Difference between revisions of "HIDS 551"
Latest revision as of 17:16, 20 October 2012
Rule ID
552
Status
Active rule currently published.
Description
This rule detects when a monitored file changes. The change may be authorized or unauthorized, and it should be investigated further either way.
Specifically, this rule detects file changes via integrity checks. This alert means that the file has changed.
Guidance
Some files that ASL uses are also monitored for changes to ensure that they are not modified by unauthorized users or by a malicious action. For example, if you change your system's whitelist or blacklist, you should expect ASL to report changes to these files:
/etc/asl/whitelist
/etc/asl/blacklist
However, if you did not change any of ASL's settings, for example your whitelists or blacklists, this may be an indication that a malicious user has changed them on your system. All of ASL's configuration files are stored in /etc/asl. Changes to other directories are not related to the ASL GUI and may have been made by other software, by users, or by unauthorized or malicious users. You should always investigate file changes to verify that they were made only by authorized parties.
False Positives
There are no known false positives for this rule. Because this rule detects any change to a monitored file, disabling it is not recommended. Instead, if you do not wish to be alerted when a specific file, or the files in a particular directory, change, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore that file or directory.
Tuning Recommendations
If you do not wish to monitor the file or directory reported as changed, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
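The following is an added illustration of the two ideas above, the integrity check behind this alert (a stored hash baseline compared against a fresh scan) and the tuning step of ignoring a file or directory. It is example code written for this page, not ASL or OSSEC code: the directory tree, the file contents and the ignore pattern are constructed inside the script, and the glob-style ignore list is an assumption standing in for the GUI's File Integrity exclusions.

```python
"""Minimal file-integrity check: baseline hashes, re-scan, report changes.

Added illustration only; it is not ASL/OSSEC code. The tree, file
contents and ignore pattern below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from fnmatch import fnmatch


def sha256_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, ignore=()):
    """Map each file under root (as a relative path) to its SHA-256.

    `ignore` holds glob patterns matched against the relative path; this
    is the assumed equivalent of 'ignore this file or directory' tuning.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch(rel, pat) for pat in ignore):
                continue
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences between two scans of the same root."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed scenario: an /etc/asl-like tree with one edited file,
    one new file, one deleted file and one change inside an ignored dir."""
    with tempfile.TemporaryDirectory() as root:

        def write(rel, text):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)

        os.makedirs(os.path.join(root, "etc", "asl", "cache"))
        write("etc/asl/whitelist", "10.0.0.5\n")          # constructed content
        write("etc/asl/blacklist", "203.0.113.9\n")       # constructed content
        write("etc/asl/cache/scan.tmp", "scratch\n")      # scratch data, to be ignored
        ignore = ("etc/asl/cache/*",)                     # assumed tuning exclusion
        before = build_baseline(root, ignore)

        # Simulated activity between the two integrity scans.
        write("etc/asl/whitelist", "10.0.0.5\n10.0.0.6\n")  # authorized edit
        write("etc/asl/new.conf", "setting=1\n")            # new file appears
        os.remove(os.path.join(root, "etc/asl/blacklist"))  # file removed
        write("etc/asl/cache/scan.tmp", "rewritten\n")      # ignored, not reported
        after = build_baseline(root, ignore)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Each reported path is the analyst's starting point: an entry under etc/asl that matches a change you made is expected, while an entry you cannot account for is the case the Guidance section says to investigate. The scratch file changes between scans but is never reported, which is exactly what excluding a directory in the File Integrity configuration buys you.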
Similar Rules
None.
Knowledge Base Articles
None.
Outside References