- Determining What Constitutes Normal System Behavior
- Why Characterization Is Important
- 1: Document and Verify Characterization Trust Assumptions
- 2: Characterize Typical Network Traffic and Performance
- 3: Characterize the Expected System Configuration and Performance
- 4: Characterize Expected Process and User Behavior
- 5: Characterize Expected File and Directory Information
- 6: Generate an Inventory of System Hardware
- 7: Recognize the Iterative Nature of Data Collection and Characterization
- 8: Protect Characterization Information, Authoritative Reference Data, and Hardware Inventory to Ensure Their Integrity
- 9: Policy Considerations
5: Characterize Expected File and Directory Information
Characterization practices seek to identify the types of changes that are made in the file system; that is, what files are routinely changed, added, or deleted, and what directories are routinely changed, added, or deleted. For example, if the /etc/passwd file on a UNIX system or C:\autoexec.bat on a Windows 2000 system changes, are these changes routine?
Document the procedure to verify that the files and directories on the organization's systems are as expected and that they were created, modified, accessed, or deleted as expected. The type of information to capture should include the file and directory data described in Table 1 and should answer the following questions:
What files are on my system (name, type, attributes, and so on), and where do they reside?
How are files and directories affected during normal system operation (created, deleted, contents changed, accessed, permissions changed, location changed)?
Capture a cryptographic checksum for all files and directories. For example, Tripwire generates this information, as well as providing information about the state of the collection of files on the system (added or deleted), changes in state (protection changes), and the fact that changes to file contents have or have not occurred (but not what the actual changes are). Commercial versions of Tripwire are available for UNIX and Windows systems. On Windows-based platforms, Tripwire also identifies changes to the registry.
An administrator can define a database of file attributes and the acceptable changes to them. Once configured, Tripwire's output shows all of the anomalous file, directory, and registry behavior in one report. MD5 and other one-way hashing functions (such as SHA-1, RIPEMD-160, and HAVAL) can also be used to generate cryptographic checksums.
References for SHA-1 (Secure Hashing Algorithm), RIPEMD-160, and HAVAL (Hashing Algorithm with VAriable Length) can be found at http://www.users.zetnet.co.uk/hopwood/crypto/scan/md.html.
The following list describes some important files and directories to characterize:
Operating systems and configuration files
Access control lists
Security tools and data such as those used for integrity checking and detecting signs of intrusion
Organizational data such as financial reports and employee information
Public information such as web pages
Some operating systems provide the capability to make files immutable, meaning that they are unchangeable by any process on the system, including system and administrative processes. All operating system and other files that don't need to be modified when a system is running should be made immutable, where possible.
Comparing previous file and directory information with current information allows an administrator to determine whether any file or directory has changed in an unexpected or suspicious manner.