File Integrity Monitoring (FIM) Overview
File Integrity Monitoring (FIM)
F5 Distributed Cloud App Infrastructure Protection (AIP) offers FIM as part of the Host Intrusion Detection feature. This enables a continuous security monitoring solution and helps you achieve:
- Integrated near real-time monitoring of any changes to critical files or directories on all business critical systems with a very low footprint.
- Notifications and alerts for file modification events and file access events (such as open, copy, move, create, view, and modify).
- A rich, context-based audit trail with system state context that reduces false positives while meeting complex compliance requirements.
- Alerting rules for differentiated alerting and notification mechanisms based on the severity of the event, asset value and the context of the event.
Distributed Cloud AIP provides a library of predefined file monitoring rules within the Base Ruleset for the most common use cases. The File Integrity rules in the Base Ruleset include:
- File: System Configuration File Changes — Monitors changes to your system’s configuration files, specifically the /etc/ directory.
- File: System File Changes — Monitors changes to your system-specific files. By default, this rule monitors changes in the following directories:
  - /usr/sbin/
  - /bin/
  - /sbin/
  - /lib/
- File: AWS Secret File Opens — Monitors AWS secret files, which may contain customer data, access keys, or confidential configuration data. Distributed Cloud AIP sets this rule to monitor the /home/ubuntu/.aws/ directory by default. You can add any other important directories to this rule to enable monitoring.
Important
The File: System Configuration File Changes and File: System File Changes rules monitor CREATE and MODIFY events. The File: AWS Secret File Opens rule monitors OPEN events.
You can modify the Distributed Cloud AIP-provided rulesets or create additional rulesets that are specific to your environment. A rule can monitor multiple files or directories, or only a single critical file such as an application configuration (.conf) file.
Workflows and topics that you might find useful include:
- Add a new directory to the “File: Secret File Opens” rule
- Change a tag on a ruleset
- Configure an event query, alert rules, and suppression filters
- Create a FIM rule and add a user specific suppression
These workflows are not unique to FIM. You can apply the logic and workflow on the Rules page.
Add a New Directory to Monitor
To add new directories to the “Files: Secret File Opens” rule within Distributed Cloud AIP:
- In the left navigation pane, click Rules. The Rules page opens.
- Select the Base Rule Set.
- Click the Show More link to display additional rules.
- Select the Files: Secret File Opens rule from the list.
- Click the File Paths link.
- In the right view pane, the File Paths to Monitor screen is displayed.
- Click the Add Another Path button.
- Enter a new path name in the Enter a path field.
Note
You can enable recursive monitoring for a specific file path by selecting the Recursive? check box. This allows Distributed Cloud AIP to monitor changes in that directory and all of its subdirectories; without it, only the directory itself and its immediate contents are monitored.
- Save the new path by clicking the Update Rule Paths button.
- The file paths count shown in parentheses is updated to reflect your changes.
The Linux and Windows Agents allow you to set FIM rules to exclude specific files and/or directories so that the Agent does not monitor, or watch, them. FIM exclusions are useful to prevent the Agent from reporting information about files that are noisy but irrelevant to security, such as log files. Monitoring busy files can cause Agent resource issues.
Exclude Files from FIM Events
You can set a FIM rule to exclude files that you do not want the Agent to monitor.
Note
In the Exclusions list field, you can enter any string or pattern that matches standard Linux wildcards.
Examples:
- *.log (where * can represent any number of characters, except for /): Excludes any files ending in .log, such as install.log and tsagentd.log.
- noisy-*.cfg (where * can represent any number of characters, except for /): Excludes any files beginning with noisy- and ending with .cfg, such as noisy-tsagentd.cfg and noisy-tsaudit.cfg.
Exclude Directories from FIM Events
As of Linux Agent 2.3.4, FIM exclusion behavior enables you to set FIM rules to monitor a directory’s contents (including subdirectories and files) but exclude a specific path and its descendant files. For example, you can set a FIM rule to watch /etc but exclude /etc/chef and all its descendant files.
Note
In the Exclusions list field, you can enter any string or pattern that matches standard Linux wildcards.
Exclude Directories Using Absolute Paths
The Linux Agent supports directory exclusions using absolute paths, such as /etc/chef/* and /etc/chef/.
You can include glob stars (* or **) in different parts of an absolute path.
Use * to match any number of characters, except /. Examples:
- /foo/*/bar excludes /foo/a/bar and /foo/b/bar
- /*/foo/bar excludes /a/foo/bar and /b/foo/bar
- /foo/bar* excludes any events within /foo/bar1/, /foo/bar2/, and /foo/barfile
Use ** to match any number of characters, including /. This allows the exclusion to span multiple directories recursively.
To exclude a directory and all its descendant files from Agent monitoring, you must use two exclusion patterns, one for the directory itself and the other for its descendant files. Example:
- To exclude /etc/chef and all its descendant files, use both of the following exclusion patterns:
  - /etc/chef: Excludes the directory itself, which is what reports the activity of its immediate descendant files
  - /etc/chef/**: Excludes the directory’s descendant files and directories
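The following Python model of the rule-path and exclusion semantics described on this page (the Recursive? check box, * not crossing /, ** crossing /, and the two patterns needed to silence /etc/chef) is an added example, not Distributed Cloud AIP or Agent code. It is a way to check what a given path list and exclusion list will and will not report before you save a rule. Three details are assumptions, not stated on the page: a non-recursive rule path reports the directory and its immediate children only; a pattern with no leading / (such as *.log) is matched against the file name rather than the full path; and a trailing / on a pattern is ignored. The event paths are constructed, not captured from an Agent.

```python
"""Model of FIM path matching: rule paths (with Recursive?) plus exclusions.

Added example; not Distributed Cloud AIP code. Assumptions beyond the page:
- a non-recursive rule path reports the directory and its immediate children;
- a pattern with no leading '/' is matched against the file name only;
- a trailing '/' on a pattern is ignored ('/etc/chef/' == '/etc/chef').
"""
import posixpath
import re
from typing import List, Tuple


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the page's syntax: '*' matches any run of characters except
    '/', '**' matches any run including '/'. Everything else is literal."""
    pattern = pattern.rstrip("/") or "/"
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def is_watched(event_path: str, rule_paths: List[Tuple[str, bool]]) -> bool:
    """True if some (path, recursive) rule entry covers event_path."""
    parent = posixpath.dirname(event_path)
    for path, recursive in rule_paths:
        root = path.rstrip("/") or "/"
        if event_path == root or parent == root:
            return True  # the directory itself and its immediate children
        prefix = root if root == "/" else root + "/"
        if recursive and event_path.startswith(prefix):
            return True  # Recursive?: every descendant
    return False


def is_excluded(event_path: str, exclusions: List[str]) -> bool:
    """True if event_path, or the directory that reports it, matches an
    exclusion. Matching the parent is what makes a bare '/etc/chef' exclusion
    silence /etc/chef/client.rb but not /etc/chef/cookbooks/x.rb."""
    parent = posixpath.dirname(event_path)
    for pattern in exclusions:
        rx = glob_to_regex(pattern)
        if pattern.startswith("/"):
            candidates = (event_path, parent)
        else:  # assumption: relative patterns match the file name only
            candidates = (posixpath.basename(event_path), posixpath.basename(parent))
        if any(rx.match(c) for c in candidates):
            return True
    return False


def reported_events(events: List[str], rule_paths: List[Tuple[str, bool]],
                    exclusions: List[str]) -> List[str]:
    """Events the Agent would report: watched by a rule path and not excluded."""
    return [e for e in events
            if is_watched(e, rule_paths) and not is_excluded(e, exclusions)]


# Constructed event paths for illustration, not captured Agent output.
SAMPLE_EVENTS = [
    "/etc/passwd",
    "/etc/ssh/sshd_config",
    "/etc/chef",
    "/etc/chef/client.rb",
    "/etc/chef/cookbooks/base/recipes/default.rb",
    "/etc/app/debug.log",
    "/etc/app/noisy-cache.cfg",
    "/usr/sbin/sshd",
]
RULE_PATHS = [("/etc", True)]  # watch /etc with Recursive? selected
EXCLUSIONS = ["*.log", "noisy-*.cfg", "/etc/chef", "/etc/chef/**"]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        state = "REPORT" if event in reported_events(SAMPLE_EVENTS, RULE_PATHS, EXCLUSIONS) else "silent"
        print(f"{state:6} {event}")
```

Running it shows only /etc/passwd and /etc/ssh/sshd_config reported. Dropping /etc/chef/** from EXCLUSIONS brings the cookbook recipe back, and dropping /etc/chef instead brings back the event on the /etc/chef directory itself, which is the reason the page calls for both patterns.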