Complete. Simple. Affordable

HOW TO ENABLE FILE INTEGRITY MONITORING (FIM)

AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault.
TABLE OF CONTENTS

INTRODUCTION (page 3)
PREREQUISITES (page 3)
CONFIGURING FILE AND REGISTRY INTEGRITY MONITORING (page 3)
SYSCHECK CONFIGURATION PARAMETERS (page 3)
CONFIGURING SYSCHECK (page 5)
SETTING DIFFERENT SYSCHECK FOR DIFFERENT SERVERS (page 5)
REFERENCE (page 6)

DC-00161 Edition 00 Copyright 2015 AlienVault. All rights reserved.
INTRODUCTION

This document describes how to configure file integrity monitoring (FIM) on hosts that have the host-based intrusion detection system (HIDS) agent installed. Integrity checking is an essential part of intrusion detection: it identifies changes to the integrity of the system. The HIDS agent does this by looking for changes in the MD5/SHA1 checksums of key files on the system and, on Windows, of registry entries.

PREREQUISITES

Before FIM can be configured, the HIDS agent needs to be installed. Agents are available for Windows and Linux hosts. The following two documents explain how to install and configure the HIDS agents:

    Deploying OSSEC agents to Linux Hosts
    Deploying HIDS Client to Windows Hosts

CONFIGURING FILE AND REGISTRY INTEGRITY MONITORING

Syscheck is the name of the integrity checking process inside OSSEC. It runs periodically to check whether any configured file (or registry entry on Windows) has changed.

SYSCHECK CONFIGURATION PARAMETERS

The following table lists the parameters you can specify for syscheck from the AlienVault USM(TM) user interface. Numbers in brackets refer to the notes that follow the table.

FREQUENCY (in seconds)
    Meaning: How often syscheck is executed, in seconds.
    Default: 72000 (20 hours) [note 1]

SCAN_DAY
    Meaning: Day of the week on which to run the scans (for example Sunday, Saturday, Monday).
    Default: None

ALERT NEW FILES
    Meaning: Whether syscheck should alert on newly created files.
    Default: No [note 2]

SCAN TIME
    Meaning: Time of day at which to run the scans.
    Default: None

AUTO IGNORE
    Meaning: Whether syscheck ignores files that change too often (after the third change).
    Default: No [note 3]

SCAN ON START
    Meaning: Whether syscheck performs its first scan as soon as it is started.
    Default: Yes

WINDOWS REGISTRY ENTRIES MONITORED
    Meaning: Windows registry entries to be monitored (Windows only).
    Default: HKEY_LOCAL_MACHINE\Security

REGISTRY ENTRIES IGNORED
    Meaning: List of registry entries to be ignored.
    Default: HKEY_LOCAL_MACHINE\Security\Policy\Secrets

FILES/DIRECTORIES MONITORED
    Meaning: Files or directories to be monitored.
    Default: %WINDIR%/system.ini

REALTIME
    Meaning: Enables real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems.
    Default: No [note 4]

REPORT CHANGES
    Meaning: Report diffs of file changes. This is limited to text files and only works on Linux-like systems. DO NOT ENABLE THIS OPTION FOR WINDOWS SYSTEMS.
    Default: No

CHK *
    Meaning: The CHK (check) ALL option enables all the different checks. Check only the specific options if you want to run a subset.
    Default: No

FILES/DIRECTORIES IGNORED
    Meaning: Files or directories to be excluded from monitoring (regular expression syntax).
    Default: .log$ .htm$ .jpg$ .png$ .chm$ .pnf$ .evtx$
Notes:

1. On an OSSEC server, the default frequency is 21600 seconds (6 hours).
2. In AlienVault version 4.15.1+, you can configure alerting on new files with these steps: 1) change ALERT NEW FILES to Yes; 2) specify the directory to be monitored; and 3) select/check CHK ALL for the directory. There is no need to select the REALTIME option; see note 4 for details.
3. If AUTO IGNORE is set to No, you receive an alert on every change, no matter how many times the file changes, unless you also have the REALTIME option checked; in that case the alerts stop after the third change (the same behavior as setting AUTO IGNORE to Yes).
4. The REALTIME option does not alert on newly created files in real time. New files are alerted on when the regularly scheduled file integrity scan runs. Once a file has been picked up, it is then monitored in near real time.

CONFIGURING SYSCHECK

To configure syscheck (after the agents are installed):

1. Navigate to Environment > Detection. Click the AGENTS tab, then SYSCHECKS.
2. Configure the parameters according to your needs, based on the table above, and save your changes by clicking the corresponding SAVE button.
3. Click the OSSEC CONTROL tab and restart the OSSEC service by clicking the RESTART button.

SETTING DIFFERENT SYSCHECK FOR DIFFERENT SERVERS

You can set up a different syscheck configuration for each server by adding the configuration for each server to the agent.conf file manually, but you can also do it through the user interface. To configure syscheck for different servers:

1. Navigate to Environment > Detection. Click the AGENTS tab, then AGENT.CONF. By default, this page is blank.
2. Use a separate <agent_config> element for each server you need to configure. Use the name attribute to denote the name of the server, and specify the syscheck parameters inside the <syscheck> element. For example:

    <agent_config name="ad2012">
      <syscheck>
        <frequency>21600</frequency>
        <auto_ignore>no</auto_ignore>
        <alert_new_files>yes</alert_new_files>
        <scan_on_start>yes</scan_on_start>
        <directories check_all="yes">c:\temp</directories>
      </syscheck>
    </agent_config>
    <agent_config name="win2008">
      <syscheck>
        <frequency>3600</frequency>
        <auto_ignore>no</auto_ignore>
        <alert_new_files>yes</alert_new_files>
        <scan_on_start>yes</scan_on_start>
        <directories check_all="yes">c:\topsecret</directories>
      </syscheck>
    </agent_config>

3. Save the entries by clicking the SAVE button.
4. Click the SYSCHECKS tab. A dropdown menu now appears toward the upper right with the name of the first server you specified. Use the dropdown to select a server and customize its syscheck parameters accordingly.
5. Click the OSSEC CONTROL tab and restart the OSSEC service by clicking the RESTART button.

REFERENCE

1. Syscheck - OSSEC 2.8.1 documentation: http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/index.html
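Because agent.conf entries like the ones in step 2 above are written by hand, it is easy to violate the rules the parameter table and its notes give (a positive frequency, REPORT CHANGES never enabled for Windows, CHK ALL required when ALERT NEW FILES is Yes). The following Python lint is an added example, not part of this document or of OSSEC: it parses a constructed agent.conf and reports those violations. The host name win-bad, the path c:\inetpub and the drive-letter heuristic for recognising Windows entries are assumptions.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample agent.conf (not from the document): "ad2012" mirrors the step 2
# example; "win-bad" is a hypothetical host that breaks the document's rules.
SAMPLE_AGENT_CONF = r"""
<agent_config name="ad2012">
  <syscheck>
    <frequency>21600</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">c:\temp</directories>
  </syscheck>
</agent_config>
<agent_config name="win-bad">
  <syscheck>
    <frequency>0</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes">c:\inetpub</directories>
  </syscheck>
</agent_config>
"""
# Heuristic (an assumption): a drive letter or %VAR% prefix marks a Windows path.
WINDOWS_PATH = re.compile(r"^[A-Za-z]:[\\/]|^%[A-Za-z_]+%")

def parse_agent_conf(text):
    # agent.conf holds several top-level elements and no single root, so wrap it first.
    agents = []
    for ac in ET.fromstring("<root>" + text + "</root>").findall("agent_config"):
        entry = {"name": ac.get("name"), "directories": []}
        sc = ac.find("syscheck")
        if sc is not None:
            for tag in ("frequency", "auto_ignore", "alert_new_files", "scan_on_start"):
                el = sc.find(tag)
                entry[tag] = el.text.strip() if el is not None and el.text else None
            for d in sc.findall("directories"):
                entry["directories"].append({"path": (d.text or "").strip(), **d.attrib})
        agents.append(entry)
    return agents

def lint_agent_conf(text):
    # Apply the rules from the parameter table and its notes; one finding per violation.
    findings = []
    for a in parse_agent_conf(text):
        name, freq = a["name"], a.get("frequency")
        if freq is not None and (not freq.isdigit() or int(freq) <= 0):
            findings.append(f"{name}: frequency must be a positive number of seconds, got {freq!r}")
        for d in a["directories"]:
            # REPORT CHANGES only works on Linux-like systems; never enable it for Windows.
            if d.get("report_changes") == "yes" and WINDOWS_PATH.match(d["path"]):
                findings.append(f"{name}: report_changes is not supported on Windows ({d['path']})")
        # ALERT NEW FILES needs CHK ALL on the monitored directory (note 2 in the table).
        if a.get("alert_new_files") == "yes" and not any(d.get("check_all") == "yes" for d in a["directories"]):
            findings.append(f"{name}: alert_new_files needs a <directories check_all='yes'> entry")
    return findings
```

Run lint_agent_conf on the contents of your own agent.conf before saving it from the AGENT.CONF page; an empty list means none of the documented rules are violated.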