Archive for April, 2012

SBDavid

Increasing PHP security php functions

dl — Loads a PHP extension at runtime
This function is required for loading ionCube on the fly. However, if you run popular sites that use ionCube, the better way is to load it from php.ini anyway: not only for the speed increase, but also because you stay in control of the ionCube version and can make sure it matches your PHP version.

exec — Execute an external program
This function is required for XCart and for the spellcheck feature of Horde. There is nothing good about letting this function work. You could perhaps use safe_mode to designate a safe binary directory in which users can execute only the binaries you allow.

fsockopen — Open Internet or Unix domain socket connection
This function is unfortunately required by the VirtueMart PayPal module, and so it was removed from the example above. You can add it if you are sure that it won't break anything on your system.

Implement Periodic Execution of Integrity Checking

By default, AIDE does not install itself for periodic execution.

Implement checking with whatever frequency is required by your security policy.
A once-daily check may be suitable for many environments. For example, to
implement a daily execution of AIDE at 4:05am, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check

AIDE output may be an indication of an attack against your system, or it may
be the result of something innocuous such as an administrator’s configuration
change or a software update.

AIDE - Build, Store, and Test Database

Generate a new database:

# /usr/sbin/aide --init

By default, the database will be written to the file /var/lib/aide/aide.db.new.gz.

The database, as well as the configuration file /etc/aide.conf and the binary /usr/sbin/aide (or hashes of these files) should be copied and stored in a secure location. Storing these copies or hashes on read-only media may provide further confidence that they will not be altered.

Install the newly-generated database:

# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run a manual check:

# /usr/sbin/aide --check

If this check produces any unexpected output, investigate.
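The post says to keep trusted copies or hashes of the database, /etc/aide.conf and /usr/sbin/aide in a secure location. The following is an added example, not from the original post or from AIDE itself: it records SHA-256 hashes of those three files into a manifest and refuses to run the scheduled check if any of them no longer matches, so that a tampered database or binary cannot silently produce a clean report. The manifest path is an assumption; it should live on read-only or off-host storage.

```shell
#!/bin/sh
# Added example: guard the daily `aide --check` with a hash manifest of
# the components the check depends on. Paths below are the ones the post
# names; the manifest location is an assumption chosen for illustration.

AIDE_FILES="/var/lib/aide/aide.db.gz /etc/aide.conf /usr/sbin/aide"

# record_hashes MANIFEST FILE...: write "hash  path" lines for each file.
# Run this once, right after `aide --init` and installing the database,
# and copy the manifest to read-only media.
record_hashes() {
    manifest="$1"; shift
    : > "$manifest" || return 1
    for f in "$@"; do
        sha256sum "$f" >> "$manifest" || return 1
    done
}

# verify_hashes MANIFEST: succeed only if every listed file still matches.
# --strict makes a malformed manifest line a failure instead of a warning.
verify_hashes() {
    sha256sum --check --strict --quiet "$1"
}

# run_aide_check MANIFEST: verify the database, config and binary first;
# a mismatch means the baseline itself changed and the AIDE report could
# not be trusted, so stop and report instead of running the check.
run_aide_check() {
    if ! verify_hashes "$1"; then
        echo "AIDE components differ from manifest $1; investigate before trusting any check" >&2
        return 2
    fi
    /usr/sbin/aide --check
}

# Typical use (manifest path is an assumption):
#   record_hashes /mnt/readonly/aide.sha256 $AIDE_FILES
# and, in place of the bare cron command from the post:
#   05 4 * * * root /usr/local/sbin/aide-guarded-check /mnt/readonly/aide.sha256
# where that script sources these functions and calls run_aide_check "$1".
```

Because sha256sum --check reads the paths stored in the manifest, record the hashes with absolute paths so the cron job verifies the same files regardless of its working directory.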

SBDavid

Install AIDE

AIDE is not installed by default. Install it with the command:

# yum install aide


Customize Configuration File

Customize /etc/aide.conf to meet your requirements. The default configuration is acceptable for many environments.

The man page aide.conf(5) provides detailed information about the configuration file format.

SBDavid

Software Integrity Checking

The AIDE (Advanced Intrusion Detection Environment) software is included with the system to provide software integrity checking. It is designed to be a replacement for the well-known Tripwire integrity checker.

The RPM software also includes the ability to compare the hashes of installed files with those in its own metadata database. Integrity checking cannot prevent intrusions into your system, but it can detect that they have occurred. Such integrity checking software should be configured before the system is deployed and able to provide services to users.

Ideally, the integrity checking database would be built before the system is connected to any network, though this may prove impractical due to registration and software updates.
