Overview of File Integrity Monitoring

File Integrity Monitor (FIM)

App Infrastructure Protection (AIP) offers File Integrity Monitoring (FIM) as part of the Host Intrusion Detection feature. This enables a continuous security monitoring solution and helps you achieve:

  • Integrated near real-time monitoring of any changes to critical files or directories on all business critical systems with a very low footprint.
  • Notifications and alerts for any file modification events and access events (such as open, copy, move, create, view and modify).
  • Rich, context-based audit trail with system state context for reducing false positives while maintaining complex compliance requirements.
  • Alerting rules for differentiated alerting and notification mechanisms based on the severity of the event, asset value and the context of the event.

Base Rule Set Review

AIP provides a library of predefined file monitoring rules within the Base Rule Set for the most common use cases. The Base Rule Set includes:

  • Files: Configuration File Changes - This rule monitors changes to your system’s configuration files, specifically the /etc/ directory.
  • Files: System File Changes - This rule monitors changes to your system-specific files. By default, it monitors changes in the following directories:
    • /usr/sbin/
    • /bin/
    • /sbin/
    • /lib/
  • Files: Secret File Opens - This rule monitors changes to directories identified as being important. AIP sets this rule to monitor the “/home/ubuntu/.aws/” directory by default. You can add any important directories to this rule to enable monitoring. To learn how to add a new directory to the “Files: Secret File Opens” rule, please see the ‘Useful Workflows and Processes’ below.

Important

The “Files: Configuration File Changes” and the “Files: System File Changes” rules monitor 'Modify' events. The "Files: Secret File Opens" rule monitors 'Open' events.

Useful Workflows and Processes

You can modify AIP-provided rule sets or create additional rule sets specific to your environment. A rule can monitor multiple files or directories, or only a single critical file such as an application configuration (.conf) file.

Workflows and topics that you might find useful include:

These workflows are not unique to FIM. You can apply the same logic and workflow to other rules on the Rules page.

Add a New Directory to Monitor

To add new directories to the “Files: Secret File Opens” rule within AIP:

  1. In the left navigation pane, click Rules. The Rules page opens.

    [Screenshot: rulestab.png]

  2. Select the Base Rule Set.

    [Screenshot: Base_ruleset_selected.png]

  3. Click the Show More link to display additional rules.

    [Screenshot: Show_more_link.png]

  4. Select the Files: Secret File Opens rule from the list.

    [Screenshot: Additional_rule_selected.png]

  5. Click the File Paths link.

    [Screenshot: File_paths_link.png]

  6. The File Paths to Monitor screen is displayed in the right view pane.

    [Screenshot: Add_another_path.png]

  7. Click the Add Another Path button.
  8. Enter a new path name in the Enter a path field.

    [Screenshot: Enter_file_integrity_path.png]

    Note

    You can enable recursive monitoring for a specific file path by selecting the Recursive? check box. This allows AIP to monitor changes in that directory and all of its subdirectories.

  9. Save the new path by clicking the Update Rule Paths button.

    [Screenshot: Update_rule_paths_button.png]

  10. The file paths count shown in parentheses is updated to reflect your changes.

    [Screenshot: File_paths_updated.png]

FIM Rule Exclusions

As of Linux Agent 2.3.4, FIM exclusion behavior enables you to exclude directories from FIM events. Linux and Windows Agents can now exclude both files and directories from FIM events. You can set FIM rules to watch a directory’s contents (including subdirectories and files) but choose to exclude a specific path and its children. For example, you can set a FIM rule to watch /etc but exclude /etc/chef and all its children.

Note

In the Exclusions list field, you can enter any string or pattern that matches standard Linux wildcards.

Directory Exclusions Using Absolute Paths

The Linux Agent supports directory exclusions using absolute paths. For example:

  • /etc/chef/*
  • /etc/chef
  • /etc/chef/

You can include glob stars (* or **) in different parts of an absolute path. For example:

  • /foo/*/bar excludes /foo/a/bar, /foo/b/bar
  • /*/foo/bar excludes /a/foo/bar, /b/foo/bar
  • /foo/bar* excludes any events within /foo/bar1/, /foo/bar2/, /foo/barfile

To exclude directories and all their children, use absolute path-based globs from within recursive rules, such as /etc/chef/* within /etc.

You can also include absolute path exclusions with one or more single-star (*) glob patterns so that absolute paths can match files or directories. For example:

  • /etc/chef/*
  • /etc/*chef/*
  • /*etc/*chef/*
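As an added illustration (this is not AIP agent code), the following Python script models the rule semantics described in this section and in the Recursive? note above: monitored paths that are either recursive or limited to a directory's direct children, absolute-path glob exclusions in which a single star stays within one path component and a double star spans components, and directory exclusions that also cover every child of the excluded directory. It then takes a SHA-256 baseline of a constructed temporary directory standing in for /etc, changes two files, and reports which of the resulting Modify events a rule watching /etc with /etc/chef excluded would still alert on. The glob semantics, the rule structure and all function names are assumptions made for the example; the sample tree and file contents are constructed.

```python
import hashlib
import os
import re
import tempfile


def glob_to_regex(pattern):
    """Compile an absolute-path glob (assumed semantics): '**' spans path
    components, '*' matches within a single component, and a trailing '/'
    on a directory pattern is ignored so /etc/chef and /etc/chef/ agree."""
    pattern = pattern.rstrip("/") or "/"
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def ancestors(path):
    """Yield the path itself, then each parent directory up to '/'."""
    while True:
        yield path
        if path == "/":
            return
        path = os.path.dirname(path) or "/"


def is_excluded(path, exclusions):
    """An exclusion drops an event if it matches the event path or any of its
    ancestor directories, so /etc/chef also covers /etc/chef/client.rb and
    /foo/bar* also covers everything under /foo/bar1/."""
    regexes = [glob_to_regex(p) for p in exclusions]
    return any(rx.match(a) for a in ancestors(path) for rx in regexes)


def is_monitored(path, rule_paths):
    """rule_paths is a list of (absolute_dir, recursive). A non-recursive
    watch covers only the directory and its direct children."""
    for root, recursive in rule_paths:
        root = root.rstrip("/") or "/"
        if path == root:
            return True
        if recursive and path.startswith(root + "/"):
            return True
        if not recursive and os.path.dirname(path) == root:
            return True
    return False


def should_alert(path, rule):
    """A rule alerts on an event only if the path is watched and not excluded."""
    return is_monitored(path, rule["paths"]) and not is_excluded(path, rule["exclusions"])


def snapshot(root):
    """Baseline: map every regular file under root (relative path) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Compare two baselines and return sorted (event, relative_path) pairs."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append(("created", rel))
        elif rel not in after:
            events.append(("deleted", rel))
        elif before[rel] != after[rel]:
            events.append(("modified", rel))
    return events


def demo():
    """Constructed scenario: a temporary tree stands in for /etc, the rule watches
    /etc recursively and excludes /etc/chef, then two files are modified."""
    rule = {"name": "Files: Configuration File Changes",
            "paths": [("/etc", True)],
            "exclusions": ["/etc/chef"]}
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "chef"))
        os.makedirs(os.path.join(tmp, "ssh"))
        with open(os.path.join(tmp, "ssh", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(tmp, "chef", "client.rb"), "w") as fh:
            fh.write("log_level :info\n")
        before = snapshot(tmp)
        with open(os.path.join(tmp, "ssh", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(tmp, "chef", "client.rb"), "a") as fh:
            fh.write("log_level :debug\n")
        after = snapshot(tmp)
    alerts = []
    for event, rel in diff_snapshots(before, after):
        virtual = "/etc/" + rel  # map the temporary tree back onto the rule's /etc
        if should_alert(virtual, rule):
            alerts.append((event, virtual))
    return alerts


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event}: {path}")
```

Running the script reports only the sshd_config modification: the client.rb change is a real Modify event, but the /etc/chef exclusion suppresses it because the excluded directory is an ancestor of the changed file. Keep exclusions as narrow as the page's examples (a specific directory or a tight glob), since a pattern such as /*etc/*chef/* silently widens the set of paths for which no alert will ever be raised.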
