Integrity Control for Files and Folders


For integrity control, it is necessary to compare the current file parameters, described in the previous section, to the stored standard values of these parameters, so that you can identify any file-system characteristics that were changed since the last check. Detection of the replacement or alteration of operating system or application software files can be done using the operating system's built-in utilities. For example, the find utility (in UNIX) allows the detection of files that were changed during a specified time period [CIAC1-94].

    Luka# find / -mtime -ndays -ls

or

    Luka# find / -ctime -ndays -ls

The cmp utility, built into UNIX, is another tool that enables you to detect changes to specified files or directories. This utility can be used to compare the current versions of files with their standard copies:

    Luka# cmp /home/luka/vi /usr/bin/vi 

If you are working with Windows NT or Windows 2000, you can use the similar built-in OS tool named comp:

    comp c:\winnt\system32\drivers\etc\hosts d:\integrity-archive\OS\30.12.2001\hosts

Integrity control can be performed using various methods - from the simplest to the most complicated. It is up to you to select the optimal method to provide a reasonable balance between a high level of security and the efficiency of the system that you are protecting.
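The cmp comparison shown above checks one file against its standard copy; the following added example (not from the book) extends it to a whole archive of reference copies and also reports files that are missing from, or new in, the live tree. The function names and the MISSING/CHANGED/ADDED labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check a live tree against trusted reference copies with cmp.
# The MISSING/CHANGED/ADDED labels and function names are choices made here.

# scan_tree MODE BASE OTHER
#   MODE=ref : walk the reference files in BASE and check each against OTHER
#   MODE=live: walk the live files in BASE and report those absent from OTHER
scan_tree() {
    ( cd "$2" && find . ! -type d -exec sh -c '
        mode=$1 other=$2; shift 2
        for f do
            rel=${f#./}
            if [ ! -e "$other/$f" ] && [ ! -L "$other/$f" ]; then
                if [ "$mode" = ref ]; then echo "MISSING $rel"; else echo "ADDED $rel"; fi
            elif [ "$mode" = ref ]; then
                # A symlink or special file standing in for a regular file is a
                # change even when its content matches; otherwise compare bytes.
                if [ -L "$other/$f" ] || [ ! -f "$other/$f" ] ||
                   ! cmp -s "$f" "$other/$f"; then
                    echo "CHANGED $rel"
                fi
            fi
        done' sh "$1" "$3" {} + )
}

# integrity_check REF_DIR LIVE_DIR
# Prints one finding per line; returns 0 if the trees match, 1 if they differ,
# 2 on bad arguments.
integrity_check() {
    [ -d "$1" ] && [ -d "$2" ] || {
        echo "usage: integrity_check REF_DIR LIVE_DIR" >&2; return 2; }
    ref=$(cd "$1" && pwd) || return 2
    live=$(cd "$2" && pwd) || return 2
    findings=$( { scan_tree ref "$ref" "$live"
                  scan_tree live "$live" "$ref"; } | LC_ALL=C sort )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Script use: sh integrity.sh /path/to/reference /path/to/live
if [ $# -eq 2 ]; then integrity_check "$1" "$2"; fi
```

The reference copies are only as trustworthy as their storage, so keep the archive on read-only or offline media.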




Protect Your Information with Intrusion Detection
Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
EAN: 2147483647
Year: 2001
Pages: 152
