The term “file integrity monitoring” came into common use once the PCI DSS standard made it a required security control.
It covers the technology that monitors and detects changes to files that may indicate a cyber attack. File integrity monitoring is a critical security control that needs to be simple to set up and configure. Furthermore, it needs to be more than simple change detection: the underlying technology needs to be tamperproof, and the alerting needs to live out of reach of the monitored system, so that an attacker who owns the host cannot silence it.
The file integrity monitoring process requires the following steps:
It's as simple as “Every security breach begins with a single change”!
It is very common for attackers to start with a single change, then watch how the system behaves and whether anything shows up in the log files.
When it comes to configuration files, even a small manipulation of one file can put your whole network at risk. File integrity monitoring is about tracking such changes to the files you want to protect.
It all starts with setting a baseline: record the integrity (a cryptographic hash) of a file or a whole folder, then alert on any unexpected deviation that might point to a security risk or a compromise. Whether it's a website hack, a phishing scam, malware, ransomware or an insider threat, your solution should alert you immediately.
The best file integrity monitoring fails if someone can either manipulate the baseline or deactivate the alert.
CodeNotary brings a big advantage compared to other solutions out there: its baseline is tamperproof!
The whole process uses tamperproof storage and an alerting system that is independent of the monitored systems or environments.
To start your file integrity monitoring, the only requirement is a local installation of the CodeNotary vcn command-line tool. You can find the latest release here:
and the documentation here:
When setting up your account, you also create the credentials used to start notarizing files and folders. The notarization process is what sets the file integrity baseline, and it also creates the alert that fires when a change is detected.
To connect your local system with your CodeNotary identity, you can simply type
To set up the first file integrity monitoring alert, just use the vcn notarize command and include the alert flag. In the following example we notarize the network interface configuration file (netplan) as well as the SSH configuration folder (/etc/ssh), which needs integrity monitoring too.
# notarize netplan configuration file
vcn notarize --create-alert --alert-name "netplan config of DESKTOP-82S443U" /etc/netplan/50-cloud-init.yaml
Now we notarize the /etc/ssh folder as well, to detect any changes to our secure shell settings.
vcn notarize --create-alert --alert-name "ssh config of DESKTOP-82S443U" --no-ignore-file dir:///etc/ssh
You might have noticed the --no-ignore-file flag. We used that flag to disable the creation of the .vcnignore file inside the /etc/ssh directory, because our user has no permission to write into that folder. But that also disables the change details, i.e. the names of the added, modified or deleted files.
To make sure that file changes inside a folder where the user has no write permission are still tracked with full details, use the --read-only flag instead:
vcn notarize --create-alert --alert-name "ssh config of DESKTOP-82S443U" --read-only dir:///etc/ssh
To activate the file integrity monitoring, simply run the integrity verification check:
vcn authenticate --alerts
It also makes sense to run that command from a cron job.
# add the following line to /etc/crontab (sudo nano /etc/crontab):
*/5 * * * * dennis /usr/local/bin/vcn authenticate --alerts
# or, as one command run as an elevated user (replace username with the account that runs the checks):
echo "*/5 * * * * username /usr/local/bin/vcn authenticate --alerts" >> /etc/crontab
That cron job runs the CodeNotary authenticate check every 5 minutes. As CodeNotary has a “dead man's switch” built in, an alert is also triggered if no authenticate command is received for one hour, so stopping the cron job or taking the host offline is itself reported.
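To make the baseline-and-verify idea from the introduction, the added/modified/deleted change details mentioned with the --read-only flag, and the dead man's switch behind the cron job concrete, here is a minimal file integrity check in POSIX sh. It is an added example written for this page; it is not code from the original post and not how CodeNotary's vcn works internally. It assumes sha256sum and awk are installed, that file names contain no whitespace, and that the baseline and heartbeat files (the /var/lib/fim paths in the usage comment are made up) live outside the monitored tree. Unlike vcn's notarization, this local baseline is not tamperproof: anyone who can write the baseline file can hide a change, which is exactly the failure mode the text warns about.

```sh
#!/bin/sh
# Added example (not part of the original post or of CodeNotary's vcn tool):
# a minimal baseline/verify loop in POSIX sh, plus a "dead man's switch" that
# fires when the periodic check stops reporting. Assumptions: sha256sum and awk
# are installed, file names contain no whitespace, and the BASELINE/STATE files
# live outside the monitored directory. This local baseline is NOT tamperproof.

# fim_baseline DIR BASELINE
# Record the SHA-256 of every regular file below DIR into BASELINE.
fim_baseline() {
    fim_dir=$1
    fim_base=$2
    ( cd "$fim_dir" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort -k 2 > "$fim_base"
}

# fim_verify DIR BASELINE
# Hash DIR again and compare against BASELINE. Prints one line per change
# (ADDED / MODIFIED / DELETED followed by the path), sorted, and returns 1 if
# anything changed, 0 otherwise, so a cron job can alert on the exit status.
fim_verify() {
    fim_dir=$1
    fim_base=$2
    fim_cur=$(mktemp)
    ( cd "$fim_dir" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort -k 2 > "$fim_cur"
    # First pass loads the baseline (path -> hash); second pass walks the
    # current state and reports differences; whatever is left over was deleted.
    fim_report=$(awk '
        NR == FNR { old[$2] = $1; next }
        {
            if (!($2 in old))        print "ADDED", $2
            else if (old[$2] != $1)  print "MODIFIED", $2
            delete old[$2]
        }
        END { for (f in old) print "DELETED", f }
    ' "$fim_base" "$fim_cur" | LC_ALL=C sort)
    rm -f "$fim_cur"
    if [ -z "$fim_report" ]; then
        return 0
    fi
    printf '%s\n' "$fim_report"
    return 1
}

# fim_heartbeat STATE
# Record the time of a completed verification run (call it after every check,
# whether or not the check found changes).
fim_heartbeat() {
    date +%s > "$1"
}

# fim_check_heartbeat STATE MAX_AGE_SECONDS
# Dead man's switch: return 1 if no run was recorded within MAX_AGE_SECONDS
# (or ever). Run this from a host that the monitored system cannot reach.
fim_check_heartbeat() {
    fim_state=$1
    fim_max=$2
    [ -f "$fim_state" ] || return 1
    fim_last=$(cat "$fim_state")
    fim_now=$(date +%s)
    [ $((fim_now - fim_last)) -le "$fim_max" ]
}

# Usage (paths are assumed; baseline once, then run the check from cron every 5 minutes):
#   fim_baseline /etc/ssh /var/lib/fim/ssh.baseline
#   if ! fim_verify /etc/ssh /var/lib/fim/ssh.baseline; then echo "ssh config changed" >&2; fi
#   fim_heartbeat /var/lib/fim/ssh.last
# and on the separate alerting host:
#   fim_check_heartbeat /var/lib/fim/ssh.last 3600 || echo "no check in the last hour" >&2
```

The split between the check (on the monitored host) and the heartbeat consumer (elsewhere) is the part that matters: an attacker who stops the cron job silences fim_verify but cannot stop fim_check_heartbeat from noticing the silence, which is the same property the text attributes to CodeNotary's built-in dead man's switch.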
When logging into the CodeNotary dashboard, you can find your configured file integrity monitoring alerts in the Alerts section. That way you can see the alerts of all your systems in one place,
or you can use the vcn command line to see just the alerts of the local system:
vcn alerts list
As long as no one has tampered with your files or folders, you don't receive any alerts by email, and none are shown in the dashboard.
But as soon as the file integrity changes, you immediately get an email alert:
For security reasons, the email doesn't disclose more information, but you can click the dashboard link and log in to see all details.
If you don't want to receive the alerts anymore, you can either acknowledge the alert or deactivate it completely.
All alert and file integrity data, including history, is stored immutably. If a change to a file or folder is intended and acceptable, you need to create a new alert (i.e. notarize the new state as the new baseline) and deactivate the “old” one.
We definitely recommend creating a dedicated user account for all file integrity checks, one that is never used to log in interactively. That keeps the account running the monitoring separate from the accounts an attacker is likely to compromise, so you are still alerted whenever important data is changed.
There is no excuse anymore to let others hijack or manipulate your system configuration files or important data. Using CodeNotary, you get a service that fulfils the requirements for secure and tamperproof file integrity monitoring. Protect your cloud services, protect your most important and critical data, and set up alerts for any file or folder change that might happen.