How UNIX/Linux security trap could affect you and why our solution should be used?


In data center, security traps on UNIX/Linux are very easy to set up and are very dangerous. For example, if you have a UNIX machine running very critical financial database, you will have a group of DBAs to support the database. On the machine, there is a dba account which the database uses to run on the machine, and the DBAs will need to use that account to perform database maintenance.

One day, one of the DBAs was punished by the company and he became unhappy with the company. In next few days, he wrote a simple script based on the .profile of the dba account on the machine. In the script, besides the original lines of the .profile, he added some SQL commands and then moves back the original .profile.  When he was on duty to work on the database, he “mv .profile .profile_save” and then put his script as the .profile before logs off from the machine.

A few hours or days later, another DBA was on duty and needed to work on the database, so he logged on to the dba account: without knowing the trap, the trap got triggered, and big money was illegally moved from one customer account to another. This DBA might still not know what happened.

When company found the problem, the money had already gone.

When to find the culprit, the obvious evidence was pointing to the innocent DBA, and probably you will not find clear evidence to capture the real culprit.

Now it should be clear how dangerous the security trap could be, and how easy it could be set up by internal malicious person.

It is not a question whether you should implement some solutions to combat this type of threat, but instead, how to combat this type of threat?

As to combat this type of threat involves detecting file change, so is normal file integrity monitoring software good for this?

If the software can give you trustworthy scan report about file integrity about those files, then after the malicious person set up the trap, if you run the software to scan those files, it should detect that the file got changed. But there are some questions here:

1.     Do you need to log on to the system to run the scan? If yes, then the account you used could have a trap, and when you log on, that trap could get triggered, causing losses for the company.

2.     How long after the trap was set up, the scan was run? What if before you ran the scan, the other DBA already logged on to the system, and the trap already got triggered.

3.     Even when the scan found that the file got changed, would you know what kind of changes were made, were those changes for security trap set up?

Now you can see that just using a file integrity monitoring software is not efficient enough to combat the threat.


WZIS Software’s solution combines WZSysGuard --- a FIM software that gives very trustworthy scan reports/CaclMgr --- a privilege delegation software that delivers very secure privilege delegation service/Apache --- the most widely used open source web server software/PHP --- the commonly used open source web server scripting language, allows your system/application/database administrators to use a web browser to run a scan for possible security trap detection, before logs on to the system; and allows your information/data security officers to use a web browser to verify the change of the file, if it’s a text file. This way, it can significantly reduce the risk of security trap, making your environment much more secure, and good people get better protection.