- Determining What Constitutes Normal System Behavior
- Why Characterization Is Important
- 1: Document and Verify Characterization Trust Assumptions
- 2: Characterize Typical Network Traffic and Performance
- 3: Characterize the Expected System Configuration and Performance
- 4: Characterize Expected Process and User Behavior
- 5: Characterize Expected File and Directory Information
- 6: Generate an Inventory of System Hardware
- 7: Recognize the Iterative Nature of Data Collection and Characterization
- 8: Protect Characterization Information, Authoritative Reference Data, and Hardware Inventory to Ensure Their Integrity
- 9: Policy Considerations
1: Document and Verify Characterization Trust Assumptions
During the process of generating all characterization information (for both baselining and comparison purposes), explicitly document trust assumptions and continually verify that the results can be trusted. Trust assumptions will likely address these areas:
Operating system kernel (loaded from virus-free, secure distribution media)
Media where characterization tools are stored and from which they are installed
Cryptographic checksums and other authoritative reference data that constitute characterization data
For example, in support of generating cryptographic checksums, the MD5 program generates a unique, 128-bit cryptographic message digest value derived from the contents of a file. This value is considered to be a highly reliable fingerprint that can be used to verify the integrity of the file's contents. If as little as a single bit value in the file is modified, the MD5 checksum for the file changes. Forgery of a file in a way that causes MD5 to generate the same result as that for the original file is considered extremely difficult.
A set of MD5 checksums for critical system, application, and data files provides a compact way of storing information for use in periodic integrity checks of these files.
Details for the MD5 cryptographic checksum program are provided in RFC 1321. Source code and additional information are available via FTP from http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html.