Selecting Data on Important Files and Folders


For each file or folder, you need enough information to control all the changes that the file undergoes. This must include the file location (note that this must be a fully qualified path name rather than a relative path). For example, a change introduced to the system variables will result in all of the programs that use relative addressing (despite the convenience involved) being replaced by other programs, possibly modified or tweaked (Fig. 5.5).

Fig. 5.5. The system variables

Other information (Fig. 5.6) that can be of interest includes:

Fig. 5.6. Parameters of the controlled files

  • Alternative paths, such as links, alias names and shortcuts

  • Folder contents

  • File size (in bytes)

  • Date and time of file creation and last modification

  • File owner and access rights

We have already mentioned the minimum information required to control file and folder integrity. For vitally important files, it may be necessary to know the checksum values, which can be obtained using various integrity-control tools (such as Tripwire, MD5, L5, System Scanner and so on). This information, along with backup copies of the log files, the network map and other important data necessary for the intrusion detection infrastructure, must be stored on write-protected media (this topic will be covered in detail in Chapter 7). Before you begin selecting this information, it is necessary to determine which data must be controlled for which files. Otherwise, the integrity-control system could end up tracking the parameters of all files and consuming all available system resources. For example, when dealing with log files, there is no need to check the creation date and time, size and checksum, since this data is constantly changing. However, for such files, it is necessary to control parameters such as file location, owner and access rights.
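The selection described above, as an added example that is not from the book: a Python sketch that records only the attributes chosen for each kind of file, so that a growing log file is checked for location, owner and access rights only. The class names "static" and "log", the use of SHA-256 as the checksum and the sample file names are assumptions of this example.

```python
import hashlib, os, stat, tempfile

# Attributes controlled per kind of file (kind names are assumptions of this example).
POLICY = {
    "static": ("path", "size", "mtime", "owner", "mode", "sha256"),
    "log":    ("path", "owner", "mode"),   # size, times, checksum change constantly
}

def snapshot(path, kind):
    """Record only the attributes the policy selects for this kind of file."""
    full = os.path.realpath(path)          # fully qualified path, links resolved
    st = os.stat(full)
    values = {
        "path": full,
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
        "owner": (st.st_uid, st.st_gid),
        "mode": stat.S_IMODE(st.st_mode),  # access rights
    }
    if "sha256" in POLICY[kind]:
        with open(full, "rb") as fh:
            values["sha256"] = hashlib.sha256(fh.read()).hexdigest()
    return {k: values[k] for k in POLICY[kind]}

def changed(baseline, path, kind):
    """Return the sorted names of controlled attributes that differ from the baseline."""
    current = snapshot(path, kind)
    return sorted(k for k in baseline if baseline[k] != current[k])

def demo():
    """Constructed sample: one static file and one log file in a temporary folder."""
    with tempfile.TemporaryDirectory() as d:
        conf, log = os.path.join(d, "app.conf"), os.path.join(d, "app.log")
        for p, data in ((conf, b"port=22\n"), (log, b"start\n")):
            with open(p, "wb") as fh:
                fh.write(data)
            os.chmod(p, 0o600)
        base = {conf: snapshot(conf, "static"), log: snapshot(log, "log")}
        with open(log, "ab") as fh:         # normal log growth: not reported
            fh.write(b"login ok\n")
        grown = changed(base[log], log, "log")
        os.chmod(log, 0o644)                # access rights widened: reported
        widened = changed(base[log], log, "log")
        with open(conf, "wb") as fh:        # static file content replaced
            fh.write(b"port=2222\n")
        tampered = changed(base[conf], conf, "static")
        return grown, widened, tampered
if __name__ == "__main__":
    print(demo())
```

In real use the baseline returned by snapshot() would be written to write-protected media, as the text requires, rather than kept in memory.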




Protect Your Information with Intrusion Detection
Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
EAN: 2147483647
Year: 2001
Pages: 152
