HIDS 552
Rule ID
552
Status
Active rule currently published.
Description
This rule is detects when a monitored file changes. This may be an authorized change, or an unauthorized change and these changes should be investigated further.
Guidance
Some files that ASL uses are also monitored for changes to ensure that they are not changed by unauthorized users or via a malicious action. For example, if you change your systems whitelist or blacklist, you should expect ASL to report changes to these files:
/etc/asl/whitelist
/etc/asl/blacklist
However, if you did not change any of ASLs settings, for example your whitelists or blacklists, this may be an indication that a malicious use has changed these on your system. All of ASL's configuration files are stored in /etc/asl. Changes to other directories are not related to the ASL GUI, and may have been conducted via other software, users, or even unauthorized or malicious users. You should always investigate file changes to verify that they were only conducted by authorized parties.
False Positives
There is no known false positive for this rule. This rule detects when files change, therefore, it is not recommended that you disable this rule. Instead, if you do not wish to be alerted when a specific file or files in a particular directory change, please log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.
Tuning Recommendations
If you do not wish to monitor the file or directory reported as changed, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References