Run a File Integrity Scan
Getting your implementation of File Integrity Monitoring up and running involves creating a file integrity policy, setting up and scanning a baseline server or servers, and assigning the policy to a server group in your cloud.
1 Define a Server Group to Scan
If you have not already installed Halo agents on your servers and organized them into groups along functional and architectural lines, do so now.
- Install Halo agents on a set of similar servers that you wish to monitor for file integrity. For detailed instructions, log into the Halo portal and go to either the Install Linux agents page or the Install Windows agents page.
Note: To use file integrity monitoring on a Windows server, you'll need to upgrade its Halo agent to version 2.7.8.
Choose servers that all share the same operating system configuration and basic applications, so that the same file integrity policy (or policies) can apply to all of them. For example, all Debian/Ubuntu web servers that use Apache could be in the same server group. Likewise, all Red Hat Enterprise, CentOS, or Fedora database servers that use MySQL could be in another group.
- Use the Halo portal UI to create a named server group. Then add that set of servers to the group. For detailed steps, see Organize Your Servers Into Server Groups and Assign Servers to Groups in the Halo Operations Guide.
2 Create or Clone a File Integrity Policy
A file integrity policy is a list of targets to be monitored for changes, plus flags that specify how Halo should treat a detected change to each target. To create your policy, you can customize a policy template provided with Halo (see Cloning a Policy Template), you can import a policy exported by another Halo user (see Exporting or Importing a Policy), or you can create a policy from scratch.
To create or customize your policy, you'll need to know which files you want to monitor, which issues (changes to target files) should be considered critical, and which should generate alerts to an administrator.
To create a new policy, go to Policies > File Integrity Policies in the Halo portal, click Add New Linux Policy or Add New Windows Policy, and fill out the Add New File Integrity Policy form:
- As targets, you can specify the following objects: individual files, directories, symbolic links, devices and special files (such as named pipes), and—on Windows—Registry keys.
- If you specify a directory, you can make the scan recursive (objects at all levels within the target directory are scanned) or non-recursive (only objects at the uppermost level within the directory are scanned).
- Within a directory target, you can either exclude objects that match a specific pattern, or you can include only objects that match the pattern.
- Mark or unmark the rule as active (will be scanned), critical (will be flagged in scan results), and/or alert (will generate an email alert). Make sure your policy has at least one active target.
If you need more detailed instructions, see Creating a File Integrity Policy.
For a list of restrictions on allowable targets in a policy and allowable kinds of information to scan, see Limitations on Targets and Scans.
3 Specify a Baseline Server and Run a Baseline Scan
Every file integrity policy needs to be associated with a specific server that functions as the gold master—the template for all of the servers that will be scanned using that policy. The gold master needs to contain known good versions of all of the targets specified in the policy. You can pick an existing cloud server or you can set up a special server, either local or in the cloud; it needs to be correctly configured, clean, and up-to-date.
You normally assign the baseline server to the policy immediately after saving the policy. When you click the Add Baseline button on the policy's page in the Halo portal, you are asked to select the server. As soon as you have done that and clicked Request Baseline, the baseline scan runs. When it finishes, your policy is complete.
Note: Depending on the server configurations in your server group, you may wish to specify multiple baseline servers for a single policy. See Using Multiple Baselines.
Before you run a baseline scan, you can optionally give it an expiration date. After you run the scan, you can inspect the baseline report to verify that no targets were missed.
If you need more detailed instructions about baselines, see Specifying a Baseline Server and Running a Baseline Scan.
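As an added illustration (not Halo's code or API), the following Python models the pieces described in Steps 2 and 3: a policy made of targets with recursive/include/exclude settings and active/critical/alert flags, a baseline snapshot taken from a gold-master filesystem, and a scan that reports pass or a list of changed paths per target. The field names, the `root` parameter that stands in for the server's `/`, and SHA-256 as the digest are assumptions.

```python
import fnmatch
import hashlib
import os
from dataclasses import dataclass, field

@dataclass
class Target:
    path: str                      # file or directory, e.g. "/etc/ssh" (field names assumed)
    recursive: bool = True         # directory only: descend into subdirectories
    exclude: list = field(default_factory=list)  # glob patterns to skip
    include: list = field(default_factory=list)  # if set, scan only matching names
    active: bool = True            # inactive targets are not scanned at all
    critical: bool = False         # flag changes as critical in results
    alert: bool = False            # changes should raise an alert

def _wanted(name, rule):
    hit = lambda pats: any(fnmatch.fnmatch(name, p) for p in pats)
    return hit(rule.include) if rule.include else not hit(rule.exclude)

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_target(root, rule):
    """Map each covered file (path relative to root, shown as absolute) to its SHA-256."""
    base = os.path.join(root, rule.path.lstrip("/"))
    if os.path.isfile(base):
        return {rule.path: _sha256(base)}
    found = {}
    for dirpath, dirnames, filenames in os.walk(base):
        if not rule.recursive:
            dirnames[:] = []  # non-recursive: only the uppermost level of the directory
        for name in filter(lambda n: _wanted(n, rule), filenames):
            full = os.path.join(dirpath, name)
            found["/" + os.path.relpath(full, root)] = _sha256(full)
    return found

def baseline(root, policy):
    """Gold-master snapshot: one digest map per active target."""
    return {r.path: scan_target(root, r) for r in policy if r.active}

def compare(root, policy, base):
    """Per target: 'pass', or the added/removed/modified paths plus the rule's severity flags."""
    report = {}
    for rule in (r for r in policy if r.active):
        now, then = scan_target(root, rule), base.get(rule.path, {})
        changed = sorted(p for p in set(now) | set(then) if now.get(p) != then.get(p))
        report[rule.path] = "pass" if not changed else {
            "issues": changed, "critical": rule.critical, "alert": rule.alert}
    return report
```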
4 Assign the Policy to a Server Group
The last step in preparing to run file integrity scans is to assign your policy to the server group that you created in Step 1. Naturally, all the servers in the group must match the policy's baseline server (or servers)—at least in the portions of server structure and content that will be scanned.
Go to the Edit Details page for that group to make the assignment. If you need more detailed instructions, see Assigning a Policy to a Server Group.
Note: At this point, you can just wait for the next scheduled file integrity scan, or you can manually invoke a scan of the server group, as described next.
5 Execute a Manual Scan
You can schedule scans to run automatically at regular intervals (see Specifying File Integrity Monitoring Settings), or you can manually kick off an immediate scan at any time. For a manual scan, you can choose to scan all of your servers, or one server group, or a subset of the servers in a server group.
Click the Integrity icon on the Halo Dashboard and then select All Servers or some other server group. Use the checkboxes to select all servers in the group or one or more individual servers. Then choose Launch Scan from the Actions menu to run the scan.
6 View Scan Results
After a file integrity scan has completed, you can view summary results of the scan by selecting the Integrity icon and the name of the scanned server group on the dashboard page of the Halo portal.
To view the details of an individual server's file integrity scan results, click the number of Critical or Other issues for the desired server on the dashboard page. The server's scan results page appears, showing pass/fail results for each target scanned on the server.
See Inspect a Server's Current Issues and other sections of Halo Issues, Events, and Alerts: Addressing Scan Results and Security Notifications for further instructions on how to view, interpret, and act upon file integrity scan results.