Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term System Integrity Check

Training Camp • Cybersecurity Glossary

What is System Integrity Check?

A verification that files, configs, and software are unaltered, typically by comparing cryptographic hashes to known-good baselines to detect tampering.

Glossary > Security Operations > System Integrity Check

Understanding System Integrity Check

A system integrity check is a security process that verifies a system's files, configurations, and software have not been altered, corrupted, or tampered with since a trusted baseline. It detects unauthorized changes, such as those caused by malware, intrusions, or misconfiguration, by comparing current values against known-good reference values, usually cryptographic hashes.

Mechanically, the process computes hash values (using algorithms like SHA-256) for critical files and stores them as a trusted baseline. On each subsequent check, it recomputes the hashes and compares them; any mismatch indicates the file changed. File integrity monitoring (FIM) tools such as Tripwire or AIDE automate this, alerting on additions, deletions, or modifications. Related mechanisms include Secure Boot and measured boot, which verify firmware and bootloader integrity using signatures and TPM-recorded measurements, and code signing, which validates that software comes from a trusted source and is unmodified.

This matters because attackers who gain access often modify system files to install backdoors, rootkits, or persistence mechanisms, and may try to hide their tracks. Integrity checking exposes these changes that signature-based antivirus might miss, supports incident detection and forensic investigation, and demonstrates compliance with frameworks like PCI DSS, which explicitly requires file integrity monitoring on critical systems. Without it, silent tampering can go undetected for long periods.

For example, a hardened web server runs a file integrity monitor that baselines hashes of system binaries and web application files. An attacker exploits a vulnerability and replaces a legitimate executable with a trojaned version that opens a reverse shell. During the next scheduled scan, the recomputed SHA-256 hash of that binary no longer matches the stored baseline, and the FIM tool immediately alerts the security team. They isolate the host, confirm the compromise from the changed-file report, and begin remediation, catching an intrusion that left no other obvious trace.

Learn More About System Integrity Check:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →