From the course: CompTIA Security+ (SY0-701) Cert Prep
File integrity monitoring
- [Instructor] File integrity monitoring is an important component of a defense-in-depth approach to cybersecurity. We have many different defenses designed to keep our endpoint systems safe. Antivirus software is designed to detect malicious files before they gain a foothold on endpoints. Centralized multifactor authentication prevents attempts to compromise user accounts. Host intrusion detection and prevention systems alert us to potential compromises and sometimes even block them. However, the principle of defense-in-depth suggests that we should have controls in place that can help us detect an intrusion even when those other systems fail. File integrity monitoring is a great example of this type of control. File integrity monitoring systems watch the file system of an endpoint or server for any unexpected changes and then report those changes to an administrator for further investigation. They perform this function by using cryptographic hash functions. Hash functions take an input of any size and transform it into a unique cryptographic hash value. File integrity monitoring systems run every monitored file through a cryptographic hash function and then store the resulting hash in a secure location. They then run the same checks on a periodic basis and compare the new hash values to the old hash values. If the hash changed, the integrity monitoring software knows that the file has changed and can then check its own configuration to see if that change was expected. Administrators of file integrity monitoring systems do need to perform some configuration to help the system determine what changes are expected and which are not. For example, you would certainly expect log files to change regularly on a computer system. If the file integrity monitor alerted each time a new log entry appeared in the file, you'd go nuts and turn it off. However, it would be noteworthy if a log file disappeared or shrank. 
On the other hand, if some of the core operating system executables change, that could be an indication of a malware infection and should be investigated carefully. File integrity monitoring often comes into an organization as a compliance requirement. For example, the Payment Card Industry Data Security Standard contains a clear requirement for using this technology. You can see here how that plays out in PCI DSS Requirement 11.5. Other organizations may find that their industry-specific regulations or audit requirements demand this type of monitoring. Let's take a look at a file integrity monitoring system in action. I'm here on a Linux server that's running the open source version of Tripwire, a package that implements file integrity monitoring. I'm going to go ahead and run a Tripwire check using the tripwire command with the --check option. Tripwire then scans the file system looking for changes that violate its security policy. And as you can see here, this summary report tells me that there were no violations. This means that none of the monitored files have changed since the last time that I updated the Tripwire database. Now let's go ahead and force a violation. I'm going to go ahead and edit the /etc/hosts.allow file, and I'm just going to add a line to the end of the file for all systems. Let's go ahead and save that file. And now I'm going to rerun the Tripwire --check. I happen to know that the hosts.allow file is one of the files that Tripwire is monitoring on this system. So when we run this check, we should see a violation because of that change that we just made. And now we see two violations. The /etc directory was modified when I updated this file, and then the /etc/hosts.allow file was modified. File integrity monitoring systems play an important role in a defense-in-depth approach to information security, often serving as the last line of defense against particularly tricky attacks.
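The mechanism the instructor describes (hash every monitored file, store the hashes somewhere an attacker cannot quietly rewrite, re-hash later and compare, and let policy decide which changes are expected) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not Tripwire's code and not part of the course. All names (`build_baseline`, `check_against_baseline`, `save_baseline`, `load_baseline`, `POLICY`, `demo`) are hypothetical, the sample files it creates are constructed in a temporary directory, and the demo key is a constructed placeholder. It goes one step beyond the video in two ways: log files under the policy's append-only prefix are allowed to grow but are reported if they shrink or disappear, as the transcript suggests, and the stored baseline carries an HMAC so tampering with the database itself is detected when it is loaded.

```python
"""Minimal file integrity monitor: baseline, HMAC-protected storage, check, policy.

Added example for this page (hypothetical code, not Tripwire's and not the course's).
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024

# Hypothetical policy: files under these prefixes are expected to grow (logs), so a
# content change there is only a violation if the file shrank or vanished.
POLICY = {"append_only_prefixes": ("var/log/",)}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash and size of every regular file below root, keyed by relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline: dict, out: Path, key: bytes) -> None:
    """Store the baseline with an HMAC tag so edits to the stored database are detectable."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    out.write_text(json.dumps({"tag": tag, "body": body}))


def load_baseline(src: Path, key: bytes) -> dict:
    """Refuse to use a baseline whose HMAC does not verify under the key."""
    doc = json.loads(src.read_text())
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline database failed integrity check")
    return json.loads(doc["body"])


def check_against_baseline(root: Path, baseline: dict, policy: dict = POLICY) -> list:
    """Return (kind, relative_path) violations: added, removed, modified, shrunk."""
    current = build_baseline(root)
    violations = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            violations.append(("added", rel))
        elif new is None:
            violations.append(("removed", rel))
        elif old["sha256"] != new["sha256"]:
            if not rel.startswith(policy["append_only_prefixes"]):
                violations.append(("modified", rel))
            elif new["size"] < old["size"]:
                violations.append(("shrunk", rel))
            # an append-only file that grew is an expected change and is not reported
    return violations


def demo() -> list:
    """Constructed scenario mirroring the video: baseline, then edit hosts.allow and logs."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as dbdir:
        root, db, key = Path(tmp), Path(dbdir) / "fim.db", b"constructed-demo-key"
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        (root / "var" / "log" / "auth.log").write_text("line1\nline2\n")
        (root / "var" / "log" / "syslog").write_text("a\nb\nc\n")
        (root / "var" / "log" / "old.log").write_text("x\n")
        save_baseline(build_baseline(root), db, key)
        # Changes after the baseline: one config edit, one normal log append,
        # one truncated log, one deleted log, one new file.
        with (root / "etc" / "hosts.allow").open("a") as f:
            f.write("# new entry added after baseline\n")
        with (root / "var" / "log" / "auth.log").open("a") as f:
            f.write("line3\n")
        (root / "var" / "log" / "syslog").write_text("a\n")
        (root / "var" / "log" / "old.log").unlink()
        (root / "etc" / "new.conf").write_text("k=v\n")
        return check_against_baseline(root, load_baseline(db, key))


def tamper_detected() -> bool:
    """Editing the stored database without the key is caught on load."""
    with tempfile.TemporaryDirectory() as tmp:
        db, key = Path(tmp) / "fim.db", b"constructed-demo-key"
        save_baseline({"etc/hosts.allow": {"sha256": "00", "size": 1}}, db, key)
        doc = json.loads(db.read_text())
        doc["body"] = doc["body"].replace('"size": 1', '"size": 2')
        db.write_text(json.dumps(doc))
        try:
            load_baseline(db, key)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:9} {rel}")
    print("baseline tamper detected:", tamper_detected())
```

The HMAC key stands in for what Tripwire achieves by signing its database with a site key: without it, an intruder who can modify a monitored file can usually also rewrite the stored hash to match, which is why the transcript stresses keeping the hashes in a secure location. The append-only rule is the policy tuning the instructor mentions; an `auth.log` that grew produces no report, while the truncated `syslog` and the deleted `old.log` do.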