QualysGuard Tips and Techniques Policy Compliance: File Integrity Monitoring

Transcription

1 QualysGuard Tips and Techniques Policy Compliance: File Integrity Monitoring January 21, 2013 This document describes File Integrity Monitoring (FIM), a benefit of QualysGuard Policy Compliance. About File Integrity Monitoring What is File Integrity Monitoring? File Integrity Monitoring (FIM) is a key part of comprehensive IT security and compliance initiatives in detecting unauthorized changes to critical files by monitoring those files for change over time. In fact, regulatory and industry mandates and best practices may require File Integrity Monitoring such as PCI DSS Section 11.5 or ITIL Change Management Process. Increases in sampling requirements for IT audits necessitate the automation of many processes such as file integrity monitoring. Additionally, use of file integrity monitoring can be used to confirm successful completion of other IT processes such as patch deployment. How does Automated File Integrity Monitoring work? Automated File Integrity Monitoring works by leveraging software automation in comparing file attributes like file size and/or hash values (MD5, SHA-1, and SHA-256) over different points in time. This process is designed to ensure that critical or sensitive static files have not been modified or compromised. Due to system resources required, it is not feasible to monitor every file on an information asset so usually a subset of files is specified for monitoring. Some system files change frequently in normal system operation so care should be used in selecting files for monitoring that do not change frequently to avoid creating excessive reporting and alert volume. Traditionally, a baseline is made of existing files and then an automated process periodically rechecks the file attributes and confirms that the file continues to exist in the same state as indicated by the original baseline. This approach assumes that the initial file state is acceptable so care must be taken to ensure the original file attributes are valid. How does Qualys provide Automated File Integrity Monitoring to customers? QualysGuard Policy Compliance enables a customer to monitor selected files for modification on a userdefined scan schedule using user defined controls (UDCs). Customers simply create custom controls to monitor the required files during compliance scanning. QualysGuard s File Integrity Monitoring functionality is provided in an agent-less fashion using authenticated access so no additional software deployment is needed. QualysGuard File Integrity Monitoring (FIM) is designed to allow customers to build a policy of expected known good file hashes across their environment like DLL s or files that are consistent from system to system. Qualys also allows customers to select hash types of MD5, SHA-1, or SHA-256 for either UNIX or Windows systems. Copyright by Qualys, Inc. All Rights Reserved. 1

2 In the Qualys model, authentication is used to access file attribute and hash data for monitored files. The compliance scan actually makes a copy of the target file on the scanner and uses scanner resident functionality to calculate the hash value. This approach has greater integrity of results rather than depending on functionality (such as MD5) from the scanned operating system which might have been tampered with and allows Qualys customers to do more than just MD5 or SHA-1 hashes as we also support SHA-256. How often can I scan for file integrity? With QualysGuard File Integrity Monitoring, periodicity of reporting status is measured in how often compliance scans are scheduled with the file integrity option checked. This schedule is set by the customer so days or weeks may occur between scan runs depending on the customer s specification. This approach is designed to be low maintenance and is a departure from the traditional agent-based method that uses a permanent piece of local code that must be deployed and maintained to be visible to the monitoring system. QualysGuard Policy Compliance is designed to be a scalable solution that does not rely on agents to enable customers to perform host auditing such as FIM reporting for IT audit purposes across the environment. Can I use Qualys File Integrity as well as an agent-based approach? The Qualys FIM model can be considered very complimentary to traditional agent-based file integrity monitoring approaches since an agent is not required and new systems added the network can be scanned if a third-party agent is not installed. This is very useful in dynamic environments where systems may have been introduced to production but have not yet had an agent deployed. Qualys can be used to scan those systems until the other applications have been deployed. Since the FIM functionality is part of QualysGuard Policy Compliance, it provides a checks and balances role as well. You may find a registry entry that indicates a system is patched but find that the DLL s are not patched as expected. Also, there have been cases where security patches or software updates have broken agent communication in other products; in this case, QualysGuard can be used to scan for file integrity until communications have been restored in the agent-based system. QualysGuard Tips and Techniques 2

3 Qualys File Integrity Monitoring Process Below is a step-by-step process on how a FIM control can be created and tested for a Windows 2003 system in a QualysGuard subscription. The process is identical for UNIX systems as well. This document assumes the reader is already familiar with navigating the QualysGuard application. 1) Ensure FIM is enabled in the compliance profile used to scan an asset group (it is disabled by default). 2) Go to the Controls list and select New > Control. 3) In the list of Windows control types, find File Integrity Check and click the Get Started button. QualysGuard Tips and Techniques 3

4 4) Fill in the form for control statement, category, etc. and click the Add Parameters button. Note: A good best practice is to use a naming convention for User Defined Controls. In this case, UDC: is placed at the beginning of the control statement. This provides a useful string in key word searches when creating policies. 5) In the Scan Parameters window, enter the path and filename for the file you wish to monitor. Then specify the hash type (MD5, SHA-1, or SHA-256) and enter a description of the file, hash type, etc. Note: Four system variables are also supported on Windows, these are: %SystemRoot% %windir% %ProgramFiles% %CommonProgramFiles% QualysGuard Tips and Techniques 4

5 6) Now scroll down to the Control Technologies section. Select the applicable technology and enter text on why you are including this file. Note: Initial FIM control creation is basically a two-step process: Enter the default control parameter value as a wild card (.*), then, after the compliance FIM scan, the baseline hash value will be provided in the compliance report. If valid, replace the wild card with the hash value from the compliance report in the control parameter field to complete the control creation process. 7) Save the control. The control is added to the controls list. Note: Each user defined control is given a CID of or greater when saved. This is useful if the controls list is sorted by CID as UDCs are grouped together. 8) After the control has been saved successfully, it may be added to a policy. When in the policy editor, make sure to assign relevant asset groups to the new policy by going to Actions > Assign Assets. Leave the expected control value as a wild card (.*) to start. (After the first report is run, you will copy/paste the required hash into the value field to set the pass/fail criteria for the control.) QualysGuard Tips and Techniques 5

6 9) Ensure that a compliance scan has completed successfully after the new FIM controls have been created so that data for the newly monitored files is included for FIM reporting (remember that FIM needs to be enabled in the compliance profile for the scan to pick up data). Note: During UDC creation, a good best practice is to use small policies and asset groups during testing. This reduces the amount of time needed for scanning and scrolling through the web browser during policy and control creation. Once UDCs are created successfully, they can be added to production policies that can be greater length. Also, use of the Relaunch option (under Quick Actions) can be useful in rerunning scans after new UDCs are created. Also, after UDCs are created, a compliance scan must be run to gather the data specified by the UDC. Qualys decouples reporting from scanning, so when a compliance scan occurs, it gathers the information needed to report on all known controls for the technology. Policies are only used for reporting. In actuality, a compliance scan can be run as soon as the FIM UDCs are created and before they are inserted into a policy. This method allows for more flexible compliance reporting while reducing the scanning requirements normally associated with producing compliance reports. QualysGuard Tips and Techniques 6

7 10) Create a report template with extended evidence selected to show additional file attribute data such as file size. (This option is selected by default in new policy templates.) 11) Generate a compliance template report using the new policy and control. Scroll down to the Detailed Results section to see the actual value returned for the control. Note: In this example, the SHA-256 HASH has been generated. Since a wildcard was used for the expected value, the control passed. QualysGuard Tips and Techniques 7

8 12) Copy and paste the HASH value into the expected value field for the control in the policy if the HASH value is acceptable. Note: Confirm that there are no spaces in the HASH value. There is a common space issue that occurs when the HTML view is used to copy the HASH value for the compliance reports in UDC creation (See Appendix A). 13) Rerun the compliance report and confirm the expected value matches the actual value. Note: On initial control creation, the control should pass at this point because a failed control would indicate that recently base-lined file has changed. But, if you get a failed control on this initial creation phase, a space may have been inserted into the HASH value used in the control parameter if the HTML compliance report was used as the source of the HASH value. QualysGuard Tips and Techniques 8

9 Conclusion At this point, the File Integrity UDC has been created and tested and it is available to be placed into a production policy. Customers should decide on an appropriate scan schedule though the length of time varies greatly from organization to organization. Customers usually will implement different FIM scan schedules for different groups of assets depending on criticality and maintenance windows. Appendix A: Correcting A Common Space Issue If the initial control failed, the issue may be a rogue space was inserted in the control parameter during the copy/paste process. Below is an example of a control that failed due to this issue. Note: In the HTML view, there will be a space inserted in the HASH value due to a carriage return that is inserted in long strings. In the image above, the control failed because there was a space in the HASH value inserted into the control about the fiftieth character. Notepad can be used to see this more clearly as it may be difficult to detect in the compliance report font. To correct this issue, simply edit the policy and remove the space in the control parameter, resave the policy, and then rerun the compliance report. A rescan will not be necessary since the HASH information has already been gathered. QualysGuard Tips and Techniques 9

10 Appendix B: Additional Best Practices If extended evidence is selected in the report template, you can view other information such as file size and date last modified. PERL regular expressions may be used in the control parameter Default Value field. For example, use pipe ( ) to set OR values if there are a multiple HASH values that are acceptable. <HASH Value 1> <HASH Value 2> <HASH Value 3> Restricting the scan to a particular policy using the Scan by Policy option in the compliance profile enables customers to scan for only the FIM UDCs they create. This could be very useful as a spot check or to schedule FIM only scans on a separate schedule from the full configuration check scans. If the Dissolvable Agent has not been accepted for the subscription, the FIM process allows files up to 250KB to be targeted for FIM UDCs. We will make a copy on the scanner and establish the file hash on the scanner appliances. If the Dissolvable Agent has been accepted for the subscription (applicable for Windows), then file sizes can be bigger than 250KB but the hashing takes place on the scanned Windows system. A Manager can accept the Dissolvable Agent by going to Scans > Setup > Dissolvable Agent. Refer to the QualysGuard online help for more information on File Integrity Monitoring. QualysGuard Tips and Techniques 10

11 Appendix C: Common Questions Can I be alerted in real time as critical files are modified? No, QualysGuard is meant for an audit process rather than alerting process which would require an agent. Can I integrate QualysGuard File Integrity Policy with known good file databases that are available online? The HASH values from a known good files database can be copy/pasted into the control parameter field and used in policies. At this time, there is not an automatic feed from these databases. This concept is being reviewed but is not in the current release. Can I run configuration scans without FIM enabled? Yes, run a scan using compliance profiles that do not have file integrity selected. Does QualysGuard load an agent on target systems to perform file integrity? No, QualysGuard is performing FIM analysis without a local agent using authenticated access to monitored files. A copy of the file is actually made on the scanner so that a more secure HASH value may be calculated using MD-5, SHA-1, or SHA-256. Can I use a list of files in a single control? No, at this time, a unique UDC must be created for each file to be monitored. For instances where multiple HASH values are acceptable, the regular expression value pipe ( ) may be used. Is there a limit on the number of FIM UDCs I can create? There is not a limit imposed on the number of UDCs that may be created but some consideration should be given to the impact on scan time. A compliance scan can be run without FIM enabled but if selected, the number of FIM UDCs that exist in the library will have a direct impact on length of scan time required. Typical usage is between 1 and 200 monitored files. Impact on scan time will also be impacted by several variables such as network latency as well as available CPU and memory resources of target assets. Contact Support Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access online support information at QualysGuard Tips and Techniques 11