Appendix A: Task Details
This section contains detailed, step-by-step instructions for the tasks described earlier in this document. You can refer to these instructions if you need additional information about a task.
Specifying File Integrity Monitoring Settings
Schedule Automatic Scanning
You can conduct file integrity scans manually or automatically. For automatic scans, decide whether and how frequently you want to conduct them. Then go to [Site Administrator menu] > Site Administration in the Halo Portal and click the Scanner Settings tab.
Under Scanner Scheduling, in the line for "File Integrity Monitoring", select Enable Automatic Scanning, then choose a scan frequency from once per hour to once per week. Leave Execute scan on daemon start selected if you want to run an initial scan on each server as soon as it starts up.
The next scheduled scan will occur in as little as one hour or as much as 24 hours later, depending on the frequency you have specified. Note that only servers in groups that have an assigned file integrity policy are scanned at each automatic scan.
Note: Depending on the number and size of the targets in your policy, running a monitoring scan on all the servers in a server group may take some time. Specifying a high scanning frequency for a large group might impact the performance of your servers.
Set Event Scope
By default, all issues (object changes) for a single file integrity target are combined into a single event during a scan. A Halo site administrator can choose to instead consider each individual change within a target to be a separate event. Note that making a separate event for every change within a target can significantly increase the total number of events reported.
Under File Integrity Monitoring on the Scanner Settings page, select or clear the checkbox Generate a separate event for every change detected by a file integrity monitoring rule.
Cloning a Policy Template
The fastest way to create a file integrity policy is to clone a policy template. You can also clone any existing file integrity policy, such as one you have previously created or cloned.
To clone a policy template:
- Go to Policies > File Integrity Policies and click Policy Templates, or else go to Templates and Tools > File Integrity Policy Templates.
- On the File Integrity Policy Templates page, locate the template that you want to clone (see list of templates below).
- In the line for the template that you want, select Clone from the Actions drop-down menu. The Add New File Integrity Policy page opens, with the policy name shown as TemplateName (copy), and with all of the content of the template, including its targets, filled in.
- You can immediately save the template as a policy, or you can edit it—change its name, add or remove targets, and so on—and then save it.
The cloned template now appears as a policy like any other on the File Integrity Policies page.
To clone an existing policy:
You can clone any existing policy and use it as the basis for creating another policy:
- Go to Policies > File Integrity Policies and locate the policy that you want to clone.
- Select Clone from the Actions drop-down menu for that policy. The Add New File Integrity Policy page opens, with the policy name shown as ExistingPolicyName (copy), and with all of the content of the existing policy, including its targets, filled in.
- Edit the policy as desired, then save it.
The cloned policy now appears on the File Integrity Policies page.
File Integrity Policy Templates Provided With Halo
Halo includes the following templates that you can clone and optionally customize for conducting file integrity scans:
Linux OS level:
- Monitor Privilege Escalation (Linux) v1. Detects changes to files that are commonly modified by attackers to raise privileges or to maintain raised privileges.
- Monitor Changes to Files with SETUID (Linux) v1. Detects changes to common files whose setuid permissions bit is set. These files are favorites for attackers to modify in order to gain elevated privileges.
Linux application level:
- HAProxy (Linux) v1. Detects changes in HAProxy on Ubuntu, Debian, CentOS, Amazon Linux AMI, and Red Hat.
- Mongo DB (Debian-based or RPM-based Linux) v1. Two policies detect changes to sensitive MongoDB files and directories on Linux platforms.
- WordPress (Debian-based or RPM-based Linux) v1. Two policies detect changes to sensitive WordPress files and directories on Linux platforms.
Windows OS level:
- Core System Files (Windows 2008) v1. Detects changes in Windows Server 2008 system files, including installers, system settings, core applications, diagnostic files, boot files, and others.
- Core System Files (Windows 2012) v1. Detects changes in Windows Server 2012 system files, including installers, system settings, core applications, diagnostic files, boot files, and others.
- Core Registry Keys (Windows 2008) v1. Detects changes in Windows Server 2008 registry keys related to security settings, including network, user behavior, administration, audit, and others.
- Core Registry Keys (Windows 2012) v1. Detects changes in Windows Server 2012 registry keys related to security settings, including network, user behavior, administration, audit, and others.
Windows application level:
- Microsoft IIS7.5 or 8 (Windows 2008 or 2012) v1. Four policies detect changes in Microsoft Internet Information Server 7.5 or 8 on Windows Server 2008 R2 or 2012.
- Microsoft SQL Server (Windows 2008 or 2012) v1. Two policies detect changes in Microsoft SQL Server 2008 R2 or 2012 installations.
- WordPress (Windows) v1. Detects changes to sensitive WordPress files and directories on Linux platforms.
Creating a File Integrity Policy
To create a new file integrity policy from scratch:
- Navigate to Policies > File Integrity Policies to display the active File Integrity Policies list.
- Click Add New File Integrity Policy. The Add New File Integrity Policy page appears.
- Give the policy a name and optionally add a description.
- Click Add Target to start specifying the policy's targets. Enter paths to one or more target files or directories (or Registry keys on Windows) that should be monitored; see Specifying Targets, below.
- For each target, specify values for its flags; see Configuring the Targets, below.
- When you are finished, click Save. The policy appears on its own page, along with a caution that the policy will remain inactive until you perform a baseline scan.
- Click Add Baseline and then Request Baseline to run a baseline scan immediately: see Specifying a Baseline Server and Running a Baseline Scan, below.
- Click Return to Policy List to return to the File Integrity Policies list.
Note: If you do not perform a baseline scan at this time, you can do it later by returning to the File Integrity Policies list, clicking Actions in the row for this policy, and selecting Baseline.
A file integrity policy includes a list of target objects to be monitored for changes. When creating or editing a policy, use the Add Target link or the Delete icon to add or remove targets. Optionally provide a description for each target.
The following are the kinds of target objects you can specify, and the kinds of changes to each that a scan can detect.
| File type            | Added/Deleted | Content | Metadata | Target path |
|----------------------|---------------|---------|----------|-------------|
| Text or binary file  | Yes           | Yes     | Yes      |             |
| Windows Registry key | Yes           | Yes     | Yes      |             |

1. See note (below)
Note: For devices and special files (such as named pipes), only additions, deletions, and metadata changes are detected.
Note: For symbolic links, changes to the target specification are also detected—although changes to the target file itself are not detected.
Here are some examples of targets:
- Individual binary or text files. For example:
%SYSTEMDRIVE%\Program Files\WinZip\WINZIP64.EXE (system environment variables supported)
Important: In Windows, the names of all target files (except symbolic links) must include the file extension.
- Directories and their contained objects (at top-level only if non-recursive, at all levels if recursive).
/bin (objects in the /
/etc (objects in /
C:\Windows\System32 (objects in the
System subfolder of the
C:\Program Files\ (objects in the
- Windows Registry keys (on Windows only):
When Halo performs a baseline scan using the target expressions in the policy, it creates a checksum (signature) for each text or binary file and records it, along with the directory in which the file was found. For all scanned objects, Halo records values for the following metadata:
Subsequent scans will then detect whether the content of any of the files has been altered, whether any object has been deleted from or added to any monitored directory, and whether any critical metadata (owners or permissions) has changed. Any of those changes are reported as issues in the scan results and as security events.
Limitations on targets and scans
- Halo cannot scan more than 20,000 objects per server, and it does not analyze individual files of 1 GB or larger. This also means that a file integrity baseline cannot contain more than 20,000 objects.
- A file integrity scan will not return more than 10,000 failed objects per scan per server. In the event of a catastrophic scan in which more than 10,000 scanned objects fail, only the first 10,000 will be returned.
- Halo will not scan a target that is the directory /proc or any of its contents.
- Using the CloudPassage API to create a file-integrity policy with more than a thousand defined targets might result in (1) a timeout failure of the API method that creates the policy, (2) a failure of the baseline scan to complete, or (3) severe slowdown of the Portal UI when trying to display the policy.
For best performance, CloudPassage recommends that you use recursion (with exclusions and inclusions as needed) to scan up to thousands of objects, while keeping the number of defined targets (that is, lines in the policy) below a thousand.
- CloudPassage recommends that you do not scan files that change often, such as log files, active database data files, and email files.
Configuring the Targets
Every target in a file integrity policy has three associated flags that control recursion and event-related features:
- Recurse. Select or clear the checkbox to enable or disable recursive scanning of a directory target. A recursive target includes all subdirectories at all levels within the target directory (unless you have defined exclusions for the target). A non-recursive target includes only the objects at the top level of the directory. (Default = non-recursive.)
- Prelink. [Linux only] If this rule's target may include binary files (specifically, shared libraries in ELF format), and if pre-linking may be enabled for those files, select this checkbox. If it is selected, Halo accounts for pre-linking whenever it scans a shared library within the scope of this target. Do not select the Prelink checkbox if this target contains no ELF libraries or if pre-linking is disabled.
- Active. Select this checkbox to include this target in future scans. Deselect it to temporarily disable this target, without actually removing it from the policy. (Default = active.)
Important: When creating or editing a file integrity policy, always leave at least one target active. You cannot save a policy that has no active targets.
- Critical. Select this checkbox to specify that changes to this target should be flagged as critical. (Default = non-critical.)
Critical events are flagged with a special icon on the scan results page and on the Security Events History page, and you can sort the list to make those events appear at the top.
- Alert. Select this checkbox to specify that, if any changes are detected in this target, an email notification should be sent to the users specified in the alert profile(s) of the server group to which this policy is assigned. (Default = no alert sent.)
Hint: Because a scan group can have more than one alert profile, you can for example configure Halo to send critical events to a different set of administrators than non-critical events.
Using Patterns to Create Inclusions and Exclusions
If a target in your policy is a directory, by default Halo scans all monitored objects within that directory (and all of its subdirectories, if the Recurse checkbox is selected). You can refine the set of objects scanned for that target in two ways—either by specifying that only certain objects can be included in the scan, or by specifying that certain objects must be excluded from the scan.
Both inclusions and exclusions are defined as search-string patterns. If the pattern matches the name of any monitored object within the target, that object is scanned if the pattern is an inclusion, and not scanned if the pattern is an exclusion.
Patterns can have wildcards. Two wildcards are supported: * (representing zero or more of any characters) and ? (representing exactly one of any character). Thus, for example, the pattern logs will match any file or directory named exactly logs (case-sensitively on Linux, case-insensitively on Windows); and the pattern *.log will match any file whose filename extension is
Defining an Inclusion
To make sure that your scans include just a certain set of objects within your target, specify as the inclusion a search pattern that will match all objects in the set but no others. For example, if you are interested in scanning only executable files and code libraries within a particular target directory on Windows, you can specify *.dll as two inclusions.
To add an inclusion to your file integrity policy, click the Add Pattern link for the target directory, then move the slider to read "Include". Enter a string or pattern representing the inclusion. You can add any number of inclusions to a target.
Defining an Exclusion
To avoid scanning a certain set of objects within your target, specify as the exclusion a search pattern that will match all objects in the set but no others. For example, if you do not wish to scan PDF files within a particular target directory, specify
To add an exclusion to your file integrity policy, click the Add Pattern link for the target directory, then move the slider to read "Exclude". Enter a string or pattern representing the exclusion. You can add any number of exclusions to a target.
Mixing Exclusions and Inclusions in the Same Target
You might not often mix inclusions and exclusions in the same target, but it is possible to do so. To understand how they will interact, keep in mind that exclusions take precedence. For example:
- With multiple exclusions in a target, an object that matches any of them is excluded.
- With multiple inclusions in a target, an object that matches any of them is included.
- With both exclusions and inclusions in a target, an object that matches both an inclusion and an exclusion is excluded. For example, within a target directory, you can include the bin subdirectory but still exclude all files in that subdirectory with the extension
Note that the inverse is not possible; an inclusion within an exclusion is still excluded. For example, if the bin directory is excluded, and .txt files are included, any bin will not be scanned.
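The precedence rules above, worked through in an added Python example (this is not Halo's code or its matching engine). It assumes shell-style matching of each pattern against single path components, so that including a subdirectory name covers everything beneath it and excluding one hides everything beneath it; the Target model and sample paths are constructed for the example.

```python
import fnmatch
import posixpath
from dataclasses import dataclass, field
from typing import List


@dataclass
class Target:
    """One directory target of a file integrity policy (hypothetical model)."""
    path: str                    # directory being monitored, POSIX-style separators
    recurse: bool = False        # the Recurse flag (default = non-recursive)
    inclusions: List[str] = field(default_factory=list)
    exclusions: List[str] = field(default_factory=list)
    case_sensitive: bool = True  # Linux matches case-sensitively, Windows does not


def _matches_any(name: str, patterns: List[str], case_sensitive: bool) -> bool:
    """True if a single path component matches any pattern ('*' and '?' wildcards)."""
    if not case_sensitive:
        name = name.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def in_scope(target: Target, obj_path: str) -> bool:
    """Decide whether one object under the target directory is scanned.

    Rules modelled from the text:
      - a non-recursive target covers only top-level objects;
      - exclusions take precedence: an object matching any exclusion, or lying
        below a directory that matches one, is not scanned;
      - when inclusions exist, the object or one of its ancestors must match one.
    Applying patterns to every component of the relative path (so that including
    'bin' covers everything under bin) is an assumption of this example.
    """
    rel = posixpath.relpath(obj_path, target.path)
    if rel == "." or rel.startswith(".."):
        return False                      # the target itself, or not under it
    parts = rel.split("/")
    if not target.recurse and len(parts) > 1:
        return False                      # subdirectory contents need Recurse
    if any(_matches_any(p, target.exclusions, target.case_sensitive) for p in parts):
        return False                      # exclusions win, at any depth
    if not target.inclusions:
        return True                       # no inclusions: everything else is scanned
    return any(_matches_any(p, target.inclusions, target.case_sensitive) for p in parts)


def scanned_objects(target: Target, candidates: List[str]) -> List[str]:
    """Filter candidate paths (e.g. from a directory walk) down to those scanned."""
    return [p for p in candidates if in_scope(target, p)]


if __name__ == "__main__":
    # Constructed sample: include the bin subdirectory but never scan *.bak files.
    t = Target("/opt/app", recurse=True, inclusions=["bin"], exclusions=["*.bak"])
    walk = ["/opt/app/bin/server", "/opt/app/bin/server.bak", "/opt/app/lib/libx.so"]
    print(scanned_objects(t, walk))       # ['/opt/app/bin/server']
```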
Specifying a Baseline Server and Running a Baseline Scan
Before you can use a file integrity policy or assign it to a server group, you need to run a baseline scan on it. To do that, you need to assign a baseline server to the policy.
Also, you will need to re-run a baseline scan whenever you make changes to the baseline server's target objects, or the policy that the baseline server is assigned to.
A baseline server represents the golden master—the canonical, correctly configured, clean system of the server group that you will assign the policy to. The baseline server could be one of the servers in that server group, or it could be a server set up solely as a template for the correct configuration of that type of server.
The baseline scan is run only on the baseline server; subsequent monitoring scans are run on all the servers of the policy's server group. Therefore, the structure and content of all servers in the group should in general be identical to the baseline server—at least for the specific file targets defined in the policy. (Exceptions to this are possible; see Using Multiple Baselines.)
Immediately after saving a new file integrity policy or saving changes to an existing one, you are prompted to request a baseline scan. You can do it then, or you can later navigate to the File Integrity Policies list and select that policy. Then do this:
- Click the Add Baseline button (if you are on the File Integrity Policy page), or choose Baseline from the Action dropdown list in the line for that policy (if you are on the File Integrity Policies list).
- In the Select Baseline Server dialog box, use the dropdown list to choose the server that you want as the baseline. The list includes all of your currently online servers that have an installed Halo agent and are of the same general operating system (Linux or Windows) as your policy.
Select the lifetime of the baseline scan (the number of days before it expires), and optionally add a comment about this baseline server.
- Click Request Baseline to start the baseline scan.
Note: Depending on the number and size of the targets in your policy, running a baseline scan can take several minutes or longer.
When the scan is finished, a "File Integrity baseline" event appears on the Security Events History page, and information about the scan appears in the Baselines area of the File Integrity Policy page.
Once the baseline scan is complete and shows a status of Active, you can assign the policy to a server group and start running file integrity scans.
Viewing Baseline Reports
Every time you run a baseline scan, Halo generates a report listing all of the target elements that were scanned on the baseline server. You can access that report at any time, to verify that your file integrity policy correctly specifies all the targets that you want to scan, and that your baseline server contains all of those targets.
- To view a baseline report, click Actions for a given baseline server in the Baseline area of the File Integrity Policy page.
- Select Details from the drop-down list. The File Integrity Baseline Results page appears, displaying at the top of the page the baseline's policy, the baseline server's name, the date of the baseline scan, and the total number of objects scanned for the baseline.
IMPORTANT: A baseline cannot contain more than 20,000 objects. Halo will invalidate a baseline scan that would return more than 20,000 objects.
For each top-level target in your policy, the baseline report displays:
- The target path, the inclusions and exclusions defined for the target, and the total number of objects scanned within the target.
- A line of information for each individual scanned element or sub-element of that target. The information includes the full path and type (directory, file, or link) of the element, plus its metadata and its cryptographic signature (or target value, if it is a link).
The report includes one table for each top-level directory target specified in the policy. For example, if the policy contains target paths starting with /bin, /etc, and /usr, the report will include three tables of scanned elements.
- Examine the pathnames and metadata in the report to satisfy yourself that the file integrity policy specifies the appropriate elements for ensuring the integrity of critical files, and that it does not waste time scanning unimportant elements. If necessary, refine the policy by modifying targets and inclusions/exclusions.
Using Multiple Baselines
In some situations a server group consists of servers that are similar but not in all cases identical. For example, patch levels or application versions might vary slightly among the servers. To help you handle that situation without fragmenting your server groups, Halo allows you to define several baseline servers for a single group. The baseline servers together must cover all acceptable configurations of the group's servers.
When you run a file integrity scan on a server group with multiple baselines, each target object's signature and metadata are compared with the signatures and metadata of that object on each of the baseline servers—and if a match occurs with any of them, the target rule is matched. Specifically:
- For a changed object, if none of the baselines matches the target object, it is considered a violation and a security event is triggered.
- For a deleted object, if all of the baselines contain the target object and the scanned server does not, it is considered a violation and a security event is triggered.
- For an added object, if none of the baselines contains the target object and the scanned server does, it is considered a violation and a security event is triggered.
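The three comparison rules above, together with the signature-plus-metadata records that a baseline scan stores, as an added Python example (this is not Halo's code). It assumes SHA-256 content signatures and owner/mode metadata, and the inventories for two baseline servers at different patch levels and one scanned server are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    """What a baseline scan records per object: content signature plus metadata.
    Directories, devices and special files carry metadata only (sha256 is None)."""
    sha256: Optional[str]
    owner: str
    mode: int


def signature(content: bytes) -> str:
    """Content checksum of the kind stored for a text or binary file (SHA-256 assumed)."""
    return hashlib.sha256(content).hexdigest()


def compare(scanned: Dict[str, Record],
            baselines: List[Dict[str, Record]]) -> List[Tuple[str, str]]:
    """Check one scanned server against every baseline and return (path, kind) violations.

    changed: object exists in some baseline but its record matches NONE of them
    deleted: object is absent from the scanned server but present in ALL baselines
    added:   object is present on the scanned server but in NONE of the baselines
    """
    violations: List[Tuple[str, str]] = []
    all_paths = set(scanned)
    for b in baselines:
        all_paths |= set(b)
    for path in sorted(all_paths):
        in_baselines = [b[path] for b in baselines if path in b]
        if path in scanned:
            if not in_baselines:
                violations.append((path, "added"))
            elif scanned[path] not in in_baselines:   # no baseline matches
                violations.append((path, "changed"))
        elif len(in_baselines) == len(baselines):      # every baseline has it
            violations.append((path, "deleted"))
    return violations


def demo() -> List[Tuple[str, str]]:
    """Constructed inventories: two baselines differ only in the sshd build."""
    base_a = {
        "/usr/sbin/sshd": Record(signature(b"sshd build 1"), "root", 0o755),
        "/etc/passwd": Record(signature(b"root:x:0:0"), "root", 0o644),
        "/etc/legacy.conf": Record(signature(b"old"), "root", 0o644),
    }
    base_b = {
        "/usr/sbin/sshd": Record(signature(b"sshd build 2"), "root", 0o755),
        "/etc/passwd": Record(signature(b"root:x:0:0"), "root", 0o644),
    }
    scanned = {
        # matches baseline B, so no event even though it differs from baseline A
        "/usr/sbin/sshd": Record(signature(b"sshd build 2"), "root", 0o755),
        # same content, but the setuid bit was added: metadata change -> "changed"
        "/etc/passwd": Record(signature(b"root:x:0:0"), "root", 0o4644),
        # present in no baseline -> "added"
        "/usr/local/bin/helper": Record(signature(b"new"), "root", 0o755),
        # /etc/legacy.conf is missing here, but only baseline A has it -> no event
    }
    return compare(scanned, [base_a, base_b])


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:8} {path}")
```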
Specifying additional baseline servers for a file integrity policy is as simple as specifying the first one. On the File Integrity Policy page, click Add Baseline, choose an expiration time, and select the server to be the baseline. After you click Request Baseline to perform the baseline scan, the new server appears in the policy's list of baseline servers.
If you make any changes to your file integrity policy, all baselines in effect at that time become invalid. You will need to re-baseline all invalid baseline servers before you will be able to run a file integrity scan with that policy.
Assigning a Policy to a Server Group
You need to assign your file integrity policy to a server group before you can use it. Note that a policy can apply to more than one server group, and a server group can have more than one policy.
- In the Halo Portal, display any server view in the Dashboard. For example, navigate to Servers > File Integrity Monitoring.
- In the list of server groups, click the name of the group to assign the policy to, then click Edit Details below the group name.
- In the Edit Group Details dialog box, select the policy's name from the File Integrity Policies dropdown list. The policy is added to the group.
(You may also add other file integrity policies to the group.)
- Click Save to commit your assignment and return to the server view.
Re-Baselining a Policy
Whenever you alter the targets in a policy, or whenever changes, additions, or deletions are made to the scanned files in that policy's server group, you must re-run a baseline scan for that policy.
To re-run a baseline scan:
- Open the File Integrity Policy page for the policy that you want to re-baseline.
- In the Baselines area, click the Action button in the row for the baseline that you want to re-run, and select Re-baseline.
Note: Whenever you re-baseline a policy, you have the opportunity to assign a different baseline server.
A success message is displayed, meaning that the policy's baseline server is being re-scanned. When the process is finished, a "File Integrity baseline" event is created and is visible on the Security Events History page.
Administering File Integrity Policies
The Halo Portal helps you with day-to-day administration of your file integrity policies.
Note: All administrative actions on file integrity policies are audited. You can view them on the Security Events History page and retrieve them through the Events portion of the CloudPassage API.
Exporting or Importing a Policy
The import/export capability of file integrity monitoring gives you a convenient method for sharing your policies with other users or distributing them to remote locations.
Exported policies are saved as JSON-formatted text files that the Halo Portal can directly read and import.
To export a file integrity policy:
- Go to Policies > File Integrity Policies.
- In the list of policies, find the name of the policy that you want to export.
- In the Actions drop-down menu for that policy, click Export.
- On the Save dialog box, note the name of the exported policy file (extension = .fim.json), select Save File, click OK, and specify a location to save the file to.
The exported policy is saved to the location you specified. It can be viewed in any text editor and imported into Halo through the Portal.
To import a file integrity policy:
- Go to Policies > File Integrity Policies.
- Above the list of policies, click Import File Integrity Policy.
- On the Import page, browse to select a file integrity policy file (extension = .fim.json), and then click Import.
The imported policy appears in the list of policies on the File Integrity Policies page.
Editing a Policy
To make changes to a file integrity policy:
- Open the active File Integrity Policy list.
- Click a policy in the list. The File Integrity Policy page for that policy appears.
- Click Edit. The editable version of the policy page appears.
- Edit the policy name, description, targets, or flags, as needed.
- Click Save to commit your edits and return to the File Integrity Policy page.
Note: If you have changed the targets in any way, you are prompted to re-run a baseline scan.
To perform a new baseline scan with the modified policy, select Rebaseline from the Actions menu for a baseline on the File Integrity Policy page.
Retiring a Policy
When you are no longer using a file integrity policy, you can retire it.
- Open the Active File Integrity Policy list, by navigating to Policies > File Integrity Policies.
- Click Actions in the row for the policy you want to retire, and select Retire from the drop-down list.
The policy is moved from the Active File Integrity Policy list to the Retired File Integrity Policy list.
Unretiring a Policy
If you want to restore a retired policy to active status, you can unretire it.
- Open the Retired File Integrity Policy list, by navigating to Policies > File Integrity Policies and clicking Retired Policies.
- Click Actions in the row for the policy you want to re-activate, and select Unretire from the list.
The policy is removed from the Retired File Integrity Policy list, and is restored to the Active File Integrity Policy list.
Note: Unretiring a policy does not re-assign it to the server groups it used to apply to. You must make those assignments manually once the policy is active.