Monitoring Server File Integrity With CloudPassage Halo

Transcription

1 Contents: Monitoring Server File Integrity With CloudPassage Halo How File Integrity Monitoring Works Run a File Integrity Scan 1. Define a Server Group to Scan 2. Create or Clone a File Integrity Policy 3. Specify a Baseline Server and Run a Baseline Scan 4. Assign the Policy to a Server Group 5. Execute an Automatic or Manual Scan Manage Ongoing Scans and Alerts View and Act on Scan Results Respond to Alerts Re-Baseline a Policy Administer File Integrity Policies Use the File Integrity Monitoring API Appendix: Task Details Specifying File Integrity Monitoring Settings Cloning a Policy Template Creating a File Integrity Policy Specifying a Baseline Server and Running a Baseline Scan Assigning a Policy to a Server Group Manually Running a Monitoring Scan Viewing Scan Results Acting on a Violation Responding to Alerts Re-Baselining a Policy Administering File Integrity Policies 1

2 How File Integrity Monitoring Works File integrity monitoring is a feature of CloudPassage Halo that protects the integrity of system and application software on your Linux cloud servers. It regularly monitors your servers for unauthorized or malicious changes to important system binaries and configuration files. Implementing file integrity monitoring can help you to Detect unauthorized intrusions into any of your cloud servers. Comply with mandates and standards such as PCI DSS, HIPAA, SOX, CSA, and SANS. Detect and repair tampering with your servers' system or application code. Halo accomplishes file integrity monitoring by first saving a baseline record of the "clean" state of your server systems. It then periodically re-scans each server instance and compares the results to that baseline. Any differences detected are logged and reported to the appropriate administrators. The elements that make up the baseline include (1) cryptographic checksums (signatures) and standard metadata for all files being monitored, and (2) standard metadata for files without content (such as directories and symlinks). If later scans reveal that a file's checksum or metadata has changed, a security event is generated. An administrator can inspect the metadata or the file itself on the server involved to understand the nature of the change. Halo file integrity monitoring is available to users with a Halo Professional subscription package. The feature involves these components and actions: File integrity policy. A security administrator uses the Halo Portal to configure File Integrity Monitoring and to create a file integrity policy - essentially a list of paths to target objects (files and directories) to be monitored for changes. Baseline server and baseline scan. The administrator associates the policy with a baseline server a server that represents the canonical, correctly configured, clean file structure of the cloud servers that will be scanned. Halo performs a baseline scan of this server, extracting and saving the cryptographic checksums (SHA-256 hash values) and metadata for all targeted objects on the baseline server. Halo then saves those baseline signatures and metadata for the policy. Note: Halo allows you to define multiple baseline servers for a single policy, when the servers you need to scan are not all exactly identical. 2

3 Server group. The administrator uses the Halo Portal to assign the policy to a server group an administrator-defined collection of servers that are identical to the baseline server in terms of system structure and configuration, at least for the targets specified in the policy. Monitoring scans. At a frequency determined by the administrator, Halo automatically runs monitoring scans of all servers in the group, including servers that come online automatically through cloning or cloudbursting. The Halo Daemon running on each server collects metadata and computes hashes of each targeted object on the server and sends them to the Halo Grid, which compares them with the baseline information, and reports any differences found to the Halo Portal. Modifications, deletions, or additions of files or directories as well as changes to metadata are all detected. Security events and alerts. Halo records information on any detected changes as scan results, and also as security events. Administrators can view and act on those results and events in the Halo Portal. Administrators may also receive alerts triggered by designated high-priority events. Run a File Integrity Scan Getting your implementation of File Integrity Monitoring up and running involves creating a file integrity policy, setting up and scanning a baseline server or servers, and assigning the policy to a server group in your cloud. 1 Define a Server Group to Scan If you have not already installed Halo Daemons on your servers and organized them into groups along functional and architectural lines, do so now. 1. Install Halo Daemons on a set of similar servers that you wish to monitor for file integrity. For detailed instructions, log into the Halo Portal and go to the Install Linux Daemons page. Choose servers that all share the same operating system and basic applications, so that the same configuration security policy (or policies) can apply to all of them. For example, all Debian/Ubuntu web servers that use Apache could be in the same server group. Likewise, all 3

4 Red Hat Enterprise, CentOS, or Fedora database servers that use MySQL could be in another group. 2. Use the Halo Portal UI to create a named server group. Then add that set of servers to the group. See Create Server Groups for detailed steps. 2 Create or Clone a File Integrity Policy A file integrity policy is a list of targets to be monitored for changes, plus flags that specify how Halo should treat each target. To create your policy, you can customize a policy template provided with Halo (see Cloning a Policy Template), you can import a policy exported by another Halo user (see Exporting or importing a Policy), or you can create a policy from scratch. To create or customize your policy, you'll need to know which files you want to monitor, which policy violations (changes to target files) should be considered critical, and which should generate alerts to an administrator. To create a new policy, go to Policies > File Integrity Policies In the Halo Portal and fill out the Add New File Integrity Policy form: As targets, you can specify individual files, directories, symbolic links, devices and special files (such as named pipes). If you specify a directory, you can make the scan recursive (files and subdirectories at all levels within the directory are scanned) or non-recursive (only files at the uppermost level within the directory are scanned). Also, within a directory target, you can exclude specified files or subdirectories from being scanned. If you need more detailed instructions, see Creating a File Integrity Policy. For a list of restrictions on allowable targets in a policy and allowable kinds of information to scan, see Limitations on Targets and Scans. 3 Specify a Baseline Server and Run a Baseline Scan Every file integrity policy needs to be associated with a specific server that functions as the golden master the template for all of the servers that will be scanned using that policy. The golden master needs to contain known good versions of all of the targets specified in the policy. You can pick an existing cloud server or you can set up a special server, either local or in the cloud; it 4

5 needs to be correctly configured, clean, and up-to-date. You normally assign the baseline server to the policy immediately after saving the policy. When you click the Baseline button on the policy's page in the Halo Portal, you are asked to select the server. As soon as you have done that, the baseline scan runs. When it finishes, your policy is complete. Note: Depending on your server configurations, you may wish to specify multiple baseline servers for a single policy. See Using Multiple Baselines. Before you run a baseline scan, you can optionally give it an expiration date. After you run the scan, you can inspect the baseline report to verify that no targets were missed. If you need more detailed instructions about baselines, see Specifying a Baseline Server and Running a Baseline Scan. 4 Assign the Policy to a Server Group The last step in preparing to run file integrity scans is to assign your policy to the server group that you created in Step 1. Naturally, all the servers in the group must match the policy's baseline server (or servers) at least in the portions of server structure and content that will be scanned. Go to the Edit Details page for that group to make the assignment. If you need more detailed instructions, see Assigning a Policy to a Server Group. Note: At this point, you can just wait for the next scheduled file integrity scan, or you can manually invoke a scan of the server group, as described next. 5 Execute an Automatic or Manual Scan Set up auto-scanning (optional): You can conduct file integrity scans manually or automatically. For automatic scans, decide whether and how frequently you want to conduct them. Then go to Settings > File Integrity Monitoring in the Halo Portal to enable automatic scanning and to set a scan frequency in the range of hourly to daily. Leave the Execute scan on daemon's start checkbox selected for now. If you need more detailed instructions, see Specifying File Integrity Monitoring Settings. Now, just wait for the next scheduled scan to occur. Note that only servers in groups that have an assigned configuration policy are scanned at each automatic scan. Select servers and run a manual scan: For a manual scan, you can choose to scan all of your servers, or one server group, or a subset of the servers in a server group. Click the Integrity icon ( ) on the Halo Dashboard and then select All Servers or some other server group. Use the checkboxes to select all servers in the group or one or more individual servers. Then choose Launch Scan from the Actions menu to run the scan. 5

6 Manage Ongoing Scans and Alerts Once you have run the baseline scan for a policy, assigned the policy to a server group, and then automatically or manually scanned your servers, you can view the results to address security events and alerts, and to manage updates to file integrity settings and policies. View and Act on Scan Results Halo records all changes to policy-defined target files that it finds during monitoring scans. If you are an administrator assigned to addressing file integrity policy violations, you can view them either of these ways: As scan results on an individual server's File Integrity Scan Results page. On the Halo Dashboard, click the File Integrity icon, select the server group that was scanned, then click the name of the server whose results you want to see. As security events on the Halo Portal's Security Events History page. Go to Servers > Security Events History and apply one or more of the following event-type search filters: File Integrity object added, File Integrity object missing, and File Integrity object signature changed. 6

7 The results displayed for each violation or event include a flag if the event is critical, the date/time of its occurrence, and various event details. Click More details to see both the original baseline metadata and the current metadata for the changed file or directory. To act on any of the file integrity events: 1. Verify the event's validity by inspecting the file or directory involved, and perform any required remediation on it (delete a rogue file, replace a missing or altered file, and so on). 2. Specify the ongoing status and visibility of the event in the Halo Portal. For example, to prevent an event from appearing in future scans, you could Create an exception to hide the event temporarily (if you plan to address it later but cannot right now). See Specifying Exceptions. Create an exclusion within the target (if a particular file or subdirectory in the target should not be scanned). See Creating Exclusions. Remove the target from your policy (if the entire target should not be scanned). If you need more detailed instructions, see Viewing Scan Results and Acting on a Violation. Note: If you do make changes to the target specifications or exclusions in your policy, or to the targeted files on the servers, you must re-baseline the policy before running another monitoring scan. Respond to Alerts If you are the administrator or security specialist assigned to handle file integrity security events for a given server group, you may receive automatically generated alerts whenever a monitoring scan detects important changes to the files in that group. When you receive such an alert, follow the link in the to the Halo Portal, where you can address the issue. If you need more detailed instructions, see Responding to Alerts. Re-Baseline a Policy Whenever you alter the targets in a policy, you must re-run the baseline scan for that policy. Note that re-running a baseline is not required during the normal elastic operation of your cloud, because Halo automatically accounts for servers that come online or go offline due to server cloning or cloudbursting. Whenever you make a configuration change, addition, or deletion to the scanned files in a policy's server group, you must make the change to the baseline server itself, propagate that change to all the servers in the group, and then re-run the baseline scan for that policy. To re-run a baseline scan, go to Policies > File Integrity Policies in the Halo Portal and locate the policy that you wish to re-baseline. If you need more detailed instructions, see Re-Baselining a Policy. Administer File Integrity Policies The Halo Portal helps you with day-to-day administration of your file integrity policies. Follow the links below if you need instructions for performing these tasks. Export or import a policy from or into the Halo Portal. Edit an existing policy from the Active File Integrity Policy list. 7

8 Retire an active policy from the Active File Integrity Policy list. Unretire (re-activate) a retired policy from the Retired File Integrity Policy list. Use the File Integrity Monitoring API You can use the CloudPassage API to automate file integrity monitoring or build its capabilities into your own security tools. The API includes the following file integrity modules and functions: File Integrity Policies API. Allows you to list all policies, get the details of a single policy, create a policy, update a policy, and delete a policy. File Integrity Policy Baselines API. Allows you to list all baselines for a policy, list a single baseline, create a baseline (run a baseline scan), delete a baseline, and request a re-baseline (re-run a baseline scan). Assign a file integrity policy. (In the Server Groups API) Allows you to assign one or more file integrity policies to a server group. File integrity events added to Events API. File integrity events are now included in the set of security events that you can retrieve from the Halo database. See the CloudPassage API Programmer Guide for details. Appendix: Task Details This section contains detailed, step-by-step instructions for the tasks described earlier in this document. You can refer to these instructions if you need additional information about a task. Specifying File Integrity Monitoring Settings To prevent automatic file integrity scanning, you can disable it. When it is enabled, you can set the scanning frequency. In Halo Portal, Navigate to Settings > File Integrity Monitoring. 8

9 On the File Integrity Monitoring Settings page, make any of these changes: Enable or disable automatic file integrity scans. (Default = enabled.) Select or modify the scanning frequency. (Default = daily; highest frequency = hourly.) Note: Depending on the number and size of the targets in your policy, running a monitoring scan on all the servers in a server group may take some time. Specifying a high scanning frequency for a large group might impact the performance of your servers. Leave the Execute scan on daemon's start checkbox selected if you want each server to be scanned immediately when it comes on line. If you clear the checkbox, the server might not be scanned for as much as a full day, depending on the scan frequency you have selected. Click Save to commit your changes. Cloning a Policy Template The fastest way to create a file integrity policy is to clone an existing policy or policy template. Halo provides the following default templates for cloning into file integrity policies: Monitor Privilege Escalation (Linux). Detects changes to files that are commonly modified by attackers to raise privileges or maintain raised privileges. Monitor Changes to Files with SETUID. Detects changes to common files whose setuid permissions bit is set. These files are favorites for attackers to modify in order to gain elevated privileges. You can also clone any file integrity policy, such as one you have previously created. To clone a policy template: 1. Go to Policies > File Integrity Policies and click Policy Templates. 2. On the File Integrity Policy Templates page, locate the template that you want to clone. 3. In the line for that template, select Clone from the Actions drop-down menu. The Add New File Integrity Policy page opens, with the policy name shown as TemplateName (copy), and with all of the content of the template, including its targets, filled in. 4. You can immediately save the template as a policy, or you can edit it change its name, add or remove targets, and so on and then save it. The cloned template now appears as a policy like any other on the File Integrity Policies page. To clone an existing policy: You can clone any existing policy and use it as the basis for creating another policy: 1. Go to Policies > File Integrity Policies and locate the policy that you want to clone. 2. Select Clone from the Actions drop-down menu for that policy. The Add New File Integrity Policy page opens, with the policy name shown as ExistingPolicyName (copy), and with all of the content of the existing policy, including its targets, filled in. 3. Edit the policy as desired, then save it. The cloned policy now appears on the File Integrity Policies page. 9

10 Creating a File Integrity Policy To create a new file integrity policy from scratch: 1. Navigate to Policies > File Integrity Policies to display the active File Integrity Policies list. 2. Click Add New File Integrity Policy. The Add New File Integrity Policy page appears. 3. Give the policy and name and optionally add a description. 4. In the Target(s) table, enter paths to one or more target files or directories that should be monitored; see Specifying Targets, below. 5. For each target, specify values for its flags; see Configuring the Targets, below. 6. When you are finished, click Save. The policy appears on its own page, along with a caution that the policy will remain inactive until you perform a baseline scan. 7. Click Baseline to run a baseline scan immediately: see Specifying a Baseline Server and Running a Baseline Scan, below. 8. Click Back to return to the File Integrity Policies list. Note: If you do not perform a baseline scan at this time, you can do it later by returning to the File Integrity Policies list, clicking Actions in the row for this policy, and selecting Baseline. 10

11 Specifying Targets A file integrity policy includes a list of target objects to be monitored for changes. When creating or editing a policy, use the Add Target link or the Delete icon ( ) to add or remove targets. Note also that you can optionally provide a description for each target. The following are the kinds of target objects you can specify, and the kinds of changes to each that a scan can detect. File type Added/Deleted Content Metadata Target path Text or binary file Yes Yes Yes Directory Yes Yes Symbolic link Yes Yes Yes Device/special file Yes Yes Note that for devices and special files (such as named pipes), only additions, deletions, and metadata changes are detected. For symlinks, changes to the target specification are also detected although changes made to the target file itself are not detected. Here are some examples of targets: Individual binary or text files. For example: /vmlinux /usr/sbin/httpd /etc/passwd Directories and their top-level objects (non-recursive scan). For example: /bin (all objects at top level of the /bin directory) /etc (all objects at the top level of / etc) Directories and all subdirectories and other objects within them (recursive scan). For example: /opt [recursive] (all objects, if any, within the /opt directory) /usr [recursive] (all objects in / usr) When Halo performs a baseline scan using the target expressions in the policy, it creates a checksum (signature) for each text or binary file and records it, along with the directory in which the file was found. For files and for all other scanned objects, Halo records values for the following metadata: user owner group owner file permissions ctime mtime Subsequent scans will then detect whether the content of any of the files has been altered, whether any object has been deleted from or added to any monitored directory, and whether any critical metadata (owners or permissions) has changed. Any of those changes are reported as scan results and as security events. Limitations on targets and scans Halo cannot scan more than 10,000 files per server, and it does not analyze individual files of 1 GB or larger. 11

12 Halo will not scan a target that is the directory /proc or any of its contents. CloudPassage recommends that you do not scan files that change often, such as log files, active database data files, and files. Configuring the Targets Every target in a file integrity policy has three associated flags that control recursion and event-related features: Recurse. Select or clear the checkbox to enable or disable recursive scanning of a directory target. A recursive scan analyzes all individual files and subdirectories at all levels within the target directory (unless you have defined exclusions for the target). A non-recursive scan analyzes only the files at the top level of the directory. (Default = disabled.) Flag critical. By default, a change to any target object is logged as a non-critical security event. Select this checkbox to specify that changes detected in this target are to be considered critical security events. Critical events are flagged with a special icon on the Security Events History page and you can sort them to appear at the top of the list. Generate an alert. Select this checkbox to specify that, if any changes are detected in this target, an notification should be sent to the users specified in the alert profile(s) of the server group to which this policy is assigned. (Default = disabled.) Hint: Because a scan group can have more than one alert profile, you can for example configure Halo to send critical events to a different set of administrators than non-critical events. Creating Exclusions If a target in your policy is a directory, by default Halo scans all files within that directory (and all subdirectories, if the Recurse checkbox is selected). You can exclude specific subdirectories, files, or sets of files from scanning by defining one or more exclusions for the target. An exclusion is a string pattern that is matched against the file paths of any elements within the target. To avoid scanning a specific file or directory, you specify its name as the exclusion. For example, to avoid scanning the file install.log within the target directory, specify install.log as an exclusion. An exclusion can contain wildcards, allowing you to exclude groups or classes of files and subdirectories. The supported wildcards are * (which matches zero or more consecutive characters) and? (which matches any one character). For example, to avoid scanning log files anywhere within the target directory, you could specify *.log as an exclusion. To add an exclusion to your file integrity policy, click the Add Exclusion link for the target directory, then enter a string or pattern representing the exclusion. You can add any number of exclusions to a target. 12

13 Specifying a Baseline Server and Running a Baseline Scan Before you can use a file integrity policy or assign it to a server group, you need to run a baseline scan on it. To do that, you need to assign a baseline server to the policy. Also, you will need to re-run a baseline scan whenever you make changes to the baseline server's target objects, or the policy that the baseline server is assigned to. A baseline server represents the golden master the canonical, correctly configured, clean system of the server group that you will assign the policy to. The baseline server could be one of the servers in that server group, or it could be a server set up solely as a template for the correct configuration of that type of server. The baseline scan is run only on the baseline server; subsequent monitoring scans are run on all the servers of the policy's server group. Therefore, the structure and content of all servers in the group should in general be identical to the baseline server at least for the specific file targets defined in the policy. (Exceptions to this are possible; see Using Multiple Baselines.) Immediately after saving a new file integrity policy or saving changes to an existing one, you are prompted to request a baseline scan. You can do it then, or you can later navigate to the File Integrity Policies list and select that policy. Then do this: 1. Click the Add Baseline button (if you are on the File Integrity Policy page), or choose Baseline from the Action dropdown list in the line for that policy (if you are on the File Integrity Policies list). 2. In the Select Baseline Server dialog box, use the dropdown list to choose the server that you want as the baseline. All of your currently online servers that have an installed Halo Daemon appear in the list. 13

14 Select the lifetime of the baseline scan (the number of days before it expires), and optionally add a comment about this baseline server. 3. Click Request Baseline to start the baseline scan. Note: Depending on the number and size of the targets in your policy, running a baseline scan can take several minutes or longer. When the scan is finished, a "File Integrity baseline" event appears on the Security Events History page, and information about the scan appears in the Baselines area of the File Integrity Policy page: Once the baseline scan is complete and shows a status of Active, you can assign the policy to a server group and start running file integrity scans. Displaying Baseline Reports Every time you run a baseline scan, Halo generates a report listing all of the target elements that were scanned on the baseline server. You can access that report at any time, to verify that your file integrity policy correctly specifies all the targets that you want to scan, and that your baseline server contains all of those targets. 1. To view a baseline report, click Actions for a given baseline server in the Baseline area of the File Integrity Policy page. 2. Select Details from the drop-down list. The File Integrity Baseline Results page appears, displaying for each top-level target in your policy a line of information for each individual scanned element or sub-element of that target. The information includes the full path and type (directory, file, or link) of the element, plus its metadata and its cryptographic signature (or target value, if it is a link). 14

15 The report includes one table for each top-level directory specified in the policy. For example, if the policy contains target paths starting with /bin, /etc, and /usr, the report will include three tables of scanned elements. 3. Examine the pathnames and metadata in the report to satisfy yourself that the file integrity policy specifies the appropriate elements for ensuring the integrity of critical files, and that it does not waste time scanning unimportant elements. If necessary, refine the policy by modifying targets and exclusions. Using Multiple Baselines In some situations a server group consists of servers that are similar but not in all cases identical. For example, patch levels or application versions might vary slightly among the servers. To help you handle that situation without fragmenting your server groups, Halo allows you to define several baseline servers for a single group. The baseline servers together must cover all acceptable configurations of the group's servers. When you run a file integrity scan on a server group with multiple baselines, each target object's signature and metadata are compared with the signatures and metadata of that object on each of the baseline servers and if a match occurs with any of them, the target rule is matched. Specifically: For a changed object, if none of the baselines matches the target object, it is considered a violation and a security event is triggered. For a deleted object, if all of the baselines contain the target object and the scanned server does not, it is considered a violation and a security event is triggered. For an added object, if none of the baselines contains the target object and the scanned server does, it is considered a violation and a security event is triggered. Specifying additional baseline servers for a file integrity policy is as simple as specifying the first one. On the File Integrity Policy page, click Add Baseline, choose an expiration time, and select the server to be the baseline. After you click Request Baseline to perform the baseline scan, the new server appears in the policy's list of baseline servers. 15

16 If you make any changes to your file integrity policy, all baselines in effect at that time become invalid. You will need to re-baseline all invalid baseline servers before you will be able to run a file integrity scan with that policy. Assigning a Policy to a Server Group You need to assign your file integrity policy to a server group before you can use it. Note that a policy can apply to more than one server group, and a server group can have more than one policy. 1. In the Halo Portal, display any server view in the Dashboard. For example, navigate to Servers > File Integrity Monitoring. 2. In the list of server groups, click the name of the group to assign the policy to, then click Edit Details below the group name. 3. In the Edit Group Details dialog box, Select the policy's name from the File Integrity Policies dropdown list. The policy is added to the group. (You may also add other file integrity policies to the group.) 4. Click Save to commit your assignment and return to the server view. Manually Running a Monitoring Scan You can at any time manually initiate a monitoring scan of your server group. If you do not want to wait for the next scheduled scan, do this: 1. Display a server view in the Halo Portal. For example, navigate to Servers > File Integrity. 2. In the list of server groups, click the name of the group to be scanned. A list of the servers in that group appears in the panel to the right. 3. Use the checkboxes to select any or all of the servers in the group. 4. Click Actions at the top of the panel and choose Launch Scan from the drop-down list. The scan starts on each server in the group when the server's Halo Daemon makes its next heartbeat contact 16

17 with the Halo Grid. Viewing Scan Results Halo records all policy violations (changes to specified target files and directories) that it detects during monitoring scans. You can view those violations either as (1) scan results on an individual server's File Integrity page, or (2) security events on the Halo Portal's Security Events History page. Viewing Violations as Scan Results 1. On the Halo Dashboard page, click the Integrity icon ( ) and select a server group containing the server whose file integrity scan results you want to view. 2. Click the name of a server to view that server's File Integrity page, which lists and describes the violations from its most recent file integrity scan. See Viewing the Details of a Violation for a full description of what each violation contains. See Acting on a Violation for suggested remediation steps to take. Viewing Violations as Security Events 1. Navigate to the Security Events History page, at Servers > Security Events History. 2. Filter the display as necessary: Specify one or all server groups, and one or all individual servers within your specified group. Specify a date range for the events. 17

18 Choose one or more event types. To see only file integrity-related events, choose among Object added, Object missing, and Object signature changed. Specify whether you want to see only critical, only non-critical, or all events. 3. Click Filter to display the filtered list. You can sort the resulting list of events by criticality, creation date, type, server group, and server, to display the events of most interest to you toward the top of the list. See Viewing the Details of a Violation for a full description of what each event contains. See Acting on a Violation for suggested remediation steps to take. Viewing the Details of a Violation Each violation on the scan results page (or event on the Security Events history page) displays the following information: a red icon if the event is critical; an indication of when the event occurred (for example, "5 days ago"), the exact nature of the event (for example, "Object missing"), the target file involved, the name and IP address of the server on which it occurred, and the name of the policy that was violated. (Events on the Security Events History page also display the name of the server's server group and include a link to the server's Server Summary page.) The policy name is displayed as "(source: PolicyName)" and is a link; click it to display the content of that policy so that you can inspect its details. For a given violation or event, click More details to view both the baseline (original) metadata and current metadata for the file. 18

19 Halo reports the following metadata items for each scanned file: owner username, owner group name, file permissions, cryptographic signature (final 8 digits of the SHA-256 hash), ctime (the last time the file was written to, or any properties or metadata were changed), and mtime (the last time the file was written to). Any file signature or critical metadata value that does not match the baseline is highlighted in red. Changes to ctime or mtime are not considered critical; if ctime or mtime do not match the baseline but the other metadata and the signature do match, no event is created. The details drop-down also includes a link to the Server Summary page of the baseline server used for the most recent baseline scan of this server group. Acting on a Violation Acting on a file integrity violation or event means both (1) verifying the event's validity and performing any required remediation on the file involved, and (2) addressing the status and visibility of the event in the Halo Portal. If a violation requires your action, take these steps: 1. Access the server and file in question to verify that the file has been modified, or is missing or is an unauthorized addition. Note the exact nature of any changes that have been made to its content. 2. Contact the server owner to verify that changes to the file are not authorized. If the change was unauthorized, you may want to launch a forensic investigation of the server. 3. Ensure that the questionable file is repaired, replaced, removed, or ignored, according to your assessment of its risk. 4. Address how the Halo Portal should handle the event. Take one of these actions: Do nothing, if the security event was valid and you have restored (or soon expect to restore) the server's proper, baseline-compliant configuration. Make an exception of the event for 1 to any number of days (or "Never"), so that it will not appear in future scan results. (Do this if you expect to address the issue, but cannot at the moment.) See Specifying Exceptions. Create an exclusion in the policy target that includes the event, so that it will not be scanned in the future. (Do this if the file or directory is within a valid target directory but should not itself be scanned for example, if it naturally changes often.) See Creating Exclusions. Delete the target from the policy that generated the event. (Do this if you determine that a change to the target is not a valid security event for your cloud installation.) See To delete a file integrity target. 5. If your remediation has restored the file or directory involved to its baseline state, no further action is needed to restore file integrity. However, you may wish to take other protective actions in Halo, such as increasing firewall or configuration security, or identifying software vulnerabilities. 19

20 6. If your remediation has left the file involved in a changed state from its baseline, you must make identical alterations to all other servers in the group, and to the baseline server itself, and then rebaseline the policy for that server group. To delete a file integrity target: 1. Open the policy's File Integrity Policy page, by navigating to Policies > File Integrity Policies and clicking the name of the policy. (Alternatively, click the policy-name link in the violation description in the server scan results or on the Security Events History page.) 2. Click the Delete icon ( ) for each target that you want to remove from the policy. 3. Re-run a baseline scan of the policy. Events and any associated alerts will no longer be generated for those targets. If you want to restore any of the targets later, edit the policy and add them as new targets. Specifying Exceptions When addressing file integrity scan results or events, you may decide not to act on (remediate) a particular event at this time. If you do not wish to see the event repeated in future scans, you can classify it as an exception, which means that it will not appear in future scan results for a specified period of time. Exceptions are useful for issues that you intend to correct eventually, but you would rather not be distracted by them until you have addressed more pressing file integrity issues. To create a file integrity exception: 1. On the Halo Dashboard, click the Integrity icon ( ), select a server group, and click the name of a server. Or, navigate to the Security Events History page and filter for file integrity events. 2. In the list of violations or events, click Create Exception in the line for an event that you no longer want to see in scan results. (Or, select the checkboxes for one or more events, and then click Create Exception at the top of the page.) The Add Exception dialog box opens. 20