Cloud Security File Monitoring Use Cases
File monitoring in the cloud is different from file monitoring for traditional on-premises workstations and server-type environments. To help you monitor your cloud systems, F5 Distributed Cloud App Infrastructure Protection (AIP) created a base rule set based on common patterns we observed over the last few years.
This article reviews these patterns and the use cases surrounding them. To better explain these patterns we include examples, example rules, and corresponding events and alerts in the app.
File Integrity Monitoring (FIM) relates to these three Cloud use cases. These cases assume that you want to know when:
- A directory is modified by adding new files into the directory
- A directory is modified or any of the files in the directory gets modified
- Any of the files in a directory get opened
Alerting on FIM is a two step process. Before you can implement these use cases you should:
- Make a file integrity rule to capture FIM events.
- Create an alert rule to generate alerts with the right severity and suppressions.
Use Case “Files: Configuration File Changes”
As a user, I want to know if someone adds new files into the directory.
Use case examples:
- New binaries and libraries get created in /lib/, /sbin, etc. (PCI)
- New files get uploaded by customers in a specific directory
In Distributed Cloud AIP, the base rule set rule Files: Configuration File Changes monitors for these use cases using the Modify file event.
Example: the File Paths to Monitor and Suppressions sections of the Files: Configuration File Changes rule within the base rule set.
The Files: Configuration File Changes File Paths to Monitor information:
The Files: Configuration File Changes Suppressions information:
Use Case “Files: System File Changes”
As a user, I want to know if someone modifies the directory or modifies any existing files in the directory.
An example of this use case is configuration files in /etc/ getting modified.
In Distributed Cloud AIP, the base rule set rule Files: System File Changes monitors for these use cases using the Modify file event.
The Files: System File Changes File Paths to Monitor information:
The Files: System File Changes Suppressions information:
Use Case “Files: Secret File Opens”
As a user, I want to know if someone opens the directory or modifies any existing files in the directory.
Use case examples:
- Configuration secret files (/etc/client.pem) get opened by commands other than chef-client
- Infrastructure secret files (/home/ubuntu/.aws/) get opened
In Distributed Cloud AIP, the base rule set rule Files: Secret File Opens monitors for these use cases using the Open file event.
The Files: Secret File Opens File Paths to Monitor information:
The Files: Secret File Opens Suppressions information:
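As an added example that is not part of this article or of the AIP product, the three rules above modelled as a small Python rule evaluator: each rule names the event type it listens for (Modify file or Open file), the paths it monitors and the suppressions that drop expected activity (here, chef-client reading /etc/client.pem). The rule schema, event field names and sample events are constructed assumptions, not the product's own format.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed model of an AIP-style file integrity rule (not the product schema):
# one event type, path globs to monitor, and per-path suppressed process names.
@dataclass
class FimRule:
    name: str
    event_type: str                # "modify_file" or "open_file"
    paths: list                    # glob patterns; '*' also crosses '/' in fnmatch
    suppress_processes: dict = field(default_factory=dict)  # glob -> {process names}

    def matches(self, event):
        if event["event_type"] != self.event_type:
            return False
        return any(fnmatch(event["path"], p) for p in self.paths)

    def suppressed(self, event):
        # Suppression only applies to the path it was written for
        return any(fnmatch(event["path"], glob) and event["process"] in procs
                   for glob, procs in self.suppress_processes.items())

RULES = [
    FimRule("Files: Configuration File Changes", "modify_file", ["/lib/*", "/sbin/*"]),
    FimRule("Files: System File Changes", "modify_file", ["/etc/*"]),
    FimRule("Files: Secret File Opens", "open_file",
            ["/etc/client.pem", "/home/*/.aws/*"],
            suppress_processes={"/etc/client.pem": {"chef-client"}}),
]

def evaluate(events, rules=RULES):
    """Return (rule name, path, process) for every event a rule fires on."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev) and not rule.suppressed(ev):
                alerts.append((rule.name, ev["path"], ev["process"]))
    return alerts

# Constructed sample events: two modifies, four opens, one of them suppressed.
SAMPLE_EVENTS = [
    {"event_type": "modify_file", "path": "/sbin/newbin", "process": "cp"},
    {"event_type": "modify_file", "path": "/etc/ssh/sshd_config", "process": "vim"},
    {"event_type": "open_file", "path": "/etc/client.pem", "process": "chef-client"},
    {"event_type": "open_file", "path": "/etc/client.pem", "process": "cat"},
    {"event_type": "open_file", "path": "/home/ubuntu/.aws/credentials", "process": "python3"},
    {"event_type": "open_file", "path": "/etc/hostname", "process": "cat"},  # opens of /etc are not monitored
]
```

Running `evaluate(SAMPLE_EVENTS)` yields four alerts: the chef-client open of /etc/client.pem is suppressed and the plain open of /etc/hostname matches no Open file rule.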