
FIM Hacks Series: Introduction

We’re excited to offer File Integrity Monitoring (FIM) as a new feature in Halo. If you haven’t used it yet, please take a look at either the full user guide or the intro for people who have used FIM before.

At its most general, File Integrity Monitoring watches specific files and alerts us when they change. On its own, that doesn’t help much when it comes time to turn a specific security check into an actual FIM policy: the hard part is deciding which files a given attack would have to touch.

To help with that, we’ve pulled together some simple recipes for security checks and will be publishing them over the next few weeks.  Each one starts with a goal, like: “Detect attempts to redirect account email”.  For each we’ll provide a list of things to monitor with FIM, such as:

/etc/aliases
/etc/mail/aliases
/root/.forward
/home/*/.forward
/etc/mail/virtusertable
/etc/postfix/virtual

When you add those to your FIM policy, you’ll get an alert whenever one of them changes, and a change to any of these files is a change to mail routing. Two things to check when you set this up: the wildcard in /home/*/.forward only works if your policy expands wildcards (otherwise list each home directory explicitly), and the check must fire when one of these files is created, not just when an existing one is modified, since a fresh .forward dropped into a home directory is exactly what an attacker redirecting mail would leave behind.
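To make the recipe concrete, here is a small baseline-and-compare script that does what a FIM policy does for this watch list: expand the patterns (including the /home/*/.forward wildcard), hash every matching file along with its mode and owner, and report files that are added, removed, modified, or whose metadata changed. This is an added example written for this post, not Halo’s own FIM code or its policy format; it runs against a constructed temporary directory that stands in for the root filesystem, and the attacker actions it simulates (rewriting /etc/aliases, dropping a new .forward) are invented for the demonstration.

```python
"""Baseline-and-compare check for the mail-routing watch list (added example)."""
import glob
import hashlib
import os
import tempfile

# Watch list from the recipe. Patterns use shell-style globs, so
# /home/*/.forward expands to every user's forward file.
MAIL_ROUTING_WATCHLIST = [
    "/etc/aliases",
    "/etc/mail/aliases",
    "/root/.forward",
    "/home/*/.forward",
    "/etc/mail/virtusertable",
    "/etc/postfix/virtual",
]


def expand_watchlist(patterns, root="/"):
    """Expand the patterns under `root` and return the regular files that exist."""
    paths = set()
    for pattern in patterns:
        full = os.path.join(root, pattern.lstrip("/"))
        for match in glob.glob(full):
            if os.path.isfile(match):
                paths.add(match)
    return sorted(paths)


def snapshot(patterns, root="/"):
    """Record SHA-256, permission bits and owner for every matching file.

    Keys are paths relative to `root` (written with a leading slash) so a
    snapshot taken under a test directory compares like one taken under /.
    """
    snap = {}
    for path in expand_watchlist(patterns, root):
        st = os.stat(path)
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        rel = "/" + os.path.relpath(path, root)
        snap[rel] = {"sha256": digest, "mode": st.st_mode & 0o7777, "uid": st.st_uid}
    return snap


def compare(baseline, current):
    """Return (path, event) tuples: 'added', 'removed', 'modified' or 'metadata'.

    A file that appears in the watch list but not in the baseline is reported
    as 'added': a newly created .forward is as important as an edited one.
    """
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append((path, "added"))
        elif path not in current:
            events.append((path, "removed"))
        elif baseline[path]["sha256"] != current[path]["sha256"]:
            events.append((path, "modified"))
        elif baseline[path] != current[path]:
            events.append((path, "metadata"))
    return events


def demo():
    """Constructed scenario: a temp dir stands in for '/'. Returns the events found."""
    root = tempfile.mkdtemp()

    def write(rel, content):
        p = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(content)

    # Constructed "clean" system state.
    write("/etc/aliases", "root: admin\n")
    write("/etc/postfix/virtual", "")
    write("/home/alice/.forward", "alice@example.com\n")
    baseline = snapshot(MAIL_ROUTING_WATCHLIST, root)

    # Simulated attacker actions (invented for the example): redirect root's
    # mail and plant a forward for a second user.
    write("/etc/aliases", "root: attacker@evil.example\n")
    write("/home/bob/.forward", "attacker@evil.example\n")

    return compare(baseline, snapshot(MAIL_ROUTING_WATCHLIST, root))


if __name__ == "__main__":
    for path, event in demo():
        print(f"{event:9} {path}")
```

Run as a script it prints the two events from the simulated tampering (the modified /etc/aliases and the newly added /home/bob/.forward). The metadata comparison is there because a chmod or chown on an aliases file is worth an alert even when the content is unchanged.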

These FIM hacks focus on common things to monitor on a generic system. They generally don’t cover the material that system owners add themselves:

– Custom system configurations
– Web content
– Locally provided scripts and tools
– Local user account specific files
– OS customizations

All of the above are not only fair game for FIM, but heartily encouraged!

If you have suggestions or requests, let us know.

