Manage Ongoing Monitoring
Once you have run the baseline scan for a policy, assigned the policy to a server group, and then manually scanned your servers, you can view the results to address security events and alerts, and to manage updates to file integrity settings and policies.
Note: Going forward, be sure to set up automatic scanning to make sure that your servers are regularly examined for file integrity issues. You can do that at [Site Administrator menu] > Site Administration in the Halo portal; for details, see Specifying File Integrity Monitoring Settings.
Re-Baseline a Policy
Whenever you alter a target in a file integrity policy, the policy's existing baselines involving that target are invalidated. You must re-run the baseline scan for any affected baseline server, or add a new baseline. Note that re-running a baseline is not required during the normal elastic operation of your cloud, because Halo automatically accounts for servers that come online or go offline due to server cloning or auto-scaling.
Whenever you make a configuration change, addition, or deletion to any of the monitored objects in a policy's server group, you must make the change to the appropriate baseline server itself, propagate that change to all the servers in the group, and then re-run the baseline scan for that policy.
To re-run a baseline scan, go to Policies > File Integrity Policies in the Halo portal and locate the policy that you wish to re-baseline. If you need more detailed instructions, see Re-Baselining a Policy.
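To make the invalidation rule above concrete, here is an added Python sketch (not CloudPassage code and not a description of how Halo is implemented) that models a baseline as a map from target path to SHA-256 signature. The function names, the temporary sample files and the event labels are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sign(path):
    """SHA-256 of a file's content, or None if the file does not exist."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None

def run_baseline(targets):
    """Record one signature per policy target (the 'baseline scan')."""
    return {t: sign(t) for t in targets}

def stale_targets(policy_targets, baseline):
    """Targets in the policy that the baseline never recorded."""
    return sorted(set(policy_targets) - set(baseline))

def scan(policy_targets, baseline):
    """Compare current state to the baseline; refuse a stale baseline."""
    missing = stale_targets(policy_targets, baseline)
    if missing:
        raise ValueError(f"baseline invalidated, re-baseline needed: {missing}")
    events = {}
    for t in policy_targets:
        now = sign(t)
        if now != baseline[t]:
            events[os.path.basename(t)] = "deleted" if now is None else "modified"
    return events

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        conf, cron = os.path.join(d, "sshd_config"), os.path.join(d, "crontab")
        for path, body in ((conf, "PermitRootLogin no\n"), (cron, "# empty\n")):
            with open(path, "w") as fh:
                fh.write(body)
        policy = [conf]
        baseline = run_baseline(policy)
        clean = scan(policy, baseline)            # {} : matches baseline
        with open(conf, "w") as fh:
            fh.write("PermitRootLogin yes\n")
        changed = scan(policy, baseline)          # change raises an event
        policy.append(cron)                       # policy target altered
        stale = [os.path.basename(p) for p in stale_targets(policy, baseline)]
        # Re-baselining trusts whatever is on disk now, so review open events first.
        baseline = run_baseline(policy)
        return clean, changed, stale, scan(policy, baseline)
```

`demo()` returns four results in order: the clean scan, the event raised by the edit, the targets that invalidate the old baseline, and the scan after re-baselining.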
Administer File Integrity Policies
The Halo portal helps you with day-to-day administration of your file integrity policies. Follow the links below if you need instructions for performing these tasks.
- Export or import a policy from or into the Halo portal.
- Edit an existing policy from the Active File Integrity Policy list.
- Retire an active policy from the Active File Integrity Policy list.
- Unretire (re-activate) a retired policy from the Retired File Integrity Policy list.
Use the File Integrity Monitoring API
You can use the CloudPassage API to automate file integrity monitoring or build its capabilities into your own security tools. The API includes the following file integrity modules and functions:
- File Integrity Policies API. Allows you to list all policies, get the details of a single policy, create a policy, update a policy, and delete a policy.
- File Integrity Policy Baselines API. Allows you to list all baselines for a policy, list a single baseline, create a baseline (run a baseline scan), delete a baseline, and request a re-baseline (re-run a baseline scan).
- Launch a file integrity scan (in the Server Scans API). Allows you to assign one or more file integrity policies to a server group.
- Export file integrity events. File integrity events are included in the set of security events that you can retrieve from the Halo database.
See the Halo REST API Developer Guide for details.