General security

Introduction to Controlling the Integrity of the File System

Adrian Stolarski
September 19, 2012 by
Adrian Stolarski

Do you remember my article about physical security? If so, this article can be seen as its development. If there it is more focused on the security of an organization, I think I now will give two, maximum three articles on physical security of our own PC. However, I have a modest and quiet hope that they are useful for administrators to Linux and Unix, and not just their regular users.


What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Sometimes it happens that an attacker manages to take control of our system. Then their first step is to modify the system in such a way that the intrusion detection system is unable to perform its functions. How can we be safe from this threat? We can do only one thing, namely, we can carry out such a thing as checking the integrity of our system before it is about to start.

This article is not intended, contrary to appearances, only for administrators' operating systems. For sure it will be useful for all the other people who want to have a little bit of confidence that in their absence, none of the intruders made any changes to the software that is already installed on your computer.

How Can We Control the Integrity of the Files?

Of course, we can do this in a number of different ways. Some of them are better than others. All somehow can protect the integrity of the file system. A simple and accessible method to everyone is certainly to compare the file name with a predetermined pattern. We also compare in this way the size of the file, the time of last modification, and access rights.

But will we know whether such an approach is able to provide us with 100% security? Of course not, just that the intruder knows what he's doing. Remember that if you are making changes in a file, we really do not necessarily have to change its size. So it is the time of last modification and access rights. They can also be very easily modified by any clever intruder.

Checking File System Integrity Using the Hash Function

Of course there is also another way, but in reality it is only slightly better than the first. It involves calculating the checksum file, and then comparing them to the model that already exists in our country. As we often see on the Internet, either by downloading software from GitHub or party software companies, very often they also offer such things as software checksum. Mostly they use this for purposes such cryptographic algorithms like MD5 or SHA algorithms family.

It is one of the approaches which really gives you a bit more assurance that it will detect a violation of the integrity of files. Why is this happening? Because one of the characteristics of the hash function is a hash value. Although this way is not an easy task, in fact it is the opposite, namely when it comes to finding a hash function, the data giving the shortcut is really very difficult. In addition, this step also has some drawbacks.

One of them is that in spite of all, we need to store in a safe place hashes for each file in the system. It is an error to store the hash function together with the files to which they relate. Once an attacker can steal our patterns, he can easily change things in any way, not only the file to which it refers, but also the value of the hash function, which actually describes the file.

A Digital Signature and File System Integrity

There is also a third solution, which virtually eliminates the disadvantages of both the solutions of the first and second. It is the digital signature of each file. In this article I will describe from start to finish, how to generate a digital signature, and I'll do just a quick introduction to the technology. Now, to perform a digital signature, we use something called the private key, but if you want to check if it is correct, we use the public key.

Now, some may think that the keys are easy to break. Well, nothing could be more wrong. The two keys are related in such a way that it is not really possible to get the private key from the public key. Currently it is not possible to determine the key within a reasonable time. Consider, however, also a downside to this solution. Now, all kinds of algorithms for calculating and generating the digital signature are actually much more complex than those used to generate the checksums of files.

Need to Clarify - What Really is a Hash Function?

A hash function, which is used in both types of these algorithms, is a feature that converts any data or data string with a number, the length of which is pre-determined by the data hashing algorithm. With the use of most hash functions this may result. A problem can arise if two files have the same abbreviation system. So as we see, for each hash collisions can happen. The area of each hash function is always greater than its counterdomain.

The field hash function is a set of possible input data, while the counterdomain is a number of possible shortcuts. Of course you can always find the two sets of data, which will give the same acronym, but in practice it is really very time consuming and for this purpose should be done by brute force search. The editorial is InfoSec Institute's article on this phenomenon and perhaps it will see the light of day.

Devices to Protect the Integrity of the Physical File Systems

But I think we forget here about a very important factor, namely, consider what happens if the intruder already has taken control of our system. Now the attacker can thus modify our operating system or various intrusion detection systems, even the best security system and intrusion detection. Of course, if we put in a little work, we can easily protect ourselves against this risk. The solution to this problem is to control the integrity of your operating system before starting it.

And here we come with a variety of hardware solutions. They are now so specialized that they can be available not only in the form of a USB key, but also in the form of all kinds of memory cards and flash BIOS. Of course, these solutions also have their drawbacks. The first of these will surely be their high price. People inexperienced and unfamiliar with computer science may also not know how to install them on their computer.

In addition, we must take into account that they may not want or be able to work with some of the file systems used in Linux. There may be problems with the operation or ReiserFS file system ext4.

Do We Have Any Alternatives?

Of course we do. There are ways to combine several of the selected methods in a logical and coherent whole. We begin by discussing the first of these, perhaps the best of all. This method is really broken up loading the operating system in two logical steps. Both of them are very simple.

At the beginning of using a trusted medium, whether it is a DVD or CD or USB device, only the core operating system is loaded. It then performs a full check of the integrity of all that is really necessary for the security of the system files that are on your hard drive. In the second step proceeds with loading the system hard drive. And we're just slowly going to prepare for the creation of this type of system. But before we proceed to choose a program that will help us to ensure the integrity of the operating system, learn a little bit about how to run Linux.

Running Linux

As I mentioned, running Linux can be done in two steps, but it can also be done in only one step. In the case of a single stage, loading the kernel image memory with the appropriate parameters needed to run the operating system is via the bootloader, such as LILO or GRUB. Once the kernel takes control of your computer's operating system, the root filesystem is mounted. Then starts the file / etc / init, whose task is to continue to run the system and its initial configuration.

Running a Two-Step

If you are running in two stages there is a tremendous difference. Here, the system start-up program, in addition to the system kernel, loads it into memory or ramdisc, or something that simulates a normal hard drive, but it is in the RAM. Ramdisc contains only a minimal file system. Usually the case is that both the kernel and file system are compressed using gzip compression algorithm, and their unpacking is also involved in the program runtime. Then the kernel takes control of your computer and mounts the file system located on ramdisc.

Then starts the file / linuxrc. The file has only one task: a change in the root file system to the file system, which is the right one and located on the hard drive of your computer. Then, like when you run in a single step, it takes over control of all program / etc / init. It should also be remembered that ramdisc content is always available either in the directory / initrd or on the device / dev / initrd.

When is a Two-step Usually Run?

Booting the system in two steps is done in situations where it is necessary to prepare the file system prior to its installation. For example, it may happen that it is encrypted and must be initialized, and then connect to the device / dev / loop and ask the user for a password, which is needed to decrypt it. All these operations really execute the file / linuxrc placed on ramdisc.

It is any type of executable file. This can be either ELF format file and script, but in the case of a script, the ramdisc should find its interpreter. A two-step charging system will be needed in order to check whether at a time when we did not use a computer, no undesirable change was made to any of the important system files.


Alternatives to a two-step charging are: boot to liveCD and check the integrity of the host system or the use of TripWire snapshots. While the first solution is very easy and requires us to juggle plates, the second solution using TripWire we will address later, because even though it does not provide 100% certainty, it is certainly one of the most interesting.


Despite the fact that among the people involved in security, physical security equipment of the organization is ignored, this is a very interesting topic. It allows almost 100% protection of your computer against foreign interference, and certainly raises the bar higher. Note that sometimes it is a level too high for an attacker. So keep making his life as difficult as you can.

A lot of people forget this, but physical security is the first most important thing you should do. In fact, if we fail on this line it will not help us to have intrusion detection systems, firewalls, or the best software. So why do so many people forget about it? It's like with good programming techniques. Everyone has heard about them, so why would he start using them?

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

In the next article in this series, I will show you to charge a two-step program and control the integrity of the file system and install it yourself and learn how to use it. I just do not know what to use to make it show. Floppy disk? Or maybe a CD? Or flash memory or USB? Sam did not really know, so can you help me choose?

Adrian Stolarski
Adrian Stolarski

Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.