What are the most common files to check with File integrity monitoring software?

You should monitor (nearly) all the files.

Assuming that this system is just a hash database, then there are some files you should skip:

  • everything in /proc (there's a lot of useful stuff in here for root kit hunters though)
  • log files (there are tools which will do heuristic analysis of these files)
  • files which contain filesystems (this would include loop-back filesystems and database files - but you probably want to check the 'files' inside the file).
  • swap space

(the difficult bit is setting up a process for auditing the changes properly)
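As an added example (not part of either answer), here is a minimal hash-database monitor in Python that applies the exclusions listed above, records a baseline, and reports what changed; the concrete suffixes and the `swapfile` name used for the exclusion rules are assumptions, and `demo()` runs it against a constructed scratch tree.

```python
import hashlib
import os
import tempfile
from pathlib import Path
# Exclusions from the answer: /proc, logs, files that are filesystems, swap (names assumed).
SKIP_PREFIXES = ("/proc/",)
SKIP_SUFFIXES = (".log", ".img", ".iso", ".swp")
SKIP_NAMES = {"swapfile"}

def should_skip(path: str) -> bool:
    """True for paths the hash database should not track."""
    p = Path(path)
    return path.startswith(SKIP_PREFIXES) or p.suffix in SKIP_SUFFIXES or p.name in SKIP_NAMES

def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read in chunks so large files do not fill memory
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Record hash and mode of every regular, non-excluded file under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if not should_skip(os.path.join(dirpath, d, ""))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if should_skip(full) or os.path.islink(full) or not os.path.isfile(full):
                continue
            db[full] = {"sha256": hash_file(full), "mode": os.stat(full).st_mode}
    return db

def compare(baseline: dict, current: dict) -> dict:
    """Paths added, removed, or whose hash/mode differ from the baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

def demo() -> dict:
    """Constructed run: baseline a scratch tree, change it, report the differences."""
    root = tempfile.mkdtemp()
    Path(root, "hosts").write_text("127.0.0.1 localhost\n")
    Path(root, "messages.log").write_text("boot ok\n")  # skipped: log file
    baseline = build_baseline(root)
    Path(root, "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 cache\n")
    Path(root, "new.conf").write_text("key=value\n")
    report = compare(baseline, build_baseline(root))
    return {k: [Path(p).relative_to(root).as_posix() for p in v] for k, v in report.items()}
```

In a real deployment the baseline would be written somewhere the monitored host cannot modify, since a writable hash database is only as trustworthy as the system it describes.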


Not sure what file integrity monitoring system you're using, but most commercial file integrity monitoring systems such as Verisys and Tripwire can be configured to 'automatically' monitor the relevant files.

For example, you tell them you're running Windows Server 2008 and Microsoft SQL Server 2008, and then they monitor applicable files and registry entries.