What is a System Baseline?

Tuesday, September 14, 2010

Jamie Adams


As it pertains to configuration management, let’s define the baseline process.

The identification of significant states within the revision history of a configuration item is the central purpose of baseline identification.[1]

Hold up! What? Let me offer an explanation in terms most system administrators would understand.

You’re the proud parent of a teenage son or daughter. You’re about to leave them home alone for three days for the first time. Before you leave, you take detailed photographs of each room in your house.

When you return, you walk into each room with photographs in hand and examine the room carefully to see if anything has changed. To ground or not ground, that is the question.

Now, fast-forward to the present. You’ve just finished building a series of complex systems hosting an important application. You’ve locked down the systems and passed all of the required security audits and your application is working. So, this is the initial state, good state if you will.

At this point, you would want to take that photograph. Just to name a few things, this photograph should include a detailed inventory of installed software packages and versions, a list of critical files, networking configuration, and general hardware configuration.

As time marches forward, you may have new software updates, removals, additions, and new administrators. All of these could potentially change the behavior of your system which you worked so hard to configure.

When a system or application malfunctions, system administrators immediately begin the fault management process which consists of identification, isolation, and remediation.

Like most administrators, my first response is always “What changed?!?! It was working just fine yesterday!”

Wouldn’t it be cool to quickly take another photograph and compare it to the one you took when everything was working correctly, the good state? This is typically referred to as a “baseline comparison” and it can help identify or eliminate configuration changes as the culprit.

As a best practice, system administrators should periodically perform a baseline comparison to identify changes that could potentially become a fault. In the case of authorized, expected changes the baseline comparison can be used as evidence to your change management process that in fact, a specific change has been completed.

Of course, if all of the changes were authorized you would now consider the last photograph (baseline) as the current, good state.

In many high-availability configurations, you may have systems working in parallel or as a simple fail-over configuration. In these situations, it is critical that the two system configurations be as similar as possible.

So, it would be pretty cool if the baseline (photograph) was in a structured format that allowed the comparison of two systems. Well, Security Blanket can do all of these things for you.

Tracking File Changes

In addition to tracking changes to your network interfaces, routing, hardware, and firewall configuration (iptables) you must monitor critical system configuration files, libraries, and executables.

Not only must you track the ownership and permissions of these files you must be able to detect if the contents have changed.

The most common method of tracking file changes is to record the cryptographic check sum. This is typically done through the use of a cryptographic hash such as SHA1 and the resultant, hexadecimal string is recorded. This is most often referred to as the file’s fingerprint.

Consider the following scenario. Bring up a terminal window and execute the following command:

$ openssl sha1 /etc/hosts SHA1(/etc/hosts)= 8117e722ee3c230be6b68b2c1bebc955bfa62e31

Now edit your /etc/hosts and add an extra space or character anywhere in the file. Execute the above command again and notice the long, hexadecimal string has changed.

By default, when you perform a baseline with Security Blanket it records fingerprints (SHA1) of all files in /etc, /bin, /usr/bin, /usr/sbin, /sbin, and others. This process takes about thirty to sixty seconds depending on the speed of your machine.

Additionally, Security Blanket offers a configurable exclusion list. The directories included in this list will not be inventoried. This is useful in large systems which have shared, attached storage.


Several organizations which provide guidance on secure configurations recommend monitoring configuration changes. In particular “Critical Control 2: Inventory of Authorized and Unauthorized Software”[2] and the U.S. Defense Information Systems Agency UNIX Security Technical Implementation Guide (DISA UNIX STIG). Specifically, the DISA UNIX STIG recommends:

Create & Maintain a System Baseline to help maintain system integrity:

  • GEN000140 - Create and Maintain System Baseline: "Confirm with the SA that a system baseline (all device files, all sgid and suid files, and system libraries and binaries), to include cryptographic hashes of files in the baseline, has been created and is maintained."
  • GEN002380 - SUID Files Baseline
  • GEN002440 - SGID Files Baseline: "If the ownership, permissions, and location of files with the sgid/suid bit set are not baselined with the IAO, then this is a finding."
Once you have created your baseline, move a copy of this baseline off of the system to protect it.
  • GEN000160 – System Baseline Backup on Write-protected Media
Periodically check the system configuration (at least once a week):
  • GEN000220 - System Baseline for System Libraries and Binaries Checking
  • GEN002400 - System Baseline for SUID Files Checkling
  • GEN002460 - System Baseline for SGID Files Checking: "Confirm with the SA that filesystems are checked at least weekly for unauthorized system libraries or binaries or unauthorized modification to authorized system libraries or binaries."
  • GEN002260 - System Baseline for Device Files Checking: "If the system is not checked weekly against the system baseline for extraneous device files, then this is a finding. Ask the SA to show the previous weeks baseline of files."

Performing system baselines can be very helpful and Security Blanket®’s baselining feature compliments its system lock down and assessment technology. Security Blanket's Enterprise Edition will centralize this function and allow you to compare the same machine at any two points in time (states) or two different machines at any two points in time.

Cross-posted from Security Blanket Technical Blog


[1] CMMI Product Team, “Chpt 7, Maturity Level 2: Managed, Configuration Management, SP 1.3,”, in Capability Maturity Model Integration, Version 1.1 (CMMI-SE/SW/IPPD/SS, V1.1): Staged Representation, Carnegie Mellon Software Engineering Institute.

[2] Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines, v2.0, http://www.sans.org/cag/

Possibly Related Articles:
Information Security
Security Management Event Logging
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.