Optum/FileIntegrityMonitor

File Integrity Monitoring

Compliance based File Integrity Monitoring solution for Windows and Unix Servers.

Summary

This repo contains an overview along with steps to set up File Integrity Monitoring on Windows and Unix servers. The script performs compliance auditing for application files and detects whether files have been added, removed, or changed. Integrity Monitoring is done from a remote server that application developers/ops engineers do not have access to, so that the monitor cannot be disabled by those who might also be able to alter application files. This script is set up to use services such as Interlink, ServiceNow, Grafana, Windows Task Scheduler, and Cron, but these can be replaced by any other tools or scheduling systems preferred by the customer.

Users are only required to update the JSON config file with the attributes mentioned below.

Solution Details

The File Integrity Monitoring package consists of following files:

  • fimon.ps1 / fimon.sh - Script with state based embedded webhooks to Interlink along with ServiceNow Notify and Auto-Ticketing. It also generates an alert (normal or warning) and specifies the folder containing the results in the message text. (The results cannot be attached to the alert or included in the message text due to limitations). This script has the ability to run in Active/Active mode from various servers and still only produce 1 alert notification.
  • fimon_config.json - JSON file based on an opt-in model to monitor only the key File Shares in scope for integrity monitoring. Users also have the option to exclude certain filetypes from the audit as needed.
  • fimon_main.bat / fimon_main.sh - The main script that calls the fimon.ps1 / fimon.sh script with command line arguments. The scheduler runs this file daily at a set time. (The script can't be run directly from Task Scheduler or Cron as there are limitations with passing command line arguments.)
  • fimon_scheduler.xml - Windows Task Scheduler schema file that makes the script run daily at a set time.

Results Package

  • fimon_<datetime>.zip - The folder containing supporting files for each integrity check that are generated by the main script. The folder contains a copy of the config file as well as the following additional files:
    • fimon.out - File documenting the results of the audit. Errors or failures are logged to this file.
    • fimon_baseline.json - Baseline file with checksum values which the audit is performed against. This file is what determines if the integrity check fails or succeeds.
    • fimon_config.json - copy of the JSON config file used for the integrity check, kept for reference in case of failures.
    • fimon_exclusions.csv - File containing a list of all the File Shares that were excluded from the audit, if any.
    • fimon_violations.csv - File containing a list of File Shares that did not meet the Integrity Monitoring standards, if any.

Audit Outcome Values

  • UNABLE TO ACCESS TARGET: In case of this result, please verify that the credentials to access the File Share are correct and/or check that the directory is still valid.
  • CHANGED: This result occurs when the files have been changed since the last audit.
  • MISSING: This result indicates that files are missing when compared against the Baseline File created during the previous audit.
  • NEW: This indicates that there were new files added to the File Share locations in scope for auditing.
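Added example, not the repository's fimon.sh: a POSIX shell sketch of the baseline-and-audit loop the package describes, producing the four outcomes above from a checksum baseline (a plain sha256sum listing standing in for fimon_baseline.json) while honouring the "*.FILE_TYPE" exclusion globs of fimon_config.json. It assumes GNU coreutils (find, sha256sum, mktemp) and target paths without whitespace; fim_snapshot, fim_audit, fim_check and fim_demo are names chosen here.

```shell
# Snapshot every regular file under a target as "sha256  path", skipping names
# that match any exclude glob (the "*.FILE_TYPE" entries of fimon_config.json).
fim_snapshot() {
  target="$1"; shift
  find "$target" -type f | LC_ALL=C sort | while IFS= read -r f; do
    skip=0
    for g in "$@"; do
      case "${f##*/}" in $g) skip=1 ;; esac
    done
    if [ "$skip" -eq 0 ]; then sha256sum "$f"; fi
  done
}

# Compare baseline ($1) with a fresh snapshot ($2); print one outcome per file.
# Files are keyed by path, so a hash mismatch is CHANGED, not MISSING plus NEW.
fim_audit() {
  awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
       { cur[$2] = $1 }
       END {
         for (p in base) if (!(p in cur)) print "MISSING " p
         for (p in cur) {
           if (!(p in base)) print "NEW " p
           else if (cur[p] != base[p]) print "CHANGED " p
         }
       }' "$1" "$2" | LC_ALL=C sort
}

# One audit run: baseline file, target directory, then exclude globs.
# An absent or unreadable target is reported as such, not as MISSING files.
fim_check() {
  baseline="$1"; target="$2"; shift 2
  if [ ! -d "$target" ] || [ ! -r "$target" ]; then
    echo "UNABLE TO ACCESS TARGET $target"; return 2
  fi
  snap=$(mktemp)
  fim_snapshot "$target" "$@" > "$snap"
  fim_audit "$baseline" "$snap"; rm -f "$snap"
}
# Constructed sample run: take a baseline, then change, delete and add files.
fim_demo() {
  work=$(mktemp -d); mkdir -p "$work/share"
  printf 'v1\n' > "$work/share/app.dll"
  printf 'v1\n' > "$work/share/old.cfg"
  printf 'x\n' > "$work/share/debug.log"              # excluded by *.log
  fim_snapshot "$work/share" '*.log' > "$work/fimon_baseline.txt"
  printf 'v2\n' > "$work/share/app.dll"               # CHANGED
  rm "$work/share/old.cfg"                            # MISSING
  printf 'new\n' > "$work/share/added.dll"            # NEW
  fim_check "$work/fimon_baseline.txt" "$work/share" '*.log'
  rm -rf "$work"
}
```

Each outcome line corresponds to one row the package would write to fimon_violations.csv; a non-zero return from fim_check is the "UNABLE TO ACCESS TARGET" case.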

Sample fimon_config.json file

{
    "application": "FORMAL_APP_NAME",
    "severity": "warning",
    "autoincident": "false",
    "workgroup": "CHANGE_MGMT_SUPPORT_WORKGROUP",
    "core_api_token_key": "CORE_API_TOKEN_KEY",
    "core_api_token_value": "CORE_API_TOKEN_VALUE",
    "core_endpoint": "CORE_API_ENDPOINT",
    "is_dmz": "false",
    "dmz_endpoint": "EXT_API_ENDPOINT",
    "is_external": "false",
    "ext_endpoint": "EXT_API_ENDPOINT",
    "ext_api_token_key": "EXT_API_TOKEN_KEY",
    "ext_api_token_value": "EXT_API_TOKEN_VALUE",
    "ext_oauth_token": "EXT_OAUTH_TOKEN",
    "event_query": "GET_QUERY_TO_CHECK_IF_API_CALL_SUCCEEDED",
    "event_oauth_token": "EVENT_MGMT_TOOL_OAUTH_TOKEN",
    "telemetry_token": "TELEMETRY_INGRESSION_TOKEN",
    "telemetry_endpoint": "TELEMETRY_INGRESSION_API_ENDPOINT",
    "continuous_change": "false",
    "results": "RESULTS_FOLDER_PATH",
    "targets": [
        "FILE_SHARE1",
        "FILE_SHARE2",
        "FILE_SHARE3"
    ],
    "exclude": [
        "*.FILE_TYPE",
        "*.FILE_TYPE",
        "*.FILE_TYPE*"
    ]
}

JSON attribute reference guide

  • application: Identifies formal Application Name or Supporting Infrastructure service which is used for consuming ServiceNow notifications. (Mandatory)
  • severity: Severity of the event. Example values: Normal, Warning, Minor, Major, Critical. (Mandatory)
  • autoincident: Set flag to true to generate a ServiceNow ticket, false will generate a ServiceNow notification email, page, etc.
    • workgroup: ServiceNow workgroup to assign the Incident to. (Mandatory only if autoincident is true)
  • is_dmz: Set flag to true means the server is in the DMZ and will use our DMZ API, false will use our internal Interlink API.
  • is_external: Set flag to true means the server is external and will use our external API, false will use our internal Interlink API.
  • continuous_change: Set the flag to true if you want to be alerted when files are not continuously changing; false will alert only when files are changing.
  • results: Shared folder location where results will be stored. Shared folder directories have larger space and therefore will be able to store results for longer periods of time.
  • targets: List of File Shares in scope for auditing. Add each unique directory in a new line like shown in the example above. (Mandatory)
  • exclude: List of filetypes that are to be excluded from the audit. Add each unique filetype in a new line like shown in the example above.

Steps to create a File Integrity Monitor

  • Obtain a dedicated auditing Windows or Unix server to run the File Integrity solution on. Validate that your credentials have access to all the File Shares defined in fimon_config.json.
  • Having sudo access will simplify the on-boarding process and help manage cron schedules for Unix.
  • Clone this repo via Git commands or by downloading the zip folder and save it to your working directory.
  • Navigate to the fimon folder and update the fimon_config.json file with the configurations for monitoring using the JSON attribute reference guide.

Testing the Monitor

  • Manipulate the values in the fimon_config.json file as desired for testing.
  • On Windows, open a PowerShell IDE as the user whose credentials were validated above.
  • Open a terminal window in the fimon directory and run the fimon_main file.

Running the Monitor

  • Windows:
    • Create a monitoring task using Windows Task Scheduler with the credentials validated above. Note: Make sure to manually update Task Scheduler if the credentials change.
    • Import the fimon_scheduler.xml file to Windows Task Scheduler and update the values according to your monitoring needs.
  • Unix:
    • Schedule a cron job according to your monitoring needs: sudo crontab -e
    • To run the script every 5 minutes, use the following format: */5 * * * * ./fimon_main.sh > ./cron.out 2> ./cron.err

The path in the cron line assumes the default directory the package is downloaded to. Update the directory/location in the cron line if you have downloaded the package elsewhere.
