This disclosure relates generally to the field of automated configuration management of computer systems. Computer systems frequently use a number of different files to control, manage and track the configuration and operation of system hardware and software. It is thus important for a configuration management system to track changes to files that might affect the operation of such systems or that provide important and/or sensitive information related to such operation. These files may include system configuration files, log files, critical system files, and application data files, just to name a few examples. Tracking these files may be necessary to provide configuration change audit trails, to identify unauthorized changes, to identify intrusions and intrusion attempts, and to flag and track attempted and actual alterations of audit-related files. This type of file change monitoring is sometimes referred to as “file integrity monitoring.” Existing approaches to file change monitoring include periodically parsing the files to identify changes (i.e., “polling” the files), kernel modifications that intercept write operations to the files, and agents that use execution tracing to identify write operations to the files.
One simple polling approach periodically calculates a message digest (also referred to as a checksum or hash code) based on the contents of a monitored file. If the file's hash code differs from a previously calculated and saved hash code, the file has changed and an event is generated indicating that further processing is required. This approach, however, results in events being triggered by any file change, regardless of the change's significance. A more sophisticated polling approach parses a monitored file and then models the file's content to determine whether specific file elements have been changed. This second approach avoids the lack of granularity of the first approach, and only generates events if a file element of interest has changed. Still, because both approaches use polling, there is a delay between the change occurrence and its detection. This detection latency becomes even greater as more files are monitored by a system using this approach, the polling interval being necessarily increased to reduce the load that the file monitoring tasks impose on a computer system.
The use of kernel modifications to intercept write operations directed to monitored files avoids latency issues, as write operations will immediately generate an event. Interception of write operations does not preclude modeling file contents, making it possible to identify the specific parameters being modified so that events are only generated for file element changes of interest. However, such kernel modifications are difficult to maintain across multiple platforms, as they may conflict with functional or security patches released over time by the operating system vendor. Consequently, many system users and operators may not be willing to allow such operating system modifications.
Agents that perform application tracing detect changes in monitored files by tracing the execution path of every task executing on a particular computer system and generating an event when a write-locked file handle is opened for a file of interest. While this approach also avoids polling latency issues, it can impose significant overhead on the monitored system. Furthermore, the use of an agent-based architecture, required for this approach, is not always desirable.