#49 | SECURITY | PROTECT | Elite
Config Drift Detection
Detect unauthorized changes
Hard
Overview
Monitor system configuration and detect changes from baseline. Alert on unexpected modifications.
Why It Matters
Catch changes that bypassed your change process. File integrity monitoring is the core mechanism.
The Risk
Without drift detection, unauthorized changes go unnoticed. Attackers modify configurations to maintain persistence. Manual 'quick fixes' create snowflake servers.
Implementation Components
A complete implementation of this capability includes:
- Baseline configuration defined and stored
- File integrity monitoring (AIDE, Tripwire)
- Daily checks against baseline
- Alerts on unexpected changes
- Integration with config-as-code for authorized changes
- Incident response process for drift
Implementation Pattern
1. Define baseline configuration
2. Monitor critical files
3. Hash and compare configs
4. Alert on changes
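The four steps above as one runnable script. This is an added example written for this card, not a tool from the page: it fingerprints each monitored file (SHA-256 of the content plus mode and owner, since attackers tamper with permissions as well as contents), stores the baseline as JSON, and on a later run reports added, removed and modified files. The `authorized` set stands in for the list of paths your config-as-code pipeline just changed, so expected changes are reported but not alerted on. The file names, the `*.conf`/`*.cfg` patterns and the sample tree in `demo()` are all constructed.

```python
"""Minimal config drift detector: baseline -> hash/compare -> report."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata an attacker commonly changes."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path, patterns=("*.conf", "*.cfg")) -> dict:
    """Walk ``root`` and fingerprint every regular file matching ``patterns``.

    The patterns are an assumption for this example; a real deployment
    would list the critical files explicitly (sshd, sudoers, cron, app configs).
    """
    baseline = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            if path.is_file():
                baseline[str(path.relative_to(root))] = fingerprint(path)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in production keep this copy off-host or signed."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict, authorized=frozenset()) -> dict:
    """Diff two snapshots and split drift into alert-worthy and authorized."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    changed = added + removed + modified
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        # Anything not covered by an approved change ticket pages someone.
        "alert": sorted(p for p in changed if p not in authorized),
        "authorized": sorted(p for p in changed if p in authorized),
    }


def demo() -> dict:
    """Constructed sample: baseline a tiny config tree, then drift it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd.conf").write_text("PermitRootLogin no\n")
        (root / "app.cfg").write_text("debug = false\n")
        (root / "cron.conf").write_text("0 3 * * * backup\n")
        (root / "limits.conf").write_text("* hard core 0\n")
        os.chmod(root / "limits.conf", 0o644)
        store = root / "baseline.json"  # .json is not matched by the patterns
        save_baseline(build_baseline(root), store)

        # Simulated drift: content edit, new file, deletion, permission-only
        # change, and one edit that the pipeline (config-as-code) authorized.
        (root / "sshd.conf").write_text("PermitRootLogin yes\n")
        (root / "dropped.conf").write_text("unexpected\n")
        (root / "cron.conf").unlink()
        os.chmod(root / "limits.conf", 0o600)
        (root / "app.cfg").write_text("debug = true\n")
        return compare(load_baseline(store), build_baseline(root),
                       authorized={"app.cfg"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it daily from a scheduler and raise an alert whenever `alert` is non-empty; the `authorized` set should be fed from the same pipeline that applied the change, so the only way to edit a monitored file silently is to also compromise the pipeline. Note that `limits.conf` shows up as modified even though its contents are unchanged, because the permission bits are part of the fingerprint.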
Pipeline Coverage
This is a continuous capability; it monitors, and applies to, the following pipeline phases:
RELEASE
Tool Examples
These are examples, not endorsements. Choose what fits your context.
Dependencies
Requires (must have first)
Enhanced by (more effective with)
Same Layer
Other capabilities in this continuous layer
- #44 Database Backups
- #45 System/App Backups
- #46 Restore Verification
- #47 Restore Drills
- #48 Host Hardening