Configure a Directory Integrity Check (Unix)

This control checks the integrity of files and directories that you’re interested in and gives you up to the minute visibility on changes to files/directories and their permissions. It calculates hash based file integrity at the directory level, and automatically updates snapshots after changes.

The statement you provide is like the control name that describes what it is and how it should be implemented in the environment. You'll also need to decide which category the control belongs to. This is important because users can search and filter controls by category, they can also search by keywords in the statement.

These are the search parameters you want to use. You'll tell us where to start our search (the base directory) and what you want to match. 

Base Directory

The base directory is the directory you want to search. Be as specific as you can to reduce the search time (there is a time limit). Then make additional settings that tell us how many levels we should search within the directory, and what to do when we come across other file systems and symbolic links.

File/Directory Name

Use these fields to find files and directories based on the name. You'll notice that * is used by default for the File Name Include and Directory Name Include, meaning that all files will be a match.

Note - When entering a file name, be sure to include only the file name, not the path to the file. When entering a directory name, only include the directory, not a file name.

File System Object Types

Select each file system object type you want to include in the search. You can include all types or limit the search to only select types.

File Owner

Identify the users and groups that you want to match. You can identify users and groups either by name or ID. 

Exclude the users/groups (Agent Only)

Exclude options allow you to find files owned by users/groups and exclude them. Exclude options are only supported by Cloud Agent. When selected, the scan data for the control evaluation is collected by the agent and then filtered by the agent.

To exclude users, enter a comma-separated list of user names and user IDs, and select Exclude the user(s). 

To exclude groups, enter a comma-separated list of group names and group IDs, and select Exclude the group(s). 

Note that the exclude options are disabled if you choose Any User, Any Group or None.

Search Limits

You'll also want to set search limits - the max search time and the max number of results to return. We'll stop the search as soon as we hit one of these limits.


Hash Type - The digest of file/directory changes is calculated at scan time and is used for control evaluation. The hash type identifies the algorithm to be used for computing the file hash. The supported hash types are: MD5 (insecure competitive matching only) 16-byte digest, SHA1 (insecure competitive matching only) 20-byte digest, and SHA256 (Secure) 32-byte digest.

Data Type - The actual value returned for this control is a String, meaning we'll return a string value in the scan results.

Description - The control description will appear in compliance policies and reports. If you change the description at a later time, the description will be updated for all controls that use the same set of parameters.

Your control may apply to many technologies. Select each technology you're interested in and provide a rationale statement and expected value.

Time Saving Tip: If you plan to enter the same settings for each technology you only need to do it once. Make your selections in the "Default Values" section first and then select the check box for each technology you want. You'll see that the settings get copied automatically to each technology that you select.

Make these settings:

Rationale - Enter a rationale statement describing how the control should be implemented for each technology.

Expected Value - You have the following options:

Automatically set the value - The "Use scan data as expected value" option is selected for you initially. This means we’ll set the expected value for you based on the actual value returned by the scan. You'll see "regular expression" for the Operator and "USE_SCAN_VALUE" for the Default Value. 

Manually set the value - If you clear/disable the "Use scan data as expected value" option, then you can customize the directories/files that are included in snapshots used to calculate integrity and Pass/Fail status. Select from the Cardinality and Operator options listed. We recommend you set the Default Value to .* (to match any value) and then check the actual value returned by the scan in a policy report. Then you can copy/paste the actual value into your policy.

See Directory Integrity Checks - Use Scan Data as Expected Value to learn more.

Add up to 10 references for the control. These may be references to internal policies, documents and web sites. For each reference, enter a description, a URL or both. When providing a URL, you must start the URL with http://, https:// or ftp://. For example, enter to link to the Qualys web site. Once added users have the option to include references in policy reports.

You'll see the Agent Scan tab in the control when you have Cloud Agent. This tab includes options that apply only when using cloud agent scan data. See Agent UDC Support to learn about these options.


Ready to scan?

You must select this setting in the option profile you apply to your scan: Enable the Dissolvable Agent. When editing your profile, you'll see this setting under Dissolvable Agent (in the Scan section).

Quick Links

Directory Integrity Checks - Use Scan Data as Expected Value

User-Defined Controls

Regular Expressions (PCRE)

Agent UDC Support