An Embedded Sensor For Monitoring File Integrity

Get BibTex-formatted data

Download

PDF

Author

James P. Early

Tech report number

CERIAS TR 2001-41

Entry type

techreport

Abstract

This paper describes a method of monitoring file integrity (changes in file contents) using a collection of embedded sensors within the kernel. An embedded sensor is a small piece of code designed to monitor a specific condition and report to a central logging facility. In our case, we have built several such sensors into the 4.4 BSD kernel (OpenBSD V2.7) to monitor for changes in file contents. The sensors look for files which are marked with a specific system flag in the inode. When the sensors detect a file with this flag, they will report all changes to file contents made through the file system interface. This provides administrators with a valuable audit tool and supplies more reporting granularity than conventional file system integrity checkers (such as Tripwire). Our technique relies on only two fundamental file system characteristics. First, the file system object must have a provision for storing file characteristics (i.e. flags) within the object. Secondly, the file system must present a block device interface to the operating system. We show that system performance is not severely hampered by the presence of this monitoring mechanism given the select set of files that would be monitored in a conventional system and the beneficial audit data that results from monitoring.

Download

PDF

Date

2002 – 1 – 1

Institution

CERIAS

Key alpha

early

School

Purdue University

Publication Date

1900-01-01

Language

English

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Techreport{ early,
	title = "An Embedded Sensor For Monitoring File Integrity",
	author = "James P. Early",
	year = "2002",
	month = "1",
	institution = "CERIAS",
	school = "Purdue University",
	day = "1",
	abstract = "This paper describes a method of monitoring file integrity (changes in
file contents) using a collection of embedded sensors within the kernel. 
An embedded sensor is a small
piece of code designed to monitor a specific condition and report
to a central logging facility. In our case,
we have built several such sensors into the 4.4 BSD kernel (OpenBSD
V2.7) to monitor
for changes in file contents. The sensors look for files which are marked
with a specific system flag in the inode. When the sensors detect a
file with this flag, they will report all changes to file contents made
through the file system interface. This provides administrators with
a valuable audit tool and supplies more reporting granularity than
conventional file system integrity checkers (such as Tripwire).

Our technique relies on only two fundamental file system characteristics.
First, the file system object must have a provision for storing
file characteristics (i.e. flags) within the object. Secondly,
the file system must present a block device interface to the
operating system.

We show that system performance is not severely hampered by the
presence of this monitoring mechanism given the select set of 
files that would be monitored in a conventional 
system and the beneficial
audit data that results from monitoring.
",
	language = "English",
}