
Mac® Security Bible by Joe Kissell


23.1. Understanding File Integrity Monitoring

The term file integrity monitoring may sound very high-tech and complicated, but it's a very simple notion: letting you know when files change. Changes to files can range from obvious (deleting a file or adding a new one) to minor (adding data to an existing file) to subtle (changing ownership, permissions, or other metadata without affecting the file's contents). As someone who's concerned about the security of Macs on your network, you should be concerned with things like these:

  • Modifications to the components of Mac OS X itself (particularly anything in the /System folder) — by an installer, user action, or malware — without your permission or knowledge

  • Installation of server applications or other programs that aren't permitted or appropriate for your situation

  • Modification of system-wide preferences, firewall rules, and other vital security settings

  • Deletion of important data (which could mean that a person or a program is trying to cover up misbehavior)

  • Addition of user accounts without your express approval

With file integrity monitoring software, you take a snapshot of your disk as it appears in a known good state (such as right after a clean installation of Mac OS X) and then take additional snapshots on a regular basis, comparing them to the original (or to the previous one, as the case may be). Doing so gives you a clear, complete list of all the files that were different on your Mac between one time and the next. If you see ...
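The snapshot-and-compare workflow just described, as an added example that is not the book's own code or any product's API: it baselines a directory tree, takes a second snapshot, and reports which files were added, removed, changed in content, or changed only in ownership/permission metadata (the subtle case mentioned above). Function names and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Hash each regular file under root and record its mode and owner (hypothetical helper, not the book's)."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        snap[str(path.relative_to(root))] = {
            "sha256": h.hexdigest(),
            "mode": st.st_mode & 0o7777,  # permission bits, including setuid/setgid/sticky
            "uid": st.st_uid,
            "gid": st.st_gid,
        }
    return snap

def compare_snapshots(old, new):
    """Diff two snapshots into added, removed, content-changed and metadata-only changes."""
    report = {"added": [], "removed": [], "content": [], "metadata": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        elif old[name]["sha256"] != new[name]["sha256"]:
            report["content"].append(name)
        elif old[name] != new[name]:  # same bytes, different mode/uid/gid
            report["metadata"].append(name)
    return report

def demo():
    """Constructed scenario: baseline a small tree, then add, delete, edit and chmod files."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        for name in ("hosts", "pf.conf", "old.plist"):
            (etc / name).write_text(f"original {name}\n")
        baseline = snapshot(root)
        (etc / "hosts").write_text("original hosts\nappended line\n")  # content change
        (etc / "pf.conf").chmod(0o640)                                # permissions only
        (etc / "rogue.plist").write_text("new file\n")                # added
        (etc / "old.plist").unlink()                                  # removed
        return compare_snapshots(baseline, snapshot(root))
```

In practice the baseline should be stored somewhere the monitored machine cannot silently rewrite it, since a snapshot that an intruder can edit proves nothing.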
