文件完整性管理概述

什么是文件完整性管理

文件完整性管理功能可实时监控服务器上的关键文件和目录，对创建、修改、删除、移动文件或目录，以及修改文件或目录属性的操作进行告警并记录，有助于用户及时发现可能的攻击性更改。

文件完整性监控原理

通过比对上一次扫描的文件状态和当前文件状态，分析确定文件是否遭到可疑的更改。

文件完整性监控范围

不同操作系统的监控内容和范围如下：

Linux文件完整性监控支持以下两种监控模式：

关键文件完整性检测
实时监控系统关键文件（例如：ls、ps、login、top等），对修改文件内容的操作进行告警并记录，提醒用户关键文件可能被篡改。默认监控文件请参见表1。
关键文件目录变更检测
监控系统文件或目录，对创建、修改、删除、移动文件或目录，以及修改文件或目录属性的操作进行记录，提醒用户文件或目录可能被篡改。默认监控路径日常运营模式请参见表2，护网重保模式请参见表3。

如果您需要自定义添加或删除监控的文件、目录路径，可以修改“文件保护”策略中的“关键文件完整性检测”和“关键文件目录变更检测”部分的内容，详细操作请参考配置策略。

表1 Linux关键文件完整性检测默认监控文件
类型	监控文件
bin	/bin/ls /bin/ps /bin/bash /bin/login
usr	/usr/bin/ls /usr/bin/ps /usr/bin/bash /usr/bin/login /usr/bin/passwd /usr/bin/top /usr/bin/killall /usr/bin/ssh /usr/bin/wget /usr/bin/curl

表2 Linux关键文件目录变更检测默认监控路径（日常运营模式）
文件或目录路径	别名	监控类型
文件或目录路径	别名	监控子目录	监控创建	监控修改属性	监控删除	监控移动	监控修改
/etc/rc.d/rc.local	rx-local	×	√	×	√	√	√
/etc/crontab	crontab	×	√	×	√	√	√
/var/spool/cron/root	spool-cron	×	√	×	√	√	√
/var/spool/cron/crontabs/root	spool-cron	×	√	×	√	√	√
/etc/cron.allow	cron-allow	×	√	×	√	√	√
/etc/passwd	passwd	×	√	×	√	√	√
/etc/profile.d/zzz_euleros_history.sh	zzz_euleros_history_sh	×	√	×	√	√	√
/etc/profile	profile	×	√	×	√	√	√
/root/.bashrc	bashrc	×	√	×	√	√	√
/root/.bash_profile	bash_profile	×	√	×	√	√	√
/root/.cshrc	cshrc	×	√	×	√	√	√
/etc/ld.so.preload	so_preload	×	√	×	√	√	√
/etc/profile.d/sec_euleros_history.sh	sec_euleros_history_sh	×	√	×	√	√	√
/etc/shells	shells	×	√	×	√	√	√
/usr/sbin/adduser	usr_sbin_adduser	×	√	×	√	√	√
/usr/sbin/chkconfig	usr_sbin_chkconfig	×	√	×	√	√	√
/usr/sbin/chroot	usr_sbin_chroot	×	√	×	√	√	√
/usr/sbin/depmod	usr_sbin_depmod	×	√	×	√	√	√
/usr/sbin/fsck	usr_sbin_fsck	×	√	×	√	√	√
/usr/sbin/fuser	usr_sbin_fuser	×	√	×	√	√	√
/usr/sbin/groupadd	usr_sbin_groupadd	×	√	×	√	√	√
/usr/sbin/groupdel	usr_sbin_groupdel	×	√	×	√	√	√
/usr/sbin/groupmod	usr_sbin_groupmod	×	√	×	√	√	√
/usr/sbin/grpck	usr_sbin_grpck	×	√	×	√	√	√
/usr/sbin/ifconfig	usr_sbin_ifconfig	×	√	×	√	√	√
/usr/sbin/ifdown	usr_sbin_ifdown	×	√	×	√	√	√
/usr/sbin/ifup	usr_sbin_ifup	×	√	×	√	√	√
/usr/sbin/init	usr_sbin_init	×	√	×	√	√	√
/usr/sbin/insmod	usr_sbin_insmod	×	√	×	√	√	√
/usr/sbin/ip	usr_sbin_ip	×	√	×	√	√	√
/usr/sbin/lsmod	usr_sbin_lsmod	×	√	×	√	√	√
/usr/sbin/lsof	usr_sbin_lsof	×	√	×	√	√	√
/usr/sbin/modinfo	usr_sbin_modinfo	×	√	×	√	√	√
/usr/sbin/modprobe	usr_sbin_modprobe	×	√	×	√	√	√
/usr/sbin/nologin	usr_sbin_nologin	×	√	×	√	√	√
/usr/sbin/pwck	usr_sbin_pwck	×	√	×	√	√	√
/usr/sbin/rmmod	usr_sbin_rmmod	×	√	×	√	√	√
/usr/sbin/route	usr_sbin_route	×	√	×	√	√	√
/usr/sbin/rsyslogd	usr_sbin_rsyslogd	×	√	×	√	√	√
/usr/sbin/runlevel	usr_sbin_runlevel	×	√	×	√	√	√
/usr/sbin/sestatus	usr_sbin_sestatus	×	√	×	√	√	√
/usr/sbin/sshd	usr_sbin_sshd	×	√	×	√	√	√
/usr/sbin/sulogin	usr_sbin_sulogin	×	√	×	√	√	√
/usr/sbin/sysctl	usr_sbin_sysctl	×	√	×	√	√	√
/usr/sbin/useradd	usr_sbin_useradd	×	√	×	√	√	√
/usr/sbin/userdel	usr_sbin_userdel	×	√	×	√	√	√
/usr/sbin/usermod	usr_sbin_usermod	×	√	×	√	√	√
/usr/sbin/vipw	usr_sbin_vipw	×	√	×	√	√	√
/usr/bin/awk	usr_bin_awk	×	√	×	√	√	√
/usr/bin/basename	usr_bin_basename	×	√	×	√	√	√
/usr/bin/bash	usr_bin_bash	×	√	×	√	√	√
/usr/bin/cat	usr_bin_cat	×	√	×	√	√	√
/usr/bin/chattr	usr_bin_chattr	×	√	×	√	√	√
/usr/bin/chmod	usr_bin_chmod	×	√	×	√	√	√
/usr/bin/chown	usr_bin_chown	×	√	×	√	√	√
/usr/bin/cp	usr_bin_cp	×	√	×	√	√	√
/usr/bin/curl	usr_bin_curl	×	√	×	√	√	√
/usr/bin/cut	usr_bin_cut	×	√	×	√	√	√
/usr/bin/date	usr_bin_date	×	√	×	√	√	√
/usr/bin/df	usr_bin_df	×	√	×	√	√	√
/usr/bin/diff	usr_bin_diff	×	√	×	√	√	√
/usr/bin/dirname	usr_bin_dirname	×	√	×	√	√	√
/usr/bin/dmesg	usr_bin_dmesg	×	√	×	√	√	√
/usr/bin/du	usr_bin_du	×	√	×	√	√	√
/usr/bin/echo	usr_bin_echo	×	√	×	√	√	√
/usr/bin/ed	usr_bin_ed	×	√	×	√	√	√
/usr/bin/egrep	usr_bin_egrep	×	√	×	√	√	√
/usr/bin/env	usr_bin_env	×	√	×	√	√	√
/usr/bin/fgrep	usr_bin_fgrep	×	√	×	√	√	√
/usr/bin/file	usr_bin_file	×	√	×	√	√	√
/usr/bin/find	usr_bin_find	×	√	×	√	√	√
/usr/bin/grep	usr_bin_grep	×	√	×	√	√	√
/usr/bin/groups	usr_bin_groups	×	√	×	√	√	√
/usr/bin/head	usr_bin_head	×	√	×	√	√	√
/usr/bin/id	usr_bin_id	×	√	×	√	√	√
/usr/bin/ipcs	usr_bin_ipcs	×	√	×	√	√	√
/usr/bin/kill	usr_bin_kill	×	√	×	√	√	√
/usr/bin/killall	usr_bin_killall	×	√	×	√	√	√
/usr/bin/last	usr_bin_last	×	√	×	√	√	√
/usr/bin/lastlog	usr_bin_lastlog	×	√	×	√	√	√
/usr/bin/ldd	usr_bin_ldd	×	√	×	√	√	√
/usr/bin/less	usr_bin_less	×	√	×	√	√	√
/usr/bin/logger	usr_bin_logger	×	√	×	√	√	√
/usr/bin/login	usr_bin_login	×	√	×	√	√	√
/usr/bin/ls	usr_bin_ls	×	√	×	√	√	√
/usr/bin/lsattr	usr_bin_lsattr	×	√	×	√	√	√
/usr/bin/mail	usr_bin_mail	×	√	×	√	√	√
/usr/bin/md5sum	usr_bin_md5sum	×	√	×	√	√	√
/usr/bin/mktemp	usr_bin_mktemp	×	√	×	√	√	√
/usr/bin/more	usr_bin_more	×	√	×	√	√	√
/usr/bin/mount	usr_bin_mount	×	√	×	√	√	√
/usr/bin/mv	usr_bin_mv	×	√	×	√	√	√
/usr/bin/netstat	usr_bin_netstat	×	√	×	√	√	√
/usr/bin/newgrp	usr_bin_newgrp	×	√	×	√	√	√
/usr/bin/passwd	usr_bin_passwd	×	√	×	√	√	√
/usr/bin/perl	usr_bin_perl	×	√	×	√	√	√
/usr/bin/pgrep	usr_bin_pgrep	×	√	×	√	√	√
/usr/bin/ping	usr_bin_ping	×	√	×	√	√	√
/usr/bin/pkill	usr_bin_pkill	×	√	×	√	√	√
/usr/bin/ps	usr_bin_ps	×	√	×	√	√	√
/usr/bin/pstree	usr_bin_pstree	×	√	×	√	√	√
/usr/bin/pwd	usr_bin_pwd	×	√	×	√	√	√
/usr/bin/readlink	usr_bin_readlink	×	√	×	√	√	√
/usr/bin/rpm	usr_bin_rpm	×	√	×	√	√	√
/usr/bin/runcon	usr_bin_runcon	×	√	×	√	√	√
/usr/bin/sed	usr_bin_sed	×	√	×	√	√	√
/usr/bin/sh	usr_bin_sh	×	√	×	√	√	√
/usr/bin/sha1sum	usr_bin_sha1sum	×	√	×	√	√	√
/usr/bin/sha224sum	usr_bin_sha224sum	×	√	×	√	√	√
/usr/bin/sha256sum	usr_bin_sha256sum	×	√	×	√	√	√
/usr/bin/sha384sum	usr_bin_sha384sum	×	√	×	√	√	√
/usr/bin/sha512sum	usr_bin_sha512sum	×	√	×	√	√	√
/usr/bin/size	usr_bin_size	×	√	×	√	√	√
/usr/bin/sort	usr_bin_sort	×	√	×	√	√	√
/usr/bin/ssh	usr_bin_ssh	×	√	×	√	√	√
/usr/bin/stat	usr_bin_stat	×	√	×	√	√	√
/usr/bin/strace	usr_bin_strace	×	√	×	√	√	√
/usr/bin/strings	usr_bin_strings	×	√	×	√	√	√
/usr/bin/su	usr_bin_su	×	√	×	√	√	√
/usr/bin/sudo	usr_bin_sudo	×	√	×	√	√	√
/usr/bin/tail	usr_bin_tail	×	√	×	√	√	√
/usr/bin/test	usr_bin_test	×	√	×	√	√	√
/usr/bin/top	usr_bin_top	×	√	×	√	√	√
/usr/bin/touch	usr_bin_touch	×	√	×	√	√	√
/usr/bin/tr	usr_bin_tr	×	√	×	√	√	√
/usr/bin/uname	usr_bin_uname	×	√	×	√	√	√
/usr/bin/uniq	usr_bin_uniq	×	√	×	√	√	√
/usr/bin/users	usr_bin_users	×	√	×	√	√	√
/usr/bin/vmstat	usr_bin_vmstat	×	√	×	√	√	√
/usr/bin/w	usr_bin_w	×	√	×	√	√	√
/usr/bin/watch	usr_bin_watch	×	√	×	√	√	√
/usr/bin/wc	usr_bin_wc	×	√	×	√	√	√
/usr/bin/wget	usr_bin_wget	×	√	×	√	√	√
/usr/bin/whatis	usr_bin_whatis	×	√	×	√	√	√
/usr/bin/whereis	usr_bin_whereis	×	√	×	√	√	√
/usr/bin/which	usr_bin_which	×	√	×	√	√	√
/usr/bin/who	usr_bin_who	×	√	×	√	√	√
/usr/bin/whoami	usr_bin_whoami	×	√	×	√	√	√
/usr/bin/numfmt	usr_bin_numfmt	×	√	×	√	√	√
/usr/bin/kmod	usr_bin_kmod	×	√	×	√	√	√
/usr/bin/systemctl	usr_bin_systemctl	×	√	×	√	√	√
/usr/bin/gawk	usr_bin_gawk	×	√	×	√	√	√
/usr/bin/mailx	usr_bin_mailx	×	√	×	√	√	√
/usr/lib/systemd/systemd	usr_lib_systemd_systemd	×	√	×	√	√	√
/usr/bin/nmcli	usr_bin_nmcli	×	√	×	√	√	√
/usr/bin/scp	usr_bin_scp	×	√	×	√	√	√
/usr/bin/tar	usr_bin_tar	×	√	×	√	√	√
/usr/bin/chfn	usr_bin_chfn	×	√	×	√	√	√
/usr/bin/chsh	usr_bin_chsh	×	√	×	√	√	√
/usr/bin/crontab	usr_bin_crontab	×	√	×	√	√	√
/usr/sbin/pidof	usr_sbin_pidof	×	√	×	√	√	√
/usr/bin/slogin	usr_bin_slogin	×	√	×	√	√	√
/usr/sbin/sendmail	usr_sbin_sendmail	×	√	×	√	√	√
/usr/sbin/tcpdump	usr_sbin_tcpdump	×	√	×	√	√	√
/sbin/adduser	sbin_adduser	×	√	×	√	√	√
/sbin/chkconfig	sbin_chkconfig	×	√	×	√	√	√
/sbin/chroot	sbin_chroot	×	√	×	√	√	√
/sbin/depmod	sbin_depmod	×	√	×	√	√	√
/sbin/fsck	sbin_fsck	×	√	×	√	√	√
/sbin/fuser	sbin_fuser	×	√	×	√	√	√
/sbin/groupadd	sbin_groupadd	×	√	×	√	√	√
/sbin/groupdel	sbin_groupdel	×	√	×	√	√	√
/sbin/groupmod	sbin_groupmod	×	√	×	√	√	√
/sbin/grpck	sbin_grpck	×	√	×	√	√	√
/sbin/ifconfig	sbin_ifconfig	×	√	×	√	√	√
/sbin/ifdown	sbin_ifdown	×	√	×	√	√	√
/sbin/ifup	sbin_ifup	×	√	×	√	√	√
/sbin/init	sbin_init	×	√	×	√	√	√
/sbin/insmod	sbin_insmod	×	√	×	√	√	√
/sbin/ip	sbin_ip	×	√	×	√	√	√
/sbin/lsmod	sbin_lsmod	×	√	×	√	√	√
/sbin/lsof	sbin_lsof	×	√	×	√	√	√
/sbin/modinfo	sbin_modinfo	×	√	×	√	√	√
/sbin/modprobe	sbin_modprobe	×	√	×	√	√	√
/sbin/nologin	sbin_nologin	×	√	×	√	√	√
/sbin/pwck	sbin_pwck	×	√	×	√	√	√
/sbin/rmmod	sbin_rmmod	×	√	×	√	√	√
/sbin/route	sbin_route	×	√	×	√	√	√
/sbin/rsyslogd	sbin_rsyslogd	×	√	×	√	√	√
/sbin/runlevel	sbin_runlevel	×	√	×	√	√	√
/sbin/sestatus	sbin_sestatus	×	√	×	√	√	√
/sbin/sshd	sbin_sshd	×	√	×	√	√	√
/sbin/sulogin	sbin_sulogin	×	√	×	√	√	√
/sbin/sysctl	sbin_sysctl	×	√	×	√	√	√
/sbin/useradd	sbin_useradd	×	√	×	√	√	√
/sbin/userdel	sbin_userdel	×	√	×	√	√	√
/sbin/usermod	sbin_usermod	×	√	×	√	√	√
/sbin/vipw	sbin_vipw	×	√	×	√	√	√
/sbin/pidof	sbin_pidof	×	√	×	√	√	√
/sbin/sendmail	sbin_sendmail	×	√	×	√	√	√
/sbin/tcpdump	sbin_tcpdump	×	√	×	√	√	√
/usr/bin/vdir	usr_bin_vdir	×	√	×	√	√	√
/usr/bin/write	usr_bin_write	×	√	×	√	√	√
/bin/awk	bin_awk	×	√	×	√	√	√
/bin/basename	bin_basename	×	√	×	√	√	√
/bin/bash	bin_bash	×	√	×	√	√	√
/bin/cat	bin_cat	×	√	×	√	√	√
/bin/chattr	bin_chattr	×	√	×	√	√	√
/bin/chmod	bin_chmod	×	√	×	√	√	√
/bin/chown	bin_chown	×	√	×	√	√	√
/bin/cp	bin_cp	×	√	×	√	√	√
/bin/curl	bin_curl	×	√	×	√	√	√
/bin/cut	bin_cut	×	√	×	√	√	√
/bin/date	bin_date	×	√	×	√	√	√
/bin/df	bin_df	×	√	×	√	√	√
/bin/diff	bin_diff	×	√	×	√	√	√
/bin/dirname	bin_dirname	×	√	×	√	√	√
/bin/dmesg	bin_dmesg	×	√	×	√	√	√
/bin/du	bin_du	×	√	×	√	√	√
/bin/echo	bin_echo	×	√	×	√	√	√
/bin/ed	bin_ed	×	√	×	√	√	√
/bin/egrep	bin_egrep	×	√	×	√	√	√
/bin/env	bin_env	×	√	×	√	√	√
/bin/fgrep	bin_fgrep	×	√	×	√	√	√
/bin/file	bin_file	×	√	×	√	√	√
/bin/find	bin_find	×	√	×	√	√	√
/bin/grep	bin_grep	×	√	×	√	√	√
/bin/groups	bin_groups	×	√	×	√	√	√
/bin/head	bin_head	×	√	×	√	√	√
/bin/id	bin_id	×	√	×	√	√	√
/bin/ipcs	bin_ipcs	×	√	×	√	√	√
/bin/kill	bin_kill	×	√	×	√	√	√
/bin/killall	bin_killall	×	√	×	√	√	√
/bin/last	bin_last	×	√	×	√	√	√
/bin/lastlog	bin_lastlog	×	√	×	√	√	√
/bin/ldd	bin_ldd	×	√	×	√	√	√
/bin/less	bin_less	×	√	×	√	√	√
/bin/logger	bin_logger	×	√	×	√	√	√
/bin/login	bin_login	×	√	×	√	√	√
/bin/ls	bin_ls	×	√	×	√	√	√
/bin/lsattr	bin_lsattr	×	√	×	√	√	√
/bin/mail	bin_mail	×	√	×	√	√	√
/bin/md5sum	bin_md5sum	×	√	×	√	√	√
/bin/mktemp	bin_mktemp	×	√	×	√	√	√
/bin/more	bin_more	×	√	×	√	√	√
/bin/mount	bin_mount	×	√	×	√	√	√
/bin/mv	bin_mv	×	√	×	√	√	√
/bin/netstat	bin_netstat	×	√	×	√	√	√
/bin/newgrp	bin_newgrp	×	√	×	√	√	√
/bin/passwd	bin_passwd	×	√	×	√	√	√
/bin/perl	bin_perl	×	√	×	√	√	√
/bin/pgrep	bin_pgrep	×	√	×	√	√	√
/bin/ping	bin_ping	×	√	×	√	√	√
/bin/pkill	bin_pkill	×	√	×	√	√	√
/bin/ps	bin_ps	×	√	×	√	√	√
/bin/pstree	bin_pstree	×	√	×	√	√	√
/bin/pwd	bin_pwd	×	√	×	√	√	√
/bin/readlink	bin_readlink	×	√	×	√	√	√
/bin/rpm	bin_rpm	×	√	×	√	√	√
/bin/runcon	bin_runcon	×	√	×	√	√	√
/bin/sed	bin_sed	×	√	×	√	√	√
/bin/sh	bin_sh	×	√	×	√	√	√
/bin/sha1sum	bin_sha1sum	×	√	×	√	√	√
/bin/sha224sum	bin_sha224sum	×	√	×	√	√	√
/bin/sha256sum	bin_sha256sum	×	√	×	√	√	√
/bin/sha384sum	bin_sha384sum	×	√	×	√	√	√
/bin/sha512sum	bin_sha512sum	×	√	×	√	√	√
/bin/size	bin_size	×	√	×	√	√	√
/bin/sort	bin_sort	×	√	×	√	√	√
/bin/ssh	bin_ssh	×	√	×	√	√	√
/bin/stat	bin_stat	×	√	×	√	√	√
/bin/strace	bin_strace	×	√	×	√	√	√
/bin/strings	bin_strings	×	√	×	√	√	√
/bin/su	bin_su	×	√	×	√	√	√
/bin/sudo	bin_sudo	×	√	×	√	√	√
/bin/tail	bin_tail	×	√	×	√	√	√
/bin/test	bin_test	×	√	×	√	√	√
/bin/top	bin_top	×	√	×	√	√	√
/bin/touch	bin_touch	×	√	×	√	√	√
/bin/tr	bin_tr	×	√	×	√	√	√
/bin/uname	bin_uname	×	√	×	√	√	√
/bin/uniq	bin_uniq	×	√	×	√	√	√
/bin/users	bin_users	×	√	×	√	√	√
/bin/vmstat	bin_vmstat	×	√	×	√	√	√
/bin/w	bin_w	×	√	×	√	√	√
/bin/watch	bin_watch	×	√	×	√	√	√
/bin/wc	bin_wc	×	√	×	√	√	√
/bin/wget	bin_wget	×	√	×	√	√	√
/bin/whatis	bin_whatis	×	√	×	√	√	√
/bin/whereis	bin_whereis	×	√	×	√	√	√
/bin/which	bin_which	×	√	×	√	√	√
/bin/who	bin_who	×	√	×	√	√	√
/bin/whoami	bin_whoami	×	√	×	√	√	√
/bin/numfmt	bin_numfmt	×	√	×	√	√	√
/bin/kmod	bin_kmod	×	√	×	√	√	√
/bin/systemctl	bin_systemctl	×	√	×	√	√	√
/bin/gawk	bin_gawk	×	√	×	√	√	√
/bin/mailx	bin_mailx	×	√	×	√	√	√
/bin/nmcli	bin_nmcli	×	√	×	√	√	√
/bin/scp	bin_scp	×	√	×	√	√	√
/bin/tar	bin_tar	×	√	×	√	√	√
/bin/chfn	bin_chfn	×	√	×	√	√	√
/bin/chsh	bin_chsh	×	√	×	√	√	√
/bin/crontab	bin_crontab	×	√	×	√	√	√
/bin/slogin	bin_slogin	×	√	×	√	√	√
/bin/vdir	bin_vdir	×	√	×	√	√	√
/bin/write	bin_write	×	√	×	√	√	√

表3 Linux关键文件目录变更检测默认监控路径（护网/重保模式）
文件或目录路径	别名	监控类型
文件或目录路径	别名	监控子目录	监控创建	监控修改属性	监控删除	监控移动	监控修改
/etc/init.d	startup	√	√	√	√	√	√
/etc/rc.d/init.d	rc-startup	√	√	√	√	√	√
/etc/rc.d/rc.local	rx-local	×	√	√	√	√	√
/etc/systemd/system	system	√	√	√	√	√	√
/etc/systemd/user	user	√	√	√	√	√	√
/etc/crontab	crontab	×	√	√	√	√	√
/var/spool/cron	spool-cron	×	√	√	√	√	√
/etc/cron.daily	cron-daily	√	√	√	√	√	√
/etc/cron.hourly	cron-hourly	√	√	√	√	√	√
/etc/cron.monthly	cron.monthly	√	√	√	√	√	√
/etc/cron.weekly	cron.weekly	√	√	√	√	√	√
/etc/cron.allow	cron.allow	×	√	√	√	√	√
/etc/passwd	passwd	×	√	√	√	√	√
/etc/profile.d/zzz_euleros_history.sh	zzz_euleros_history.sh	×	√	√	√	√	√
/etc/profile	profile	×	√	√	√	√	√
/root/.bashrc	bashrc	×	√	√	√	√	√
/root/.bash_profile	bash_profile	×	√	√	√	√	√
/root/.cshrc	cshrc	×	√	√	√	√	√
/etc/ld.so.preload	so.preload	×	√	√	√	√	√
/etc/profile.d/sec_euleros_history.sh	sec_euleros_history_sh	×	√	√	√	√	√
/etc/shells	shells	×	√	√	√	√	√
/usr/bin	bin	×	√	√	√	√	√
/bin	bin	×	√	√	√	√	√
/usr/sbin	sbin	×	√	√	√	√	√
/sbin	sbin	×	√	√	√	√	√
/usr/lib	lib	×	√	√	√	√	√
/lib	lib	×	√	√	√	√	√
/usr/lib64	lib64	×	√	√	√	√	√
/lib64	lib64	×	√	√	√	√	√

Windows文件完整性监控对关键文件目录变更进行检测，监控系统文件或目录，对创建、修改、删除、移动文件或目录的操作进行记录，提醒用户文件或目录可能被篡改。默认监控路径请参见表4。

如果您需要自定义添加或删除监控的文件、目录路径，可以修改“文件保护”策略，详细操作请参考配置策略。

表4 Windows关键文件目录变更检测默认监控路径
文件或目录路径	别名	监控类型
文件或目录路径	别名	监控子目录	文件类型后缀	监控创建	监控删除	监控移动	监控修改
c:\Windows	windows	×	exe、dll、ocx、sys、cmd、com、vbs、bat	√	√	√	√
C:\Windows\System32	system32	×	exe、dll、ocx、sys、cmd、com、vbs、bat	√	√	√	√
C:\Windows\SysWOW64	SysWOW64	×	exe、dll、ocx、sys、cmd、com、vbs、bat	√	√	√	√
C:\Windows\System32\drivers	drivers	×	sys	√	√	√	√
C:\Windows\System32\drivers\etc	etc	×	无	√	√	√	√

约束与限制

文件完整性管理功能仅企业主机安全专业版、企业版、旗舰版、网页防篡改版、容器版支持。购买和升级企业主机安全的操作，请参见购买主机安全防护配额和升级防护配额。

意见反馈

文档内容是否对您有帮助？

有帮助没帮助

提供反馈

提交成功！非常感谢您的反馈，我们会继续努力做到更好！您可在我的云声建议查看反馈及问题处理状态。

系统繁忙，请稍后重试

如您有其它疑问，您也可以通过华为云社区问答频道来与我们联系探讨

云宝助手提问云社区提问