Abstract
This paper describes a method of monitoring file integrity (changes in file contents) using a collection of embedded sensors within the kernel. An embedded sensor is a small piece of code designed to monitor a specific condition and report to a central logging facility. In our case, we have built several such sensors into the 4.4 BSD kernel (OpenBSD 2.7) to monitor for changes in file contents. The sensors look for files which are marked with a specific system flag in the inode. When a sensor encounters a file carrying this flag, it reports every change to the file's contents made through the file system interface (changes written directly to the underlying device, bypassing the file system, are outside this scope). This provides administrators with a valuable audit tool and supplies finer reporting granularity than conventional file system integrity checkers (such as Tripwire), which can only observe at scan time that a file differs from its recorded baseline.

Our technique relies on only two fundamental file system characteristics. First, the file system object must have a provision for storing file characteristics (i.e. flags) within the object. Second, the file system must present a block device interface to the operating system.

We show that, for the small set of files an administrator would typically mark for monitoring on a conventional system, the performance cost of the mechanism is modest relative to the value of the audit data it produces.
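The following is an added user-space model of the sensor idea described above, not the paper's OpenBSD kernel code. It assumes a hypothetical inode flag bit `SF_MONITOR`, an in-memory inode with a small data area, and an audit log kept in an array in place of the kernel's central logging facility. A write path checks the flag, and when it is set, records the inode number, offset, length and a before-image of the bytes being overwritten. A Tripwire-style whole-file checksum is run before and after the same writes so the two kinds of reporting can be compared on constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag bit marking an inode for monitoring. The paper speaks of
 * "a specific system flag"; this name and value are assumptions for the model. */
#define SF_MONITOR    0x00400000u
#define FILE_DATA_SZ  256
#define MAX_RECS      32
#define OLD_SNAP      16

/* Minimal in-memory inode: only the fields the write path and sensor touch. */
struct inode {
    uint32_t      i_number;
    uint32_t      i_flags;
    size_t        i_size;
    unsigned char i_data[FILE_DATA_SZ];
};

/* One record handed to the (here: in-memory) central logging facility. */
struct audit_rec {
    uint32_t      ino;
    size_t        offset;
    size_t        len;
    size_t        old_len;         /* bytes of before-image captured */
    unsigned char old[OLD_SNAP];   /* before-image of the overwritten region */
};

static struct audit_rec audit_log[MAX_RECS];
static size_t audit_n;
static int scan_changed;           /* result of the Tripwire-style comparison */

/* Sensor: capture what is about to be overwritten and report it. */
static void sensor_report(const struct inode *ip, size_t off, size_t len)
{
    struct audit_rec *r;
    if (audit_n >= MAX_RECS)
        return;                    /* log full: dropped (a real sensor should count drops) */
    r = &audit_log[audit_n++];
    r->ino = ip->i_number;
    r->offset = off;
    r->len = len;
    r->old_len = len < OLD_SNAP ? len : OLD_SNAP;
    memcpy(r->old, ip->i_data + off, r->old_len);
}

/* Write path with the sensor embedded: unflagged inodes pay only one bit test. */
static int fs_write(struct inode *ip, size_t off, const void *buf, size_t len)
{
    if (off > FILE_DATA_SZ || len > FILE_DATA_SZ - off)
        return -1;
    if (ip->i_flags & SF_MONITOR)
        sensor_report(ip, off, len);   /* must run before the data changes */
    memcpy(ip->i_data + off, buf, len);
    if (off + len > ip->i_size)
        ip->i_size = off + len;
    return 0;
}

/* Scan-time checker in the Tripwire style: a checksum of the whole file. */
static uint32_t fnv1a(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

size_t audit_count(void) { return audit_n; }
const struct audit_rec *audit_get(size_t i) { return i < audit_n ? &audit_log[i] : NULL; }
void audit_reset(void) { audit_n = 0; }
int scan_saw_change(void) { return scan_changed; }

/* Constructed scenario: baseline scan, two writes to a flagged file, one write
 * to an unflagged file, second scan. Returns the number of sensor records. */
size_t run_scenario(void)
{
    struct inode passwd  = { .i_number = 1001, .i_flags = SF_MONITOR, .i_size = 0 };
    struct inode scratch = { .i_number = 2002, .i_flags = 0,          .i_size = 0 };
    uint32_t baseline;

    fs_write(&passwd, 0, "root:x:0:0::/root:/bin/sh\n", 26); /* constructed contents */
    baseline = fnv1a(passwd.i_data, passwd.i_size);           /* scan #1 */
    audit_reset();                                            /* count only post-baseline events */

    fs_write(&passwd, 5, "$1$x", 4);        /* tamper 1: overwrites "x:0:" */
    fs_write(&passwd, 18, "/bin/ksh", 8);   /* tamper 2: overwrites "/bin/sh\n" */
    fs_write(&scratch, 0, "tmp data", 8);   /* unflagged: no record */

    scan_changed = fnv1a(passwd.i_data, passwd.i_size) != baseline;  /* scan #2 */
    return audit_count();
}

int main(void)
{
    size_t n = run_scenario();
    printf("scan-time check: %s\n", scan_saw_change() ? "file changed (no detail)" : "unchanged");
    for (size_t i = 0; i < n; i++) {
        const struct audit_rec *r = audit_get(i);
        printf("sensor: ino %u off %zu len %zu old=\"%.*s\"\n",
               (unsigned)r->ino, r->offset, r->len, (int)r->old_len, r->old);
    }
    return 0;
}
```

The scan-time check collapses both tampering writes into a single "changed" verdict and says nothing about where or what was altered, whereas the sensor produces one record per write with offset, length and the overwritten bytes. The before-image is captured before `memcpy` because afterwards it is gone; a sensor placed after the copy would lose exactly the information that distinguishes it from a checksum.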