How File Integrity Monitoring Works
File integrity monitoring is a feature of CloudPassage® Halo® that protects the integrity of system and application software on your Linux or Windows cloud servers. It regularly monitors your servers for unauthorized or malicious changes to important system binaries and configuration files. Implementing file integrity monitoring can help you to
- Detect unauthorized intrusions into any of your cloud servers.
- Comply with mandates and standards such as PCI DSS, HIPAA, SOX, CSA, and SANS.
- Detect tampering with your servers' system or application code so that it can be investigated and repaired.
Halo accomplishes file integrity monitoring by first saving a baseline record of the "clean" state of your server systems. It then periodically re-scans each server instance and compares the results to that baseline. Any differences detected are logged and reported to the appropriate administrators.
The elements that make up the baseline include (1) cryptographic hashes (SHA-256 checksums, which Halo calls signatures) together with standard metadata for every file being monitored, and (2) standard metadata only for objects that have no file content of their own, such as directories and symlinks.
If later scans reveal that a file's checksum or metadata has changed, a security event is generated. An administrator can inspect the metadata or the file itself on the server involved to understand the nature of the change and, if warranted, escalate the issue to an incident-response team.
Halo file integrity monitoring involves these components and actions:
- File integrity policy. A security administrator uses the Halo Portal to configure file integrity monitoring and to create a file integrity policy - essentially a list of paths to target objects (files and directories) to be monitored for changes.
- Baseline server and baseline scan. The administrator associates the policy with a baseline server—a server that represents the canonical, correctly configured, clean file structure of the cloud servers that will be scanned. Halo performs a baseline scan of this server, computing the cryptographic checksums (SHA-256 hash values) and collecting the metadata of all targeted objects, and saves those baseline signatures and metadata with the policy.
Note: Halo allows you to define multiple baseline servers for a single policy, when the servers you need to scan are not all exactly identical.
- Server group. The administrator uses the Halo Portal to assign the policy to a server group—an administrator-defined collection of servers that are identical to the baseline server in terms of system structure and configuration, at least for the targets specified in the policy.
- Monitoring scans. At a frequency determined by the administrator, Halo automatically runs monitoring scans of all servers in the group, including servers that come online automatically through cloning or cloudbursting. The Halo agent running on each server collects metadata and computes hashes of each targeted object on the server and sends them to the Halo analytics engine, which compares them with the baseline information and reports any differences found to the Halo Portal. Modifications, deletions, or additions of files or directories—as well as changes to metadata—are all detected. Because detection is scan-based, a change that is made and fully reverted between two consecutive scans leaves no trace in the scan results, so choose the scan frequency with that in mind.
- Security events and alerts. Halo records information on any detected changes as scan results, and also as security events. Administrators can view and act on those results and events in the Halo Portal. Administrators may also receive email alerts triggered by designated high-priority events.
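As an added, simplified illustration of the baseline-scan-compare cycle described above (example code written for this page, not CloudPassage's agent, analytics engine, or storage format), the following Python script fingerprints the objects named in a policy, takes a baseline, then compares a later scan against it and reports additions, deletions, content changes (SHA-256) and metadata-only changes such as a newly set setuid bit or a retargeted symlink. The metadata field set, the relative-path keys, the policy list and the tampered tree it builds in a temporary directory are all constructed assumptions, and it expects a POSIX host with symlink support.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Metadata recorded for every monitored object. The page says only "standard
# metadata" without listing fields, so this particular field set is an assumption.
META_FIELDS = ("type", "mode", "uid", "gid", "size", "mtime", "target")

def sha256_of(path):
    """Hash file content in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def fingerprint(path):
    """(sha256, metadata) for one object; only regular files get a hash."""
    st = os.lstat(path)  # lstat describes a symlink itself, not its target
    digest, target, kind = None, None, "other"
    if stat.S_ISREG(st.st_mode):
        kind, digest = "file", sha256_of(path)
    elif stat.S_ISDIR(st.st_mode):
        kind = "dir"
    elif stat.S_ISLNK(st.st_mode):
        kind, target = "symlink", os.readlink(path)
    meta = {"type": kind, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size if kind == "file" else None,
            "mtime": st.st_mtime_ns, "target": target}
    return digest, meta

def scan(root, policy):
    """Fingerprint every object under the policy's target paths, keyed by path
    relative to root so one baseline applies to every server with that layout."""
    results = {}
    for target in policy:
        top = os.path.join(root, target)
        if not os.path.lexists(top):
            continue  # a target that has vanished is reported as "deleted"
        results[target] = fingerprint(top)
        if os.path.isdir(top) and not os.path.islink(top):
            for dirpath, dirnames, filenames in os.walk(top):  # no symlink following
                for name in dirnames + filenames:
                    full = os.path.join(dirpath, name)
                    results[os.path.relpath(full, root)] = fingerprint(full)
    return results

def compare(baseline, current):
    """Diff a monitoring scan against the baseline: sorted (path, event, fields)."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            events.append((path, "deleted", []))
        elif path not in baseline:
            events.append((path, "added", []))
        else:
            (b_hash, b_meta), (c_hash, c_meta) = baseline[path], current[path]
            fields = [k for k in META_FIELDS if b_meta[k] != c_meta[k]]
            if b_hash != c_hash:
                events.append((path, "modified", ["sha256"] + fields))
            elif fields:
                events.append((path, "metadata", fields))
    return events

def demo():
    """Constructed baseline tree, cloned as a group server and then tampered with."""
    policy = ["etc", "bin", "lib64"]  # the file integrity policy: target paths
    work = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        base = os.path.join(work, "baseline")
        for d in ("etc/cron.d", "bin", "lib"):
            os.makedirs(os.path.join(base, d))
        for rel, text in {"etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
                          "etc/motd": "authorized use only\n",
                          "bin/ls": "constructed stand-in for a binary\n"}.items():
            with open(os.path.join(base, rel), "w") as f:
                f.write(text)
        os.chmod(os.path.join(base, "bin/ls"), 0o755)
        os.symlink("lib", os.path.join(base, "lib64"))
        baseline = scan(base, policy)  # the baseline scan

        server = os.path.join(work, "server")
        shutil.copytree(base, server, symlinks=True)  # preserves mode and mtime
        with open(os.path.join(server, "etc/passwd"), "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")  # content change
        os.chmod(os.path.join(server, "bin/ls"), 0o4755)  # setuid bit: metadata only
        with open(os.path.join(server, "etc/cron.d/persist"), "w") as f:
            f.write("* * * * * root /tmp/.x\n")  # added file
        os.remove(os.path.join(server, "etc/motd"))  # deleted file
        os.remove(os.path.join(server, "lib64"))
        os.symlink("/tmp/evil", os.path.join(server, "lib64"))  # symlink retargeted
        return compare(baseline, scan(server, policy))  # the monitoring scan
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    for path, event, fields in demo():
        print(f"{event:<9} {path}  {' '.join(fields)}")
```

Running the script prints one line per event. Note that adding or removing an entry in a monitored directory also changes that directory's mtime, so the directory itself raises a metadata event alongside the added or deleted file; treat that as a corroborating signal rather than noise.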