dawgmon - Dawg the Hallway Monitor
The name of this tool is based upon an episode (season 10, episode 10) of South Park in which Cartman is Dawg the Hallway Monitor patrolling the hallways of his school. It's a tool which helps one to monitor changes which have taken place on a Linux-based system since the previous time the tool was ran. One way to use it is to use something like the included sample cronjob to run dawgmon on a regular interval and email the results to the system administrator. This can help with identifying machines upon which nefarious things are happening and monitor who's installing what and where. Please note that any serious kernel backdoor will easily be able to hide itself from this tool and as such it's just one added tool in one's toolkit but it should not relied upon for full security monitoring of Linux machines. It's just one extra option in one's toolbox.
The other way it's useful is by generating a baseline before installing a piece of software. Then after installing this piece of software one will run the tool again and then it's easy to see which changes were made on the system. An example after establishing a baseline and then installing virtualbox on a machine might yield something like this:
# ./dawgmon -gfA
1 change detected (0 warnings)
+ systemd property NNames changed from 259 to 261
# apt install virtualbox-5.1
[...]
# ./dawgmon -gfA
33 changes detected (0 warnings)
+ size of file /etc/group changed from 937 to 954
+ file /etc/group got modified on 2017-09-14 19:29:51.804811 +0200
+ size of file /etc/group- changed from 934 to 937
+ file /etc/group- got modified on 2017-09-14 19:29:14.000000 +0200
+ file /etc/gshadow got modified on 2017-09-14 19:29:51.812811 +0200
+ size of file /etc/gshadow- changed from 777 to 794
+ size of file /etc/mailcap changed from 40777 to 41063
+ file /etc/mailcap got modified on 2017-09-14 19:29:51.632812 +0200
+ file /etc/systemd/system/multi-user.target.wants/vboxautostart-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=49)
+ file /etc/systemd/system/multi-user.target.wants/vboxballoonctrl-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=51)
+ file /etc/systemd/system/multi-user.target.wants/vboxdrv.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=35)
+ file /etc/systemd/system/multi-user.target.wants/vboxweb-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=43)
+ file /etc/udev/rules.d/60-vboxdrv.rules got created (owner=root, group=root, perm=-rw-r--r--, size=747)
+ group vboxusers added
+ package virtualbox-5.1 is to be installed
+ suid binary /usr/lib/virtualbox/VBoxHeadless got created (owner=root, group=root, perm=-r-s--x--x, size=158304)
+ suid binary /usr/lib/virtualbox/VBoxNetAdpCtl got created (owner=root, group=root, perm=-r-s--x--x, size=23144)
+ suid binary /usr/lib/virtualbox/VBoxNetDHCP got created (owner=root, group=root, perm=-r-s--x--x, size=158304)
+ suid binary /usr/lib/virtualbox/VBoxNetNAT got created (owner=root, group=root, perm=-r-s--x--x, size=158304)
+ suid binary /usr/lib/virtualbox/VBoxSDL got created (owner=root, group=root, perm=-r-s--x--x, size=158296)
+ suid binary /usr/lib/virtualbox/VBoxVolInfo got created (owner=root, group=root, perm=-r-s--x--x, size=10472)
+ suid binary /usr/lib/virtualbox/VirtualBox got created (owner=root, group=root, perm=-r-s--x--x, size=158304)
+ i-node for listening UNIX socket /run/systemd/private changed from 3428734 to 3452848
+ systemd property NInstalledJobs changed from 8392199 to 3238035463
+ systemd property NNames changed from 261 to 263
+ systemd unit file vboxautostart-service.service added
+ systemd unit file vboxballoonctrl-service.service added
+ systemd unit file vboxdrv.service added
+ systemd unit file vboxweb-service.service added
+ systemd unit 'vboxautostart-service.service' added
+ systemd unit 'vboxballoonctrl-service.service' added
+ systemd unit 'vboxdrv.service' added
+ systemd unit 'vboxweb-service.service' added
Post a Comment