Directory Integrity Checks - Use Scan Data as Expected Value

A Directory Integrity Control checks the integrity of the files and directories you're interested in and gives you up-to-the-minute visibility into changes to those files/directories and their permissions. It calculates hash-based file integrity at the directory level and automatically updates its snapshots after changes are detected.

Set up controls for Windows | Unix 


Ready to scan?

You must select this setting in the option profile you apply to your scan: Enable Dissolvable Agent. When editing your profile, you'll see this setting under Dissolvable Agent (in the Scans section).


Use scan data as expected value

The files/directories selected are based on the control's scan parameters. Be sure to take these steps: 1) enable "Use scan data as expected value" (under Control Technologies) in the control, and 2) enable "Auto Update expected value" in the option profile you'll use for scanning.

If you have Cloud Agent, 1) enable "Use scan data as expected value" (under Control Technologies) in the control, and 2) enable "Auto Update expected value" in the Agent Scan tab. When enabled, we'll update this control's expected value with the actual value collected from each cloud agent scan. Learn more about Agent UDC Support.

Because the expected value is overwritten by each agent scan, a change is only visible as a Fail until the next scan runs. To generate reports that reflect the results of each agent scan, schedule your compliance reports to run in between the scan interval defined for your agents.

Sample 1 - Expected and Actual digest values match (Pass). This means no changes were found.


Sample report with Directory Integrity Check - Expected and Actual values match (Pass)

Sample 2 - Expected and Actual digest values do not match (Fail). This means there were changes to files/directories as listed.


Sample report with Directory Integrity Check - Expected and Actual values do not match (Fail)

Customize file/directory selection

When "Use scan data as expected value" is disabled, you can customize which directories/files are included in the snapshots used to calculate file integrity and the Pass/Fail status (under Default Values). To get started, we recommend you set the default value to .* (a regular expression that matches any value) and then check the actual value returned by the scan in a policy report. You can then copy/paste that actual value into your policy as the expected value; from that point on, any difference between the expected and actual values is reported as a Fail.

Sample 1 - Expected and Actual values match (Pass). This means no changes were found.


Sample report with Directory Integrity Check - Expected and Actual values match (Pass)

Sample 2 - Expected and Actual values do not match (Fail). This means there were changes to files/directories as listed. You'll notice that the digest for File1.txt is different because the file contents changed.

Sample report with Directory Integrity Check - Expected and Actual values do not match (Fail)
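The following is an added example, written for this page and not Qualys product code, that models what the two sections above describe: a snapshot of per-file digests and permission bits under a base directory, a directory-level digest built from that snapshot, an Expected/Actual comparison that yields Pass/Fail with the changed files listed (as in the sample reports), and the "Auto Update expected value" behaviour in which the actual value of one scan becomes the expected value of the next. The names (snapshot, compare, DirectoryIntegrityControl), the use of SHA-256, the regular-expression selection of files, the "BASELINE" status for the first scan, and the sample File1.txt/File2.txt tree are all assumptions made for the example; the real control's selection syntax, hash algorithm and report layout are not shown on this page.

```python
"""Added example (not Qualys code): a minimal hash-based directory integrity
control with Expected/Actual comparison and auto-updated expected values."""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# relative path -> (sha256 hex digest, permission bits as octal string)
Snapshot = Dict[str, Tuple[str, str]]


def snapshot(base: str, pattern: str = r".*") -> Optional[Snapshot]:
    """Record digest + permissions for every file under `base` whose relative
    path fully matches `pattern` (".*" selects everything, like the page's
    suggested default). Returns None when the base directory does not exist;
    how that maps to Pass/Fail is product-specific and not modelled here."""
    root = Path(base)
    if not root.is_dir():
        return None
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if not re.fullmatch(pattern, rel):
                continue
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            snap[rel] = (h.hexdigest(), oct(stat.S_IMODE(p.stat().st_mode)))
    return snap


def directory_digest(snap: Snapshot) -> str:
    """Directory-level digest over the sorted (path, digest, mode) entries; any
    content, permission, add or delete changes it. This is the single value the
    Expected/Actual digest comparison in the sample reports boils down to."""
    h = hashlib.sha256()
    for rel in sorted(snap):
        digest, mode = snap[rel]
        h.update(f"{rel}\0{digest}\0{mode}\n".encode())
    return h.hexdigest()


def compare(expected: Snapshot, actual: Snapshot) -> dict:
    """Pass/Fail plus the per-file reasons a report would list."""
    changes: List[Tuple[str, str]] = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            changes.append((rel, "removed"))
        elif rel not in expected:
            changes.append((rel, "added"))
        else:
            e_digest, e_mode = expected[rel]
            a_digest, a_mode = actual[rel]
            if e_digest != a_digest:
                changes.append((rel, "content changed"))
            if e_mode != a_mode:
                changes.append((rel, f"permissions {e_mode} -> {a_mode}"))
    return {
        "status": "PASS" if not changes else "FAIL",
        "changes": changes,
        "expected_digest": directory_digest(expected),
        "actual_digest": directory_digest(actual),
    }


class DirectoryIntegrityControl:
    """'Use scan data as expected value': the first scan seeds the expected
    value (status BASELINE, an assumption of this example); later scans compare.
    With auto_update=True the actual value replaces the expected value after
    every scan, so a change shows as FAIL only on the scan that first sees it."""

    def __init__(self, base: str, pattern: str = r".*", auto_update: bool = True):
        self.base, self.pattern, self.auto_update = base, pattern, auto_update
        self.expected: Optional[Snapshot] = None

    def scan(self) -> dict:
        actual = snapshot(self.base, self.pattern)
        if actual is None:
            return {"status": "NO_BASE_DIR", "changes": []}
        if self.expected is None:
            self.expected = actual
            return {"status": "BASELINE", "changes": []}
        result = compare(self.expected, actual)
        if self.auto_update:
            self.expected = actual
        return result


def run_demo() -> List[dict]:
    """Constructed walk-through on a throwaway tree: baseline, content change,
    no change (expected value was auto-updated), permission change, new file."""
    with tempfile.TemporaryDirectory() as tmp:
        f1, f2 = Path(tmp) / "File1.txt", Path(tmp) / "File2.txt"
        f1.write_text("original contents\n")
        f2.write_text("unchanged\n")
        os.chmod(f1, 0o644)
        os.chmod(f2, 0o644)
        ctl = DirectoryIntegrityControl(tmp, pattern=r".*\.txt")
        results = [ctl.scan()]            # BASELINE
        f1.write_text("tampered contents\n")
        results.append(ctl.scan())        # FAIL: File1.txt content changed
        results.append(ctl.scan())        # PASS: expected value now matches
        os.chmod(f2, 0o444)
        results.append(ctl.scan())        # FAIL: File2.txt permissions changed
        (Path(tmp) / "File3.txt").write_text("new\n")
        results.append(ctl.scan())        # FAIL: File3.txt added
    return results
```

The third result in run_demo is the practical point behind the advice to schedule reports between agent scans: once the expected value has been auto-updated, the tampered File1.txt is the new baseline and the next scan passes, so a report that only reads the latest scan never sees the change. Constructing the control with auto_update=False keeps the original baseline and the Fail persists until you update the expected value yourself.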

Handling Errors

In cases where error codes 2, 27, 28, or 45 are returned, the control posture is not marked as Error in the report. Depending on when the error is encountered (whether the base directory existed in the first scan, as shown below), the posture of the control is marked Pass or Fail.

Base directory does not exist in the 1st scan

Base directory does not exist in the 1st scan

Base directory exists in the 1st scan

Base directory exists in the 1st scan


Looking for something else?

Check out the User-Defined Controls FAQs