File integrity monitoring
File integrity monitoring is an internal control or process that performs the act of assuring integrity of operating system and application software files using a verification method between the current file state and the known, good baseline. This comparison method often involves calculating a known checksum of the operating system or file's original baseline and comparing with the calculated checksum of the current state of the operating system or application file.

Generally, the act of performing file integrity monitoring is automated using internal controls such as an application or process. Such monitoring can be performed randomly, at a defined polling interval, or in real-time.

Compliance Objectives

Multiple compliance objectives indicate file integrity monitoring as a requirement. Several examples of compliance objectives with the requirement for file integrity monitoring include:
  • PCI-DSS - Payment Card Industry Data Security Standard (Requirement 11.5)
  • SOX - Sarbanes-Oxley Act (Section 404)
  • NERC SIP - NERC Standard SIP (System Security R15-R19)
  • Department of Defense Information Assurance (IA) Implementation (DODI 8500.2)
  • FISMA - Federal Information Security Management Act (NIST SP800-53 Rev3)
  • HIPAA - Health Insurance Portability and Accountability Act of 1996 (NIST Publication 800-66)

Applications

Many File integrity monitoring applications exist to perform scheduled, polling interval, or real-time scanning.
  • CimTrak
  • Osiris
  • OSSEC
  • Samhain

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.