Home > Articles > Security > Network Security

  • Print
  • + Share This
From the author of

5: Characterize Expected File and Directory Information

Characterization practices seek to identify the types of changes that are made in the file system; that is, what files are routinely changed, added, or deleted, and what directories are routinely changed, added, or deleted. For example, if the /etc/passwd file on a UNIX system or C:\autoexec.bat on a Windows 2000 system changes, are these changes routine?

Document the procedure to verify that the files and directories on the organization's systems are as expected and that they were created, modified, accessed, or deleted as expected. The type of information to capture should include the file and directory data described in Table 1 and should answer the following questions:

  • What files are on my system (name, type, attributes, and so on), and where do they reside?

  • How are files and directories affected during normal system operation (created, deleted, contents changed, accessed, permissions changed, location changed)?

Capture a cryptographic checksum for all files and directories. For example, Tripwire generates this information, as well as providing information about the state of the collection of files on the system (added or deleted), changes in state (protection changes), and the fact that changes to file contents have or have not occurred (but not what the actual changes are). Commercial versions of Tripwire are available for UNIX and Windows systems. On Windows-based platforms, Tripwire also identifies changes to the registry.

An administrator can define a database of file attributes and the acceptable changes to them. Once configured, Tripwire's output shows all of the anomalous file, directory, and registry behavior in one report. MD5 and other one-way hashing functions (such as SHA-1, RIPEMD-160, and HAVAL) can also be used to generate cryptographic checksums.


References for SHA-1 (Secure Hashing Algorithm), RIPEMD-160, and HAVAL (Hashing Algorithm with VAriable Length) can be found at http://www.users.zetnet.co.uk/hopwood/crypto/scan/md.html.

The following list describes some important files and directories to characterize:

  • Operating systems and configuration files

  • Access control lists

  • Applications

  • Security tools and data such as those used for integrity checking and detecting signs of intrusion

  • Organizational data such as financial reports and employee information

  • User data

  • Public information such as web pages

Some operating systems provide the capability to make files immutable, meaning that they are unchangeable by any process on the system, including system and administrative processes. All operating system and other files that don't need to be modified when a system is running should be made immutable, where possible.

Comparing previous file and directory information with current information allows an administrator to determine whether any file or directory has changed in an unexpected or suspicious manner.

  • + Share This
  • 🔖 Save To Your Account