There are now a number of commercial and open source solutions that can be used to effectively monitor the integrity of host environments. When understood and used correctly, these applications can be very helpful with detecting unauthorized change, conducting damage assessment, and preventing future attacks. With all that is involved in deploying such a system, there are some very important concepts that are often neglected, not understood, or not expressed in the documentation.
The purpose of this article is to highlight the important steps and concepts involved in deploying a host integrity monitoring system. Being aware of these concepts can mean the difference between a useful deployment, and one that is rendered ineffective or more trouble than it is worth.
This article is written with the open source host integrity applications Osiris and Samhain in mind, however the material presented is certainly not unique to these applications.