You can configure File Integrity Monitoring (FIM) rules in the Threat Stack Cloud Security Platform® (CSP). Testing your FIM rules allows you to verify that your system is properly configured.
Example of FIM Commands and Alerts
The Threat Stack CSP allows for the following actions to be monitored on any given file path:
The Threat Stack Agent depends on inotify to populate FIM events. Due to inotify limitations, Threat Stack cannot provide information about the user that triggers a FIM Create, Delete, or Move event. For more information, please see FAQ: Exceptions for FIM Create, Delete, and Move Events.
How do I test the FIM rules?
You can test FIM by performing the above actions (examples below) on files within monitored directories. If you need help understanding which directories Threat Stack monitors, refer to the Overview of File Integrity Monitoring article.
This is a limited list of commands to give you an idea of ways to test FIM within Threat Stack.
|Command Line|Explanation|Example Event Types|
|---|---|---|
|vi [filename]|Opens the file in the vi text editor|'access', 'open', and 'close'|
|echo [text] >> secretfile|Appends text to the end of a file|'modify', 'close', 'write', and 'open'|
|wget [url]|Downloads a file from the internet|'modify', 'open', 'close', and 'write'|
|curl -O [url]|Downloads a file from the internet|'modify', 'open', 'close', and 'write'|
|scp outsidehost:/file secretfile|Copies a file from an outside host to your system|'open', 'modify', 'close', and 'write'|
|scp secretfile outsidehost:/file|Copies a file from your system to an outside host|'open', 'access', and 'close'|
Running the “vi” command to trigger an event and alert.
- Choose a file that should be monitored within Threat Stack
- Navigate to that file’s directory
- Type ‘vi [filename]’
- Result: File opens in vi
- To exit vi enter “:q”
FIM events can take up to a minute to display within the Threat Stack system.
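The table and the vi walkthrough above each exercise one action at a time. The script below is an added example, not Threat Stack's own tooling: it runs the read, write, move and delete actions against one probe file in a directory you choose, printing a UTC timestamp before each step so that every alert in the Alerts tab can be matched to the action that produced it. The directory argument is an assumption; the default scratch path under /tmp is only for a dry run of the script itself, since it is unlikely to be covered by your FIM rules.

```shell
#!/bin/sh
# Added example (not part of the Threat Stack documentation or agent).
# Exercises the FIM actions listed in the table above against one probe file.
# Usage: ./fim_exercise.sh /path/monitored/by/your/fim/rules
# The path is an assumption: pick a directory your FIM rules actually cover.

# log_step LABEL: print an ISO-8601 UTC timestamp with a label so each action
# can be matched against the event time shown on the alert.
log_step() {
    printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1"
}

# fim_exercise DIR: create, append to, read, move and delete a probe file in
# DIR. Returns 0 on success, 1 if DIR cannot be created or is not writable.
# The file is removed at the end, so the only lasting record is the log output.
fim_exercise() {
    dir="${1:-/tmp/fim-test}"          # constructed default, dry-run only
    mkdir -p "$dir" 2>/dev/null || return 1
    [ -w "$dir" ] || return 1
    f="$dir/fim-probe.txt"

    log_step "create: $f (inotify does not attribute a user to create events)"
    : > "$f"

    log_step "write: append one line (expect modify/open/write/close)"
    echo "fim probe $(date -u +%s)" >> "$f"

    log_step "read: open for reading only (expect access/open/close, as with vi :q)"
    cat "$f" > /dev/null

    log_step "move: rename within the directory (no user attributed)"
    mv "$f" "$f.moved"

    log_step "delete: remove the moved file (no user attributed)"
    rm -f "$f.moved"

    log_step "done: allow up to a minute, then check the Sev 3 alerts"
    return 0
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    fim_exercise "$1"
fi
```

Because the probe file is moved and deleted during the run, a successful exercise leaves nothing behind in the monitored directory; the timestamps on stdout are what you compare against the alert times. If the script returns 1, the directory could not be written and no events were generated.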
Where can I view my results?
- Go to the Alerts tab on the left-hand side.
- Select the Sev 3 tab to display Severity 3 alerts.
Result: You should see an alert for the event that you triggered.
What if I don’t see an alert for the event?
Check out the FIM Troubleshooting Guide or contact support.