Cloud Security File Monitoring Use Cases

File monitoring in the cloud differs from file monitoring for traditional on-premises workstations and servers. To help you monitor your cloud systems, Threat Stack created a base rule set built on common patterns we have observed over the last few years.

This article reviews these patterns and the use cases surrounding them. To better explain the patterns, we include examples, example rules, and the corresponding events and alerts in the app.

File Integrity Monitoring (FIM) in the cloud maps to three use cases. These cases assume that you want to know when:

  • A directory is modified by adding new files into the directory
  • A directory is modified or any of the files in the directory gets modified
  • Any of the files in a directory get opened

Alerting on FIM is a two-step process. Before you can implement these use cases you should:

  1. Create a file integrity rule to capture FIM events.
  2. Create an alert rule to generate alerts with the right severity and suppressions.

Use Case “Files: Configuration File Changes”

As a user, I want to know if someone adds new files into the directory.

Use case examples:

  • New binaries and libraries get created in /lib/, /sbin, etc. (PCI)
  • New files get uploaded by customers in a specific directory

In Threat Stack, the base rule set rule “Files: Configuration File Changes” monitors for these use cases using the “Modify” file event.

Example: the “Files: Configuration File Changes” rule’s File Paths to Monitor and Suppressions sections within the base rule set.

The “Files: Configuration File Changes” File Paths to Monitor information:

1_config_file_paths.png 

The “Files: Configuration File Changes” Suppressions information:

2_config_file_suppressions.png

Use Case “Files: System File Changes”

As a user, I want to know if someone modifies the directory or modifies any existing files in the directory.

An example of this use case is “configuration files in /etc/ get modified”.

In Threat Stack, the base rule set rule “Files: System File Changes” monitors for these use cases using the “Modify” file event.

The “Files: System File Changes” File Paths to Monitor information:

3_sys_file_paths.png

The “Files: System File Changes” Suppressions information:

4_sys_file_suppressions.png


Use Case “Files: Secret File Opens”

As a user, I want to know if someone opens the directory or modifies any existing files in the directory.

Use case examples:

  • Configuration secret files (/etc/client.pem) get opened by commands other than chef-client
  • Infrastructure secret files (/home/ubuntu/.aws/) get opened

In Threat Stack, the base rule set rule “Files: Secret File Opens” monitors for these use cases using the “Open” file event.

The “Files: Secret File Opens” File Paths to Monitor information:

5_secret_files_paths.png

The “Files: Secret File Opens” Suppressions information:

6_secret_file_suppresions.png
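The following is an added example, not Threat Stack code, that models the two-step process described above (a file integrity rule that captures events, then an alert rule that applies severity and suppressions) across all three use cases: new files in /lib/ and /sbin, modifications under /etc/, and opens of secret files by anything other than chef-client. The events, the suppressed paths (/etc/mtab, /etc/resolv.conf), the severity scale (1 = highest) and the class and function names are all constructed for illustration; the real base rule set's paths and suppressions are those shown in the screenshots, not these.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Tuple


@dataclass(frozen=True)
class FileEvent:
    """One audit-style file event (constructed for this example)."""
    op: str       # "modify" (directory or file changed, incl. a new entry) or "open"
    path: str
    process: str  # name of the program that performed the operation


@dataclass(frozen=True)
class FileRule:
    """Step 1: a file integrity rule capturing one event type under some path prefixes."""
    name: str
    op: str
    paths: Tuple[str, ...]

    def captures(self, ev: FileEvent) -> bool:
        return ev.op == self.op and any(ev.path.startswith(p) for p in self.paths)


@dataclass(frozen=True)
class AlertRule:
    """Step 2: severity plus suppressions applied to captured events."""
    severity: int                          # 1 = highest (assumed scale)
    suppress_paths: Tuple[str, ...] = ()   # glob patterns that never alert
    suppress_procs: Tuple[str, ...] = ()   # programs allowed to perform the op

    def suppressed(self, ev: FileEvent) -> bool:
        return (any(fnmatch(ev.path, g) for g in self.suppress_paths)
                or ev.process in self.suppress_procs)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: int
    event: FileEvent


# Hypothetical rule set modelled on the three use cases; paths and
# suppressions are constructed, not copied from the Threat Stack base rule set.
RULE_SET = [
    (FileRule("Files: Configuration File Changes", "modify", ("/lib/", "/sbin/")),
     AlertRule(severity=2)),
    (FileRule("Files: System File Changes", "modify", ("/etc/",)),
     AlertRule(severity=2, suppress_paths=("/etc/mtab", "/etc/resolv.conf"))),
    (FileRule("Files: Secret File Opens", "open", ("/etc/client.pem", "/home/ubuntu/.aws/")),
     AlertRule(severity=1, suppress_procs=("chef-client",))),
]


def evaluate(events, rule_set=RULE_SET) -> List[Alert]:
    """Run both steps over a stream of events and return the alerts that survive."""
    alerts = []
    for ev in events:
        for frule, arule in rule_set:
            if frule.captures(ev) and not arule.suppressed(ev):
                alerts.append(Alert(frule.name, arule.severity, ev))
    return alerts


# Constructed sample events covering each use case and each suppression path.
SAMPLE_EVENTS = [
    FileEvent("modify", "/sbin/newtool", "cp"),                 # new binary in /sbin (alert)
    FileEvent("modify", "/etc/ssh/sshd_config", "vim"),         # config edit (alert)
    FileEvent("modify", "/etc/resolv.conf", "dhclient"),        # suppressed by path
    FileEvent("open", "/etc/client.pem", "chef-client"),        # suppressed by process
    FileEvent("open", "/etc/client.pem", "cat"),                # secret read (alert)
    FileEvent("open", "/home/ubuntu/.aws/credentials", "curl"), # secret read (alert)
    FileEvent("open", "/etc/ssh/sshd_config", "sshd"),          # open, but rule wants modify
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"sev{a.severity} {a.rule}: {a.event.op} {a.event.path} by {a.event.process}")
```

Running the block prints four alerts: the new /sbin binary, the sshd_config edit, and the two secret-file opens; the dhclient write to /etc/resolv.conf and the chef-client open of /etc/client.pem are dropped by the suppressions, and the open of sshd_config never reaches an alert rule because no file integrity rule captures "open" events under /etc/. Keeping capture (step 1) and suppression (step 2) separate is what lets you widen a monitored path without flooding the alert feed: the noisy-but-expected writers go into the alert rule's suppressions rather than being cut out of the captured paths.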
