Anything under Windows and Windows/system32 is a critical file to monitor. Detecting critical binary changes, critical file permission modifications and the presence of new files in specific directories are the key objectives.
I think that you are probably correct in many respects, but I would think that there are many files in the %WINDIR% and %WINDIR%\system32 that would change as a normal operation (log files, registries, etc) or could come and go (cache files). I, too, would be interested in at least a base file list (or method like "recursively search %WINDIR%\system32 for all .exe, .dll, .ocx, and .sys files excluding directories named LogFiles") but have been unable to find one. I realize that this will differ from situation to situation, but I have to believe that there is a solidly defined starting point out there somewhere. On the other hand, I have been wrong many times before...
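As an added example (my own code, not BMC BSA's, not anything from this thread, and not a vendor template), here is the "recursively search %WINDIR%\system32 for .exe, .dll, .ocx and .sys, excluding directories named LogFiles" starting point turned into a baseline-and-compare script. The extension list and the LogFiles exclusion are taken from the post above; the demo tree it scans is constructed in a temporary directory and does not represent real Windows files.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Starting point suggested in the thread: executable/library/driver types under
# %WINDIR%\System32, skipping any directory named LogFiles. The directory name is
# compared case-insensitively because Windows paths are case-insensitive.
MONITORED_EXTENSIONS = {".exe", ".dll", ".ocx", ".sys"}
EXCLUDED_DIR_NAMES = {"logfiles"}


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Return {relative_path: {"sha256": ..., "size": ...}} for every monitored
    file below root. Files that cannot be read (locked, access denied) stay in
    the baseline with sha256=None plus the error text, so a file that later
    becomes readable, or unreadable, still shows up as a change."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d.lower() not in EXCLUDED_DIR_NAMES]
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in MONITORED_EXTENSIONS:
                continue
            key = path.relative_to(root).as_posix()
            try:
                baseline[key] = {"sha256": sha256_of(path), "size": path.stat().st_size}
            except OSError as exc:
                baseline[key] = {"sha256": None, "size": None, "error": str(exc)}
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Diff two baselines: new keys, missing keys, and keys whose hash changed."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys
                           if old[k]["sha256"] != new[k]["sha256"]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed System32-like tree (not real Windows files) showing that
    LogFiles and non-binary files are ignored and that add/modify/remove are
    each detected on the second scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "LogFiles").mkdir()
        (root / "drivers" / "disk.sys").write_bytes(b"driver v1")
        (root / "kernel32.dll").write_bytes(b"library v1")
        (root / "LogFiles" / "tool.exe").write_bytes(b"ignored: excluded dir")
        (root / "readme.txt").write_bytes(b"ignored: extension")

        first = build_baseline(root)
        save_baseline(first, root / "baseline.json")  # persist, as a scheduled job would

        # Simulate drift between two scans.
        (root / "kernel32.dll").write_bytes(b"library v2")        # modified
        (root / "new.exe").write_bytes(b"unexpected new binary")  # added
        (root / "drivers" / "disk.sys").unlink()                  # removed

        second = build_baseline(root)
        return compare_baselines(load_baseline(root / "baseline.json"), second)


if __name__ == "__main__":
    # Real use on Windows: build_baseline(Path(os.environ["WINDIR"]) / "System32")
    print(json.dumps(demo(), indent=1))
```

Run it once to write the baseline, then re-run the comparison from a scheduled task at whatever interval your policy requires; keep the saved baseline somewhere the monitored host cannot rewrite it, otherwise whoever changed the binary can also "fix" the baseline. Hashes only catch content changes; if you also need to detect permission changes on these files, record each file's ACL alongside its hash and diff that too.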
The FIM templates that are in the contrib list have a basic list of directory parts w/ the includes and excludes, I think.
Does PCI provide a list?
Thanks for the response, Bill.
In reviewing the PCI Security Standards Document v3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf), they state this:
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
Based on this, I looked to BMC's BSA to be "pre-configured with critical files for the related operating system". I haven't been able to find this though...
Sorry if I hijacked your question, Cambel. ;0$
Has anyone looked at Microsoft's Windows Resource Protection or tried to use it in a manner of meeting this requirement? It is available starting with Windows Server 2008. I wonder if there is a way to determine what files this process monitors and leverage that to meet the requirement?