File Integrity Monitoring

Four Clover employs a vigilant and proactive approach to file integrity monitoring, ensuring the security and authenticity of files and directories within a system. The tool achieves this through the following steps:

1. Hash-Based Verification:

   • Four Clover calculates hash values (digests) of files using selected cryptographic hash algorithms (e.g., sha256, md5).

   • These hash values are unique representations of the file's content. Even a minor change in the file content results in a significantly different hash value.

2. Initial Scan and Baseline Creation:

   • During the initial scan, Four Clover computes hash values for all files in the specified directories.

   • These computed hash values create a baseline or "fingerprint" for each file, representing their original and unaltered state.

3. Continuous Monitoring:

   • Four Clover regularly rescans the specified directories, recalculating hash values for all files.

   • It compares the newly computed hash values with the baseline hash values.

4. Change Detection:

   • If the computed hash value of a file differs from its baseline hash value, Four Clover detects a change.

   • This change could be due to unauthorized modifications, tampering, or any form of alteration.

5. Alerts and Reporting:

   • When a change is detected, Four Clover generates alerts or notifications to inform administrators or security personnel.

   • Detailed reports are generated, outlining the nature of the change, affected files, and relevant metadata.

6. Comparative Analysis:

   • Four Clover allows users to compare scan reports to identify changes between different timeframes.

   • This feature aids in identifying trends, patterns, and discrepancies in file changes.

Supported Hash Algorithms for File Verification:

Four Clover supports a diverse range of cryptographic hash algorithms for file verification, including but not limited to:

• blake2b-256

• blake2b-512

• sha256

• sha1

• md5

Users can choose the hash algorithm that aligns with their security requirements and performance considerations. Selecting a strong hash algorithm enhances the tool's ability to detect unauthorized changes effectively.

Comparative Analysis

Comparing two scan reports using Four Clover allows you to identify changes and modifications that have occurred between different scans. Here's how you can perform a comparative analysis and understand the comparison report:

Policy-Based Scanning

Policy-based scanning in Four Clover allows you to establish predefined sets of rules and conditions for scans, enabling automated checks for compliance and security. Here's how you can define policies, create policy files, and perform scans based on those policies:

Defining Policies:

• Policies consist of rules that define specific conditions files must adhere to.

• Define policies based on your organization's security requirements and compliance standards.

Creating Policy Files:

• Create policy files using YAML format, specifying rules and their attributes.

• Each policy file contains multiple rules that are applied during scanning.

Specifying Conditions with Rules:

• Each rule within a policy file defines conditions that files must meet.

• Simple rule type simplifies the rule definition process by focusing on simple pattern matching with predefined patterns. It's more streamlined and easier to set up, making it suitable for cases where you have a well-defined set of patterns you want to check for in your file. This type of rule is more suitable when you're looking for a quick and straightforward way to catch common issues or vulnerabilities without the need for extensive customizations.