Problem: I need to be alerted if my server stops using legitimate name servers for hostname resolution.
As part of a compromise, an attacker may modify how the system converts well-known host names into IP addresses. This may be done to ensure the host cannot be patched, or to block updates to security software. Halo FIM can be leveraged to detect this type of activity by alerting on changes to the files that control resolution. Further, Halo itself is immune to these types of attacks.
There are two files we need to monitor for changes:
- /etc/hosts – local database of IP address to hostname mappings, consulted before any name server is queried
- /etc/resolv.conf – identifies the name servers to use for hostname resolution
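The check below is an added example, not Halo's own code: it fingerprints the two files the way a FIM rule does, and additionally parses them so that an untrusted nameserver in /etc/resolv.conf or an update host pinned in /etc/hosts raises a finding. The trusted-resolver set, watched hostnames and sample file contents are all constructed for the example.

```python
import hashlib

# Constructed values for this example: the name servers this host is meant to
# use and the update hosts an attacker would want to sinkhole.
TRUSTED_NAMESERVERS = {"10.0.0.53", "10.0.1.53"}
WATCHED_HOSTS = {"updates.example.com", "security-updates.example.com"}

def sha256(text):
    """FIM-style fingerprint of a file's contents for baseline comparison."""
    return hashlib.sha256(text.encode()).hexdigest()

def drifted(baseline_sha256, current_text):
    """True when the file no longer matches the recorded baseline hash."""
    return sha256(current_text) != baseline_sha256

def parse_resolv_conf(text):
    """Return nameserver entries in order; '#' and ';' start comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def parse_hosts(text):
    """Map every hostname and alias in /etc/hosts to its address."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            mapping[name.lower()] = parts[0]
    return mapping

def check_resolvers(text):
    """Findings for resolv.conf: an empty list means every resolver is trusted."""
    servers = parse_resolv_conf(text)
    findings = [] if servers else ["resolv.conf: no nameserver entries"]
    findings += [f"resolv.conf: untrusted nameserver {s}"
                 for s in servers if s not in TRUSTED_NAMESERVERS]
    return findings

def check_hosts(text, watched=WATCHED_HOSTS):
    """Findings for /etc/hosts: a watched name pinned locally bypasses DNS."""
    return [f"hosts: {name} pinned to {addr}"
            for name, addr in parse_hosts(text).items() if name in watched]

# Constructed sample contents standing in for the two files on a tampered host.
SAMPLE_RESOLV = "search example.com\nnameserver 10.0.0.53\nnameserver 203.0.113.7 ; added by an unknown process\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost ip6-localhost\n127.0.0.1 updates.example.com  # sinkholed patch server\n"

if __name__ == "__main__":
    for finding in check_resolvers(SAMPLE_RESOLV) + check_hosts(SAMPLE_HOSTS):
        print("ALERT:", finding)
```

On a live host, read the real files in place of the samples and store the baseline hashes somewhere the monitored system cannot rewrite them.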