IT Baseline Protection Manual S 4.93 Regular integrity checking

S 4.93 Regular integrity checking

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Regular checking of the file system for unexpected changes helps to detect inconsistencies, and in this way attacks can also be detected quickly. If an attack has indeed taken place, it is important to reconstruct the attacker's course of action. On the one hand this ensures that users do not continue to work with corrupted data; on the other hand it allows hidden back doors to be detected which an attacker may have installed in order to regain access to the computer at a later date.

Programs which calculate cryptographic checksums across a large proportion of the files in the file system can be used for integrity checking. Tools offering this functionality under Unix include the tripwire program, some versions of which are also available free of charge, and the tool developed on behalf of the BSI for secure Unix administration (USEIT). Comparable programs are also available for the Windows NT operating system; there, in addition to the file system, it should also be possible to subject the registry keys to an integrity test.

tripwire and USEIT can detect any change to a file system because the stored checksums no longer match once a change has been made. They not only test whether a file's contents have been modified, they also detect changes to access rights, and whether a file has been deleted and subsequently reloaded. With a special setting, even read accesses to a file can be detected in most cases.

In order to prevent the program or the checksum file from being corrupted by an attacker, both should be stored on a data medium that can be switched to read-only (write-protected). Since the checksum file nevertheless has to be updated whenever legitimate changes are made to the file system, write-protectable floppy disks are recommended for small file systems and removable hard disks for larger systems.

An integrity check should be performed regularly, for example every night. Notification of the outcome should be sent automatically to the administrator by e-mail, even if no changes have been detected.
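The following is an added example, not part of the original measure or of tripwire/USEIT: a minimal checker in the style described above. It records a checksum, permission bits, owner and inode/ctime per file, compares a stored baseline against the current tree, and produces the report text that the nightly job would mail to the administrator even when nothing changed. The file names and contents in demo() are constructed for illustration.

```python
import hashlib, json, os, shutil, stat, tempfile

# Attributes whose change is reported: content hash, access rights, owner,
# and inode/ctime (a file deleted and reloaded gets a new inode or ctime).
WATCHED = ("sha256", "mode", "uid", "gid", "inode", "ctime")

def snapshot(root):
    """Walk root and record every regular file's watched attributes."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            db[os.path.relpath(path, root)] = dict(
                sha256=h.hexdigest(), mode=stat.S_IMODE(st.st_mode),
                uid=st.st_uid, gid=st.st_gid, inode=st.st_ino, ctime=st.st_ctime_ns)
    return db

def compare(baseline, current):
    """Return (path, reason) findings; an empty list means the tree is clean."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "added"))
        elif new is None:
            findings.append((rel, "removed"))
        else:
            findings.extend((rel, k + " changed") for k in WATCHED if old[k] != new[k])
    return findings

def report(findings):
    """Body of the nightly mail to the administrator; sent even when empty."""
    if not findings:
        return "Integrity check: no changes detected"
    return "Integrity check: %d finding(s)\n%s" % (
        len(findings), "\n".join("%s: %s" % f for f in findings))

def demo():
    """Constructed scenario: take a baseline, alter the tree, re-check."""
    root = tempfile.mkdtemp()
    try:
        for name, data in (("passwd", b"root:x:0:0\n"), ("ls", b"#!/bin/sh\nls\n"),
                           ("motd", b"hi\n"), ("hosts", b"127.0.0.1 localhost\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # Round-trip through JSON as if the baseline were reloaded from a write-protected medium.
        baseline = json.loads(json.dumps(snapshot(root)))
        with open(os.path.join(root, "ls"), "ab") as f:
            f.write(b"# extra line\n")                    # contents modified
        os.chmod(os.path.join(root, "passwd"), 0o777)     # access rights changed
        os.remove(os.path.join(root, "motd"))             # file deleted
        with open(os.path.join(root, "login.bak"), "wb") as f:
            f.write(b"x")                                 # new file appeared
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)
```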

Additional Controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999