Configure a Directory Integrity Check (Unix)
This control checks the integrity of the files and directories you are interested in and gives you up-to-the-minute visibility into changes to those files/directories and their permissions. It calculates hash-based file integrity at the directory level and automatically updates its snapshots after changes are detected.
Help me with the settings
Identify this control
The statement you provide is like the control name, describing what it is and how it should be implemented in the environment. You need to decide which category the control belongs to. This is important because users can search and filter controls by category and by keywords in the statement.
Scan Parameters
Specify the search parameters you wish to use. Indicate the starting point for the search (base directory) and define the criteria for what you want to find.
Base Directory
To begin, specify the base directory you wish to search, keeping it as precise as possible to minimize search time (the walk is bounded by the maximum search time set under Search Limits). Next, adjust the settings to indicate how many levels deep the search should go within the directory, and whether other file systems and symbolic links encountered during the search should be crossed or followed.
File/Directory Name
Use these fields to find files and directories based on name. Note that * is used by default for File Name Include and Directory Name Include, meaning that all files and directories match.
When entering a file name, be sure to include only the file name, not the path to the file. When entering a directory name, only include the directory, not a file name.
File System Object Types
Select each file system object type you want to include in the search. You can include all types or limit the search to only select types.
File Owner
Identify the users and groups that you want to match. You can identify users and groups either by name or ID.
Exclude the users/groups (Agent Only)
Exclude options let you leave out files owned by particular users/groups. Exclude options are only supported by Cloud Agent. When selected, the scan data for the control evaluation is collected by the agent and then filtered by the agent before it is reported.
To exclude users, enter a comma-separated list of user names and user IDs, and select Exclude the user(s).
To exclude groups, enter a comma-separated list of group names and group IDs, and select Exclude the group(s).
The exclude options are disabled if you choose Any User, Any Group or None.
Search Limits
Set search limits by defining the maximum search time and the maximum number of results to be returned. The search stops once either of these limits is reached.
Digest
Hash Type
The digest of each file/directory is calculated at scan time and is used for control evaluation. The hash type identifies the algorithm used to compute the file hash. The supported hash types are: MD5 (Insecure, compatibility matching only) 16-byte digest, SHA1 (Insecure, compatibility matching only) 20-byte digest, and SHA256 (Secure) 32-byte digest. Choose SHA256 unless you must match a baseline that was recorded with MD5 or SHA1: both older algorithms have practical collision attacks, so a digest computed with them cannot be relied on to detect deliberate tampering.
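To make the Scan Parameters and Hash Type settings above concrete, here is an added example (not Qualys code) of a small directory-integrity snapshot in Python. It walks a base directory with a depth limit, stays on the base file system unless told to cross, optionally follows symbolic links, filters by file/directory name and by excluded UIDs/GIDs, stops when the time or result limit is reached, records mode/owner/group for every object type, and hashes regular files with the selected algorithm. A second function compares two snapshots to report added, removed, modified and permission-changed entries. All parameter names, the choice that a non-matching directory name prunes the whole subtree, and the scratch tree built by demo() are assumptions for illustration, not the product's internal behaviour.

```python
import fnmatch
import hashlib
import os
import stat
import tempfile
import time

# The control's three hash types. MD5 and SHA1 are collision-prone and are
# kept only to match baselines already recorded with them; SHA256 is secure.
HASH_TYPES = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def file_digest(path, hash_type="SHA256", chunk_size=65536):
    """Stream the file through the chosen algorithm and return a hex digest."""
    h = hashlib.new(HASH_TYPES[hash_type])
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(base_dir, hash_type="SHA256", max_depth=5, follow_symlinks=False,
             cross_filesystems=False, file_include="*", dir_include="*",
             exclude_uids=(), exclude_gids=(), max_seconds=60, max_results=100000):
    """Walk base_dir and return {relative_path: (mode, uid, gid, digest)}.
    Object types other than regular files get digest None, so the snapshot
    still records their existence, owner and permission bits. The walk stops
    as soon as either search limit is reached, as the control does.
    (Parameter names are this example's own assumptions.)"""
    base_dir = os.path.abspath(base_dir)
    base_dev = os.lstat(base_dir).st_dev
    deadline = time.monotonic() + max_seconds
    entries = {}
    for root, dirs, files in os.walk(base_dir, followlinks=follow_symlinks):
        depth = 0 if root == base_dir else root[len(base_dir):].count(os.sep)
        kept_dirs = []
        for name in dirs + files:
            if time.monotonic() > deadline or len(entries) >= max_results:
                return entries                      # search limit reached
            full = os.path.join(root, name)
            st = os.lstat(full)
            is_dir = name in dirs
            if depth + 1 > max_depth:               # beyond the level limit
                continue
            if not cross_filesystems and st.st_dev != base_dev:
                continue                            # lives on another file system
            if not fnmatch.fnmatch(name, dir_include if is_dir else file_include):
                continue                            # name filter (assumed: prunes subtree)
            if st.st_uid in exclude_uids or st.st_gid in exclude_gids:
                continue                            # excluded owner
            if is_dir:
                kept_dirs.append(name)              # os.walk only descends into these
            if stat.S_ISLNK(st.st_mode) and follow_symlinks:
                st = os.stat(full)                  # hash the link target instead
            digest = None
            if stat.S_ISREG(st.st_mode):
                try:
                    digest = file_digest(full, hash_type)
                except OSError:
                    digest = None                   # unreadable: record without hash
            rel = os.path.relpath(full, base_dir)
            entries[rel] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, digest)
        dirs[:] = kept_dirs
    return entries


def compare(before, after):
    """Diff two snapshots into the change classes a reviewer wants to see."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified, perms_changed = [], []
    for path in sorted(set(before) & set(after)):
        b, a = before[path], after[path]
        if b[3] != a[3]:
            modified.append(path)                   # content digest differs
        if b[:3] != a[:3]:
            perms_changed.append(path)              # mode/uid/gid differs
    return {"added": added, "removed": removed,
            "modified": modified, "perms_changed": perms_changed}


def demo():
    """Constructed scratch tree: take a baseline, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "etc", "deep", "deeper"))
        passwd = os.path.join(tmp, "etc", "passwd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0\n")
        os.chmod(passwd, 0o644)
        with open(os.path.join(tmp, "etc", "deep", "deeper", "far.conf"), "w") as fh:
            fh.write("beyond max_depth, so never snapshotted\n")
        baseline = snapshot(tmp, max_depth=2)
        # Simulated tampering: appended content, tightened mode, new file.
        with open(passwd, "a") as fh:
            fh.write("evil:x:0:0\n")
        os.chmod(passwd, 0o600)
        with open(os.path.join(tmp, "etc", "shadow"), "w") as fh:
            fh.write("root:!:0\n")
        current = snapshot(tmp, max_depth=2)
        return baseline, current, compare(baseline, current)


if __name__ == "__main__":
    print(demo()[2])
```

The depth limit, file-system boundary, owner exclusion and both search limits are applied inside the walk so the scan never touches entries the control would not report; the comparison step is what the "snapshot" and Pass/Fail evaluation described later on this page do with the returned digests.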
Data Type
The actual value returned for this control is a String: the scan results carry the digest data as a string value.
Description
The control description will appear in compliance policies and reports. If you change the description at a later time, the description will be updated for all controls that use the same set of parameters.
Control Technologies
Your control may apply to many technologies. Select each technology and provide a rationale statement and expected value.
If you plan to enter the same settings for each technology, you only need to do it once. Make your selections in the "Default Values" section first and then select the check box for each technology you want. You'll see the settings copied automatically to each technology you select.
Make these settings
Rationale - Enter a rationale statement describing how the control should be implemented for each technology.
Expected Value
You have the following options:
Automatically set the value
The "Use scan data as expected value" option is selected for you initially. This means we'll set the expected value for you based on the actual value returned by the scan. You'll see "regular expression" for the Operator and "USE_SCAN_VALUE" for the Default Value.
Manually set the value
If you clear/disable the "Use scan data as expected value" option, then you can customize the directories/files that are included in snapshots used to calculate integrity and Pass/Fail status. Select from the Cardinality and Operator options listed. We recommend you set the Default Value to .* (to match any value) and then check the actual value returned by the scan in a policy report. Then you can copy/paste the actual value into your policy.
See Directory Integrity Checks - Use Scan Data as Expected Value to learn more.
References
Add up to 10 references for the control. These may be references to internal policies, documents and web sites. For each reference, enter a description, a URL or both. When providing a URL, you must start the URL with http://, https:// or ftp://. For example, enter http://www.qualys.com to link to the Qualys web site. Once added, users have the option to include references in policy reports.
Agent Scan
You'll see the Agent Scan tab in the control when you have Cloud Agent. This tab includes options that apply only when using cloud agent scan data. See Agent UDC Support to learn about these options.
Ready to Scan
You must select this setting in the option profile you apply to your scan: Enable the Dissolvable Agent. When editing your profile, you'll find this setting under Dissolvable Agent (in the Scan section).
Related Topics
Directory Integrity Checks - Use Scan Data as Expected Value