire goes into actually telling you the nature of the change in the files. If I recall correctly, Tripwire simply does a hash comparison...

Regards,


Michael Eraña, CISSP
CTO
PC Network, Inc.
eranam at lanusa.com


|=> -----Original Message-----
|=> From: rt-users-bounces at lists.bestpractical.com 
|=> [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf 
|=> Of Jesse Vincent
|=> Sent: Wednesday, March 29, 2006 8:17 PM
|=> To: Marc Tisseur
|=> Cc: rt-users at lists.bestpractical.com
|=> Subject: Re: [rt-users] How can I detect unauthorized changes to RT?
|=> 
|=> 
|=> 
|=> 
|=> On Wed, Mar 29, 2006 at 12:29:39PM -0500, Marc Tisseur wrote:
|=> > Greetings,
|=> > 
|=> > I want to monitor my RT installation for unauthorized 
|=> changes. I can 
|=> > use an intrusion tool to detect changes to the files 
|=> (AIDE, Tripwire, 
|=> > etc), but I'm interested in changes to objects that are 
|=> stored in the 
|=> > database itself (e.g. global scrips, templates, custom fields).
|=> > 
|=> > Has anyone implemented a solution for a similar 
|=> requirement, or can 
|=> > offer better suggestions?
|=> > 
|=> 
|=> I've not seen this done before, but the suggestion that you 
|=> dump the relevant tables and look for changes seems sane. 
|=> Whatever you end up with, I'd be thrilled if you could 
|=> document it on http://wiki.bestpractical.com 
|=> 
|=> Thanks,
|=> Jesse
|=> _______________________________________________
|=> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users


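The schema-monitoring phase described above, as an added example that is not part of the original thread. It assumes a MySQL-backed RT (mysqldump available), an SVN working copy in $WORKDIR that already holds the committed known-good dumps, a local `mail` command, and that the RT tables holding the objects Marc asked about are named Scrips, Templates and CustomFields (check against your own schema); the normalize step is what keeps the hourly diff from alerting on every run.

```shell
#!/bin/sh
# Added example (not from the rt-users thread). Assumptions: MySQL RT
# database, SVN working copy at $WORKDIR with committed baseline dumps,
# `mail` for alerting, and the RT table names listed in snapshot().
DB=${RT_DB:-rt3}
WORKDIR=${RT_SNAPDIR:-/var/lib/rt-snapshots}
ALERT_TO=${RT_ALERT_TO:-rt-admin@example.com}

# mysqldump writes a timestamp trailer and the current AUTO_INCREMENT
# counters; both change on every run, so strip them before comparing.
normalize() {
    sed -e '/^-- Dump completed on /d' \
        -e 's/ AUTO_INCREMENT=[0-9]*//'
}

# Refresh the snapshot files in the working copy: schema only, plus the
# rows of the tables that hold scrips, templates and custom fields.
# --skip-extended-insert gives one INSERT per row, which diffs cleanly.
snapshot() {
    mysqldump --no-data "$DB" | normalize > "$WORKDIR/schema.sql"
    mysqldump --skip-extended-insert "$DB" Scrips Templates CustomFields \
        | normalize > "$WORKDIR/objects.sql"
}

# compare BASELINE CURRENT: print a unified diff on stdout.
# Exit status 0 = identical, 1 = changed (diff's own convention).
compare() {
    diff -u "$1" "$2"
}

# Cron entry point: fetch the committed copy, refresh, compare, alert.
run_check() {
    cd "$WORKDIR" || exit 2
    snapshot
    rc=0
    for f in schema.sql objects.sql; do
        svn cat "$f" > "$f.base" || exit 2
        if ! compare "$f.base" "$f" > "$f.diff"; then
            mail -s "RT change detected in $f on $(hostname)" "$ALERT_TO" < "$f.diff"
            rc=1
        fi
        rm -f "$f.base" "$f.diff"
    done
    return $rc
}

# crontab line (assumption): 0 * * * * /usr/local/sbin/rt-check.sh run
case "${1:-}" in run) run_check ;; esac
```

When run_check reports a change, review the e-mailed diff and, if the change is legitimate, commit the refreshed dump so it becomes the new baseline.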
