File System Integrity
File integrity monitoring (FIM) is an internal control or process that validates the integrity of operating system and application files by comparing the current state of each file against a known-good baseline.
The comparison usually means computing a cryptographic hash of each file when the baseline is taken and comparing it with the hash computed from the file's current state; any difference means the file has changed.
Changes to specific files and folders can be tracked centrally: creation, access, deletion, modification, renaming, permission changes and more. Real-time alerts can also be raised the moment a monitored file or folder changes.
A snapshot of the file system in a trusted state is taken as the baseline; deviations from that baseline indicate a possible intrusion.
Checksums or cryptographic hashes of the files are recorded with the snapshot, and a changed checksum or hash reveals that a file has been altered.
A checksum is a sequence of digits and letters used to check data for errors. If you know the checksum of the original file, you can use a checksum utility to confirm that your copy is identical. A simple checksum such as a CRC only catches accidental corruption; detecting deliberate tampering requires a cryptographic hash.
Typical algorithms used to generate such checksums include MD5, SHA-1, SHA-256 and SHA-512. Each is a cryptographic hash function that takes an input of any size and produces a fixed-length string of digits and letters: a small 1 MB file and a massive 10 GB file both yield a digest of the same length. The outputs are also known as hash values or hashes. Even a one-bit change to a file produces a completely different hash, which is what makes small alterations visible. Note that MD5 and SHA-1 are no longer collision resistant, so an attacker can construct two different files with the same hash; for integrity monitoring prefer SHA-256 or stronger.
We create the baseline file so that we can compare the current files against it later. But what if the attacker changes the baseline itself? The comparison would then report tampered files as unchanged, so the baseline must be protected.
Hiding the contents of the baseline file, called data masking or data obfuscation (storing it in a binary format rather than plain text), is sometimes suggested. On its own this is obscurity rather than an integrity control: an attacker who can read and write the file can still decode and rewrite it.
Making the baseline file read-only and requiring the administrator's password before it can be altered raise the bar, but neither stops an attacker who already holds root or administrator privileges, since read-only permissions are reversed with one command. A stronger approach is to authenticate the baseline with a message authentication code (HMAC) or a digital signature whose key is not stored on the monitored host, or to keep the baseline on a central server or read-only media, so that local tampering is detected or prevented.
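The following added example (written for this page; it is not code from any FIM product) puts the hashing, baseline-comparison and baseline-protection points above into working Python. It snapshots a directory with SHA-256, diffs a later snapshot to report added, deleted and modified files, and stores the baseline with an HMAC so that an attacker who edits the baseline is detected. The directory contents, the file names and the HMAC key are constructed for the demonstration; in practice the key would be held by the central FIM server, not on the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"  # MD5/SHA-1 are collision-broken; use SHA-256 or stronger


def hash_file(path: Path) -> str:
    """Stream the file in 1 MB chunks: a 10 GB file needs no more RAM than a 1 MB one."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest, size and mode."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                HASH_ALGO: hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, deleted or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def save_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialise the baseline and append an HMAC-SHA256 tag computed with an off-host key."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest()
    return body + b"\n" + tag.encode()


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the baseline; raise if it was altered."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("baseline integrity check failed: baseline file was altered")
    return json.loads(body)


def demo() -> dict:
    """Constructed scenario: snapshot a temp tree, simulate an intrusion, diff, then
    show that editing the stored baseline is caught by the HMAC check."""
    key = os.urandom(32)  # assumption: fetched from the FIM server, never stored on the host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        blob = save_baseline(build_baseline(root), key)

        # Simulated intrusion: backdoor account, trojaned binary, dropped tool, removed file
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
        (root / "bin" / "nc").write_bytes(b"\x7fELF netcat")
        (root / "etc" / "hosts").unlink()
        report = compare(load_baseline(blob, key), build_baseline(root))

        # Simulated attacker flipping one bit inside the stored baseline
        tampered = bytearray(blob)
        tampered[5] ^= 0x01
        try:
            load_baseline(bytes(tampered), key)
            report["baseline_tamper_detected"] = False
        except ValueError:
            report["baseline_tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the constructed scenario's report: `bin/nc` added, `etc/hosts` deleted, `bin/ls` and `etc/passwd` modified, and the tampered baseline rejected. Recording size and mode alongside the hash lets the monitor flag permission changes that leave the contents untouched, and `compare_digest` avoids leaking the tag through timing.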