Integrity checking is a method used to complement auditing in highly secure environments. The purpose of an integrity checker is to notify the administrator when something in the system has changed. For example, integrity checking can discover whether an attacker has replaced a system executable with a Trojan horse program. Integrity checking relies on a trusted program — the integrity checker — to check the integrity of itself (to some extent) and of other objects in NTFS or in the Windows registry.
Integrity checkers store cryptographic checksums of monitored system files and registry objects in an integrity database. The integrity checker must protect this database against tampering. You will need to build the integrity database when the system is installed, before the system is hooked up to a public network.
If you deploy an integrity checking system, set it up to run frequently. Monitoring is also simpler if the system is set up to send its reports by email to a central management host.
The major problem with integrity checking is the difficulty of keeping the integrity database up to date. If a system is under constant change, as are the HTML files on a frequently updated web server, the integrity checker reports a massive number of policy violations. For this reason, it’s important to carefully select what to monitor on a system, and to remember to rebuild the integrity database when an authorized change is ...
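As an added example (not from the original text), a minimal integrity checker in Python that follows the scheme described above: it builds a baseline of SHA-256 checksums for a monitored directory, seals the integrity database with an HMAC so that tampering with the database itself is detected, and reports files that were added, modified or removed. The directory, file names and HMAC key are constructed for the demonstration.

```python
import hashlib, hmac, json, os, tempfile

def sha256_file(path):  # cryptographic checksum of one monitored file
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):  # integrity database: relative path -> SHA-256, for every file under root
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = sha256_file(full)
    return db

def seal(baseline, key):  # protect the database: canonical JSON plus an HMAC under the checker's key
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"db": body, "mac": tag}).encode()

def load_sealed(blob, key):  # refuse a database whose HMAC does not verify (tampered on disk, wrong key)
    obj = json.loads(blob)
    expected = hmac.new(key, obj["db"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj["mac"]):
        raise ValueError("integrity database failed HMAC check")
    return json.loads(obj["db"])

def check(root, baseline):  # compare the current state with the baseline and report every difference
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def write(root, name, data):  # helper used only by the constructed scenario below
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def demo():  # constructed scenario: baseline a fake system directory, then simulate an intrusion
    root = tempfile.mkdtemp()
    write(root, "cmd.exe", b"original binary")
    write(root, "hosts", b"127.0.0.1 localhost")
    key = os.urandom(32)  # HMAC key; in practice kept on the management host, not on the monitored box
    blob = seal(build_baseline(root), key)  # baseline built before the host joins the network
    write(root, "cmd.exe", b"trojaned binary")  # system executable replaced with a Trojan horse
    os.remove(os.path.join(root, "hosts"))
    write(root, "evil.dll", b"dropped file")
    return check(root, load_sealed(blob, key))
```

Running `demo()` returns the report `{"added": ["evil.dll"], "modified": ["cmd.exe"], "removed": ["hosts"]}`; a sealed database whose contents were altered is rejected by `load_sealed` before any comparison is made.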