In this 5 minute video I will show you how to set up file integrity monitoring in your Halo portal including how to create a policy, set a baseline server, apply your policy to a group of servers, and configure alerts. I will also show you what happens when changes occur in a file you’re monitoring.
File integrity monitoring (or “FIM”) permits you to identify when changes are made to your files. If you are concerned that a critical file may be inadvertently changed, or that an attacker may mess with certain files on your system, file integrity monitoring can help you spot these changes. Halo generates a cryptographic hash of each file, and then stores that hash on our grid. Later checks verify that the file continues to generate the same hash value. Hash checking can detect even the smallest of changes. For example, changing the capitalization of a single character or adding/deleting a space will dramatically change a file’s cryptographic hash. So let’s get started on setting up file integrity monitoring.
On your dashboard, you may notice a new icon labeled “Integrity” – if you don’t, go to the Settings tab and click Site Administration, then the Beta Features tab. Checking this box will enable Beta features in your portal. If you enable beta features, you can test out our newest offerings for free – they’ll just appear on your portal.
You set up an effective File Integrity Monitoring process on your servers in three parts: Writing and applying a policy (which is similar to what you already do with configuration scanning), assigning alert profiles, and setting the frequency of your scans. In this example, I’ll set up monitoring on my web servers.
First, I need to write a File Integrity policy. To create a new policy, go to the policies menu, select “File Integrity Policies”, and click Add New File Integrity Policy. We provide the ability to select the directories you would like to monitor, rather than scanning everything by default, to avoid the problem of too much noise in your file integrity scans.
For this example, I am going to create a fairly limited policy that just detects web defacement of static HTML files and images, and detects replacement of CGI scripts; however, you can use FIM for much more. If you’d like some tips on creating a policy, see our community site at community.cloudpassage.com.
So, I want to monitor for changes in these directories. Halo FIM policies in the current beta release have a few major differences from the file integrity monitoring you might be used to. For example, I use an asterisk in a couple of these directories. The asterisk is a wildcard symbol that selects all files within that directory level; however, FIM in the current beta release does not search down recursively.
As you can see on the right-hand side, I can flag a change as critical, and I can generate an email alert for a change in a file. (We’ll talk about who gets those alerts and when in a moment.)
Once you’ve entered all of the directories you’d like to monitor, and selected alert options, click “Save”. You’ll notice that you get this message, telling you that your policy isn’t active until you set a baseline. The baseline is simply the server you wish to use as your gold-standard image. Halo will hash the files in all of the specified directories on the baseline server. You will then be able to check the files on other servers against this baseline. To define a baseline server, click the “Baseline” button and select the appropriate server. Note that the drop-down menu will only include active servers.
Once you’ve selected a baseline server, it will take a minute or two, depending on how many files are being baselined, to process those files for your policy.
Now that you have a policy, you’ll want to apply it to a group of servers that you’d like to monitor. To do this, return to your dashboard to see your servers. I’d like to monitor my web servers, so I’ll apply it to my web servers group by clicking on the group’s name and then “Edit Details” and selecting the policy name from the FIM policies drop-down menu. Once I click save, the FIM policy is applied to all of the servers in that group, which means that all the servers in that group are being compared to that baseline server you selected. It will take about a minute for the change to be processed.
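To make the baseline-and-compare mechanism concrete, here is an added, hypothetical Python illustration (not Halo’s code): it hashes the files matched by each policy entry on a baseline tree, then scans another server’s tree and reports every deviation together with that entry’s critical flag. The policy paths, file contents and the non-recursive handling of a trailing `*` are constructed for the example, following the behaviour described above.

```python
import hashlib, os, tempfile
from glob import glob
from pathlib import Path

# Constructed policy: directory patterns plus a "critical" flag. A trailing "*"
# selects the files at that directory level only; nothing here descends further.
POLICY = {
    "/var/www/html/*": True,      # static HTML and images
    "/var/www/cgi-bin/*": True,   # CGI scripts
}

def file_hash(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def expand(pattern, root):
    """Resolve one policy entry against a server tree rooted at `root` (non-recursive)."""
    full = os.path.join(root, pattern.lstrip("/"))
    return sorted(p for p in glob(full) if os.path.isfile(p))

def baseline(policy, root):
    """Hash every monitored file on the gold-standard tree: relative path -> (hash, critical)."""
    snap = {}
    for pattern, critical in policy.items():
        for path in expand(pattern, root):
            snap[os.path.relpath(path, root)] = (file_hash(path), critical)
    return snap

def scan(policy, root, snap):
    """Compare another server tree against the baseline and list every deviation."""
    current = baseline(policy, root)
    findings = [(rel, "missing" if rel not in current else "modified", crit)
                for rel, (digest, crit) in snap.items()
                if rel not in current or current[rel][0] != digest]
    findings += [(rel, "added", crit) for rel, (_, crit) in current.items() if rel not in snap]
    return findings

def demo():
    """Constructed sample: a baseline tree and a server whose index.html differs
    by one character of capitalization, which is enough to change its hash."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as srv:
        for root, body in ((base, b"<h1>Welcome</h1>\n"), (srv, b"<h1>welcome</h1>\n")):
            Path(root, "var/www/html").mkdir(parents=True)
            Path(root, "var/www/html/index.html").write_bytes(body)
            Path(root, "var/www/html/logo.png").write_bytes(b"\x89PNG constructed bytes")
            Path(root, "var/www/cgi-bin").mkdir()
            Path(root, "var/www/cgi-bin/form.cgi").write_bytes(b"#!/bin/sh\necho ok\n")
        return scan(POLICY, srv, baseline(POLICY, base))
```

Running `demo()` reports only the single altered file as a critical modification; the unchanged image and CGI script produce no findings.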
Now that you’ve got a policy set up identifying which files to monitor for changes, you’ll need to decide who should receive alerts should these files change. If you have used Halo Security Events, you should already be familiar with configuring alerts, but I’ll just go through this quickly if you’re not. Under Policies, select “Alert Profiles”, and Add New Alert Profile. Give the profile a name, add users to it and determine when and if they’ll get alerts. In this example, I will be alerted to both critical and non-critical alerts, but Chris will only be alerted to critical alerts. When I apply a profile to my group of web servers, any alerts generated by FIM or the Security Events scans will send email alerts according to these settings.
Finally, I need to check the frequency of my FIM scans. Go to your Settings menu and select File Integrity Monitoring. If you are a Halo Basic customer, your scans will run automatically once a day, but NetSec and Pro customers can set their FIM scans to run hourly. No matter what your plan, you can still run unlimited manual scans. Once you’ve set your scheduling, you’re good to go! File Integrity Monitoring is set up for my web servers! The next time my servers are scanned, any change will be noted on this report and, depending on my alert profile, I’ll get an email as soon as the change is detected in the scan.
Now that the web servers are being monitored for file integrity, I am going to manually tamper with a file on one of my servers.
OK, the file named testdocument.html has been edited manually on Server1. To save time, I’m going to manually run a scan on my group so we can see what the report looks like.
You can see that the scan picked up one issue and gives me details like the server name and IP address that failed the scan, the file that changed and when the change occurred, and which FIM policy was monitoring that file. I also got an email alert as soon as the scan detected the change.
When you get an alert like this, your next step may be to find out WHY the document changed. If the change occurred due to an upgrade or was made by an authorized webmaster, you’ll want to recreate the gold-standard baseline. You can do this by returning to your FIM policy (under Policies, click File Integrity Policies). Click on the policy you need to re-baseline, click “Baseline” at the bottom, and select your baseline server.
Now, if the change was unknown or unauthorized, you may need a full forensic analysis.