IN THIS CHAPTER
Learning why you should be aware of when your files change
Monitoring file integrity with Tripwire
Understanding the basics of Radmind and Samhain
Using Baseline or Sonar to determine what files have changed
Certain files on your computer — word-processing documents, spreadsheets, logs, caches, preference files, and so on — change pretty much every time you use them, and that's completely normal. However, some files should never change unless you explicitly install an update. That includes most of the components of Mac OS X itself, along with the majority of third-party applications. If these important, low-level files are changing without your active involvement, it may be a sign that malware is at work or that a network intruder is modifying your system behind your back.
File integrity monitoring (sometimes referred to as host integrity monitoring) simply means watching for unexpected file changes. If you watch the right files using the right tools, you can receive an appropriate warning when suspicious file modifications take place, enabling you to take immediate corrective action. As a bonus, these same techniques enable you to know with complete certainty exactly what components are copied to your hard disk when you install new software. If you've ever wondered where some mysterious file came from or worried that a program might have installed spyware or other nasty stuff behind your back, you can use the information in this ...