File Integrity Monitoring

What is FIM

File Integrity Monitoring (FIM) is a tool that monitors files and alerts you to changes such as file creation, modification and removal. With FIM you are more likely to detect a security breach in a timely manner, which improves your chances of staying online and avoiding major damage; for this reason FIM is primarily considered a security solution. It is also useful for controlling file properties such as permissions, since even a simple change to a file's permissions can leave the system open to attack.

In the module settings you can create a series of filters that indicate the folders within which FIM runs. In addition, you can include or exclude files and/or folders, set an interval or a time of day at which to run the module, and so on.

Once all the required information has been entered and the filter's start button pressed, FIM walks the entire hierarchy of the file system starting from the folders indicated in the filter. For each file it encounters, it saves that file's information, including its MD5, to an XML file that we will call the "database". For folders, the same information, except the MD5 and size, is saved in the same file.

When this processing is finished, the database signature is created with the SHA-512 algorithm and saved inside the database. On the next run, FIM checks whether the database signature is correct:

  • if it is not correct, the contents of the database have changed;
  • if it is correct, the contents of the database have not changed.

In the first case, FIM only creates a new database with the information about the files and folders of the current run. In the second case, for each file and folder processed, every piece of its information is compared with the corresponding information saved in the database. If even one piece of information does not match, a file that we will call an "alert" is created, in which the differing information is saved, showing the before (database information) and the after (information of the newly processed file).
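To make the run logic above concrete, here is an added example in Python (not the product's code): it scans a tree into per-path records (MD5 and size for files only), signs the baseline, and on the next run either reports a broken baseline or produces before/after alerts, capped like Max alerts to write. An HMAC-SHA512 key stands in for the keystore certificate and a plain dict for the XML database; both are assumptions of this example.

```python
import hashlib
import hmac
import json
import os
from pathlib import Path
# Added example, not the product's code: the real database is an XML file signed with
# a keystore certificate; here an HMAC-SHA512 over the serialized entries stands in
# for that signature (assumption), and the entries are kept as a plain dict.
def sign(entries: dict, key: bytes) -> str:
    return hmac.new(key, json.dumps(entries, sort_keys=True).encode(), hashlib.sha512).hexdigest()

def scan(root: Path, depth: int = 2147483647) -> dict:
    """Collect metadata per path; MD5 and size are stored only for files, as the page states."""
    entries, base = {}, len(root.resolve().parts)
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if len(d.resolve().parts) - base >= depth:
            dirnames[:] = []  # stop descending past the configured Depth
        for p in [d / n for n in [*dirnames, *filenames]]:
            st = p.lstat()
            rec = {"mode": oct(st.st_mode), "mtime": int(st.st_mtime), "uid": st.st_uid}
            if p.is_file():
                rec.update(size=st.st_size, md5=hashlib.md5(p.read_bytes()).hexdigest())
            entries[str(p.relative_to(root))] = rec
    return entries

def build_database(entries: dict, key: bytes) -> dict:
    return {"entries": entries, "signature": sign(entries, key)}

def signature_valid(db: dict, key: bytes) -> bool:
    return hmac.compare_digest(db["signature"], sign(db["entries"], key))

def compare(db: dict, current: dict, key: bytes, max_alerts: int) -> list:
    """One run: a bad signature means the baseline itself changed (page: rebuild, compare nothing); else diff every field."""
    if not signature_valid(db, key):
        return [{"type": "signature failed"}]
    alerts = []
    for path in sorted(set(db["entries"]) | set(current)):
        old, new = db["entries"].get(path), current.get(path)
        if old is None or new is None:  # created, moved or deleted -> New/old alert
            alerts.append({"path": path, "type": "new/old", "before": old, "after": new})
            continue
        for field in sorted(set(old) | set(new)):
            if old.get(field) != new.get(field):  # Mismatch alert with before/after
                alerts.append({"path": path, "type": "mismatch", "field": field,
                               "before": old.get(field), "after": new.get(field)})
    if len(alerts) > max_alerts:  # Max alerts to write exceeded: a single summary alert
        return [{"type": "max alert exceed", "count": len(alerts)}]
    return alerts
```

A real run would call `build_database(scan(Path(root)), key)` on the first pass and `compare(saved_db, scan(Path(root)), key, max_alerts)` on later ones, persisting the returned database and alert list between runs.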

Settings page

Clicking FIM -> FIM settings in the side menu on the left displays the list of currently active FIM modules. The attributes of the table displayed are:

  • Where: node name;
  • What: module name;
  • Tot. Enabled filters: number of active filters for that node.

Clicking edit opens the FIM module view for that specific node.

image1

Figure 1: FIM Modules

Form page

This view shows 2 main panels:

  • Basic Parameters: contains the basic parameters of the module;
  • Filter List: contains the list of filters with the basic information for each filter.

image2

Figure 2: Form

Below are the parameters of the panel Basic Parameters:

  • Keystore name: name of the keystore containing the digital certificate used to sign both alert files and database files;
  • Password Keystore: keystore password;
  • Alias name: identifier of the certificate within the keystore;
  • Password alias: alias password;
  • Max alerts to write: maximum number of alerts (files or folders whose information differs from that saved in the database) to be written to the alert file;
  • Max files to keep: maximum number of alert files and database files to keep on disk.

image3

Figure 3: Basic Parameters

Below are the parameters of the panel Filter list:

  • Filter name: filter name;
  • Description: description of the filter;
  • Root directory: folder within which FIM runs; this folder is excluded from the check if you set at least one folder in the Directory List panel, which must be a folder inside the root directory;
  • Enable: enables or disables the filter.

Clicking see details in the Filters panel (here, filter New10) opens the filter view.

image4

Figure 4: Filter list

Filter page

This view shows 3 main panels:

  • Filter, New10: contains the filter settings in detail;
  • Filter, New10 Conditions: contains generic rules for filtering folders and files;
  • Directory List: contains all the directories associated with the filter within which FIM runs. Each filter can therefore have a list of folders to monitor, which can share the same filtering conditions.

image5

Figure 5: Filter Settings

Below are the parameters of the panel Filter, New10:

  • Filter name: filter name;

  • Description: description of the filter;

  • Root directory: folder within which FIM runs; this folder is excluded from monitoring if you set at least one folder in the Directory List panel, which must be a folder inside the root directory;

  • Starts every (minutes): how often FIM runs, in minutes. If this field is not empty, Starts at (server time) is not taken into account;

  • Starts at (server time): the hour and minutes (in hh:mm format) at which FIM runs every day. If Starts every (minutes) is not empty, this field is not taken into account. Note: the time you enter is the time of the server where FIM is installed, which may differ from your local time;

  • Depth: depth of file and folder monitoring; if empty, the default value is 2147483647;

  • Enable: enables or disables filtering.

image6

Figure 6: Filter panel

Below are the parameters of the panel Filter Conditions:

  • Operation: list that includes two options:

    • Include: includes files/folders. If Include is used, only the files/folders that meet the rule parameters are included in monitoring, while all others are skipped. Include has higher priority than Exclude, which means that if both are used for the same folder, Exclude is ignored;

    • Exclude: excludes files/folders. If Exclude is used, all files/folders that meet the rule parameters are excluded from monitoring. Exclude has higher priority than Include, which means that if both are used for the same folder, Exclude is ignored;

  • Type: list that includes two options:

    • File: considers only files;

    • Directory: considers only directories.

  • Where: list that includes three options:

    • Start: the name of the file or folder begins with the value;
    • End: the name of the file or folder ends with the value;
    • Regex: the value is a regular expression.

  • Value: rule value.

Let's take an example. If we want to exclude all files that end in .log, the rule will be: Exclude - File - End - .log. If instead we want to include all files that end in .exe, the rule will be: Include - File - End - .exe. Note, however, that this excludes all files whose extension is not .exe. To add new rules, click the following button: image7 To delete rules, click the following button: image8

image9

Figure 7: Filter Conditions panel

Below are the parameters of the panel Directory List:

  • Directory name: name of the directory to include in monitoring;
  • Description: directory description;
  • Depth: depth of monitoring of files and folders within this directory; if empty, the default value is 2147483647;
  • Enable: enables or disables monitoring of this directory.

image10

Figure 8: Directory List Panel

To add new directories, click the following button:

image7

To delete directories, click the following button:

image8

Clicking see details in the Directory List panel opens the directory view.

Directory page

This view shows 2 main panels:

  • Directory: repeats the same information as the Directory List panel;
  • Directory Conditions: contains generic rules for filtering folders and files. It has the same parameters as the Filter Conditions panel; the only difference is that the rules defined in this panel override those of the filter.

image11

Figure 9: Directories settings

image12

Figure 10: Directory Conditions Panel

NB: The folders within which databases and alerts are saved are:

  • Linux:
/TCOProject/bin/LBL/LBLLoadBalancer_aai_010_000_000/procsProfiles/C10_LBLGoFim/notificationDir
  • Windows:
C:\TCOProject\bin\LBL\LBLLoadBalancer_aai_010_000_000\procsProfiles\C10_LBLGoFim\notificationDir

Within this path, a folder is created automatically for each filter: .../<filter name>/databases and .../<filter name>/alerts.

Conditions

Let's look in more detail at how Conditions are applied to directories.

Condition   User input   User input norm.   Root + Directory   Directory     Directory norm.   Match
REGEX       (.*)/bb      (.*)/bb            /var               /var/aa/bbb   /aa/bbb/          True
STARTS      /aa/bb       /aa/bb             /var               /var/aa/bbb   /aa/bbb/          True
STARTS      /aa/bb/      /aa/bb/            /var               /var/aa/bbb   /aa/bbb/          False
STARTS      aa/bb        /aa/bb             /var               /var/aa/bbb   /aa/bbb/          True
STARTS      aa/bb/       /aa/bb/            /var               /var/aa/bbb   /aa/bbb/          False
ENDS        /aa/bb       /aa/bb/            /var               /var/aaa/bb   /aaa/bb/          False
ENDS        /aa/bb/      /aa/bb/            /var               /var/aaa/bb   /aaa/bb/          False
ENDS        aa/bb        aa/bb/             /var               /var/aaa/bb   /aaa/bb/          True
ENDS        aa/bb/       aa/bb/             /var               /var/aaa/bb   /aaa/bb/          True

Condition: the operation that FIM uses to filter folders;

User input: the Value field;

User input norm.: the Value field after normalization (an operation FIM performs during the search);

Root + Directory: the concatenation of the filter's Root directory field with its Directory name field; FIM uses it to normalize the directories it filters;

Directory: the directory that FIM found within Root + Directory;

Directory norm.: the directory that FIM found within Root + Directory, after normalization (an operation FIM performs during the search);

Match: whether the normalized user input matches the normalized directory.

When FIM searches for files, it performs a series of operations to normalize the strings that the user passes as filter conditions.

  • For Starts, the user input is checked for a leading slash and one is added if it is missing. The Directory, on the other hand, is normalized by removing Root + Directory from the path of the directory found and adding a trailing slash.

  • For Ends, the user input is checked for a trailing slash and one is added if it is missing. The Directory is normalized in the same way as for Starts.

  • For Regex, the user input is not changed, while the Directory is normalized in the same way as for Starts.

NB: If the user enters the slash of the wrong operating system (\ or /), FIM will not evaluate the condition correctly. The user must enter the path of the directory to be excluded/included starting from Root + Directory.
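The normalization rules above, reproduced as an added example in Python (not the product's code) so the Conditions table can be recomputed row by row. Regex is treated as a partial match (re.search), which is what makes the table's regex row True; whether the product uses a full match instead is not stated on the page, so that is an assumption.

```python
import os
import re

# Added example, not the product's code: Starts/Ends/Regex normalization for directories.
def normalize_input(op: str, value: str) -> str:
    if op == "STARTS":
        return value if value.startswith("/") else "/" + value  # ensure leading slash
    if op == "ENDS":
        return value if value.endswith("/") else value + "/"    # ensure trailing slash
    return value                                                # REGEX: unchanged

def normalize_directory(root: str, directory: str) -> str:
    """Strip Root + Directory from the found path and add a trailing slash."""
    rel = directory[len(root):] if directory.startswith(root) else directory
    return rel if rel.endswith("/") else rel + "/"

def evaluate(op: str, value: str, root: str, directory: str) -> dict:
    """Return one row of the Conditions table: every intermediate value plus the match."""
    needle, hay = normalize_input(op, value), normalize_directory(root, directory)
    if op == "STARTS":
        match = hay.startswith(needle)
    elif op == "ENDS":
        match = hay.endswith(needle)
    elif op == "REGEX":
        match = re.search(needle, hay) is not None  # partial match (assumption, see lead-in)
    else:
        raise ValueError(f"unknown condition {op!r}")
    return {"condition": op, "input": value, "input_norm": needle, "root": root,
            "directory": directory, "directory_norm": hay, "match": match}

def matches(op: str, value: str, root: str, directory: str) -> bool:
    return evaluate(op, value, root, directory)["match"]

def wrong_separator(value: str, sep: str = os.sep) -> bool:
    """The page's NB: a value written with the other OS's slash will never match."""
    return ("\\" if sep == "/" else "/") in value

if __name__ == "__main__":
    # Constructed rows mirroring the page's Conditions table (Root + Directory = /var).
    rows = [("REGEX", "(.*)/bb", "/var/aa/bbb")] + \
           [("STARTS", v, "/var/aa/bbb") for v in ("/aa/bb", "/aa/bb/", "aa/bb", "aa/bb/")] + \
           [("ENDS", v, "/var/aaa/bb") for v in ("/aa/bb", "/aa/bb/", "aa/bb", "aa/bb/")]
    for op, value, directory in rows:
        r = evaluate(op, value, "/var", directory)
        print(f"{op:6} {value:8} {r['input_norm']:8} {r['directory_norm']:10} {r['match']}")
```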

Status page

Clicking FIM -> FIM Status in the side menu on the left shows the list of currently active filters in a table.

image13

Figure 11: Status Page

The following are the attributes of the table displayed:

  • Node: node name;

  • Module: module name;

  • Filter name: filter name;

  • Description: description of the filter;

  • Last Run: date and time of the last run;

  • Prog. files: number of files currently verified;

  • Tot. Files: number of total files to check;

  • Alerts: number of files with issues detected;

  • Starts at: the hour and minutes (in hh:mm format) at which FIM runs every day. If neither Starts at nor Starts every is set, by default it runs at midnight each day;

  • Starts every: how often FIM runs, in minutes;

  • Phase: indicates the progress phase of processing;

  • Progress: percentage of progress of the monitoring run. The progress bar can have two colors:

    • green if there are no alerts; image14

    • orange if there are alerts; image15

  • Status: status of the filter, which can be:

    • Running: image16 after pressing the start button in Actions, or automatically according to the values of Starts at and Starts every;

    • Stopping: image17 after pressing the stop button in Actions;

    • Waiting: image18 if another filter of the same node is already running.

  • Actions: set of buttons used to perform actions, which can be:

    • Edit: image19 opens the filter page shown in Figure 5: Filter Settings;

    • Start: image20 starts monitoring;

    • Stop: image21 stops the monitoring that is running. If you stop it, you may not be able to see the alerts created up to that point (if any), depending on the monitoring phase in which it is stopped;

    • View Alert: image22 opens the Alerts page shown in Figure 12: Alerts List.

    • Suspend: image23 pauses, or image20 resumes, the processing of alerts. If paused, no alerts are considered during monitoring, so no new alerts (if any) are displayed.

Alerts page

After clicking View alert, you are redirected to a page that shows the alerts (if any) of the last run.

image24

Figure 12: Alerts List

They are displayed in a table whose attributes are:

  • Node: node name;

  • Module: module name;

  • Type: indicates which kind of alert is shown:

    • Mismatch file: image25 the file has some information that differs from the previous run;

    • Mismatch directory: image26 the directory has some information that differs from the previous run;

    • New/old file: image27 the file is new or has been moved or deleted;

    • New/old directory: image28 the directory is new or has been moved or deleted.

  • Path name: the path where an inconsistency was found;

  • See details: each row of the table has a button that, once clicked, shows only the information that has changed since the last run. You can view 5 types of alerts:

    • Mismatch: shows only the information that differs from the previous run;

image29

Figure 13: Modal Mismatch

    • Max alert exceed: only one alert is shown in the table when the number of alerts created exceeds the limit set in Max alerts to write.

image30

Figure 14: Max Alert Exceed Alert

If you click View details, the alert details are shown:

image31

Figure 15: Modal Max Alert Exceed

    • New/old: shows all the information of the new or old file/directory, indicating whether it is new or old.

image32

Figure 16: Modal New/Old

If you click View details, the alert details are shown:

    • Firm failed: shown in the table when a file's signature is invalid.

image33

Figure 17: Firm failed

If you click View details, the alert details are displayed.

image34

Figure 18: Modal firm failed

To view all file or directory alerts contained in the parent directory of one of the paths in the list, click the icon in the Type column for that path. Example: Path name: A/B/C/file.txt. Clicking the icon for this file writes the full path, excluding file.txt, to the table search bar, so that only the alerts of files and folders whose Path name is A/B/C are shown.

Templates

The Filter list panel contains templates that can be modified to suit your needs.

The available templates are: Apache, MySQL, Tomcat, Nginx, Jboss.