How to enable File Integrity Monitoring (FIM)




AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault.

TABLE OF CONTENTS

INTRODUCTION ... 3
PREREQUISITES ... 3
CONFIGURING FILE AND REGISTRY INTEGRITY MONITORING ... 3
SYSCHECK CONFIGURATION PARAMETERS ... 3
CONFIGURING SYSCHECK ... 5
SETTING DIFFERENT SYSCHECK FOR DIFFERENT SERVERS ... 5
REFERENCE ... 6

DC-00161 Edition 00 Copyright 2015 AlienVault. All rights reserved.

INTRODUCTION

This document provides some information on how to configure file integrity monitoring (FIM) on hosts with the host-based intrusion detection system (HIDS) agent installed. Integrity checking is an essential part of intrusion detection: it identifies changes in the integrity of the system. The HIDS agent does that by looking for changes in the MD5/SHA1 checksums of the key files in the system and in the Windows registry.

PREREQUISITES

Before it is possible to configure FIM, the HIDS agent needs to be installed. There are agents available for Windows and Linux hosts. The following two documents provide instructions on how to install and configure the HIDS agents:

    Deploying OSSEC agents to Linux Hosts
    Deploying HIDS Client to Windows Hosts

CONFIGURING FILE AND REGISTRY INTEGRITY MONITORING

Syscheck is the name of the integrity checking process inside OSSEC. It runs periodically to check whether any configured file (or registry entry on Windows) has changed.

SYSCHECK CONFIGURATION PARAMETERS

The following table lists the parameters you can specify for syscheck from the AlienVault USM™ user interface. Numbered notes are listed below the table.

FREQUENCY (in seconds)
    Meaning: How often syscheck is executed, in seconds.
    Default: 72000 (20 hours) [note 1]

SCAN_DAY
    Meaning: Day of the week to run the scans (in the form Sunday, Saturday, Monday, etc.).
    Default: None

ALERT NEW FILES
    Meaning: Specifies whether syscheck should alert on newly created files.
    Default: No [note 2]

SCAN TIME
    Meaning: Time of day to run the scans.
    Default: None

AUTO IGNORE
    Meaning: Specifies whether syscheck will ignore files that change too often (after the third change).
    Default: No [note 3]

SCAN ON START
    Meaning: Specifies whether syscheck should do the first scan as soon as it is started.
    Default: Yes

WINDOWS REGISTRY ENTRIES MONITORED
    Meaning: Add Windows registry entries to be monitored (Windows-only).
    Default: HKEY_LOCAL_MACHINE\Security

REGISTRY ENTRIES IGNORED
    Meaning: List of registry entries to be ignored.
    Default: HKEY_LOCAL_MACHINE\Security\Policy\Secrets

FILES/DIRECTORIES MONITORED
    Meaning: Use this option to add files or directories to be monitored.
    Default: %WINDIR%/system.ini

REALTIME
    Meaning: Use this option to enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems.
    Default: No [note 4]

REPORT CHANGES
    Meaning: Report diffs of file changes. This is limited to text files and only works on Linux-like systems. DO NOT ENABLE THIS OPTION FOR WINDOWS SYSTEMS.
    Default: No

Chk *
    Meaning: The CHK (check) ALL option enables all the different checks. Check only the specific options if you want to run a subset.
    Default: No

FILES/DIRECTORIES IGNORED
    Meaning: Use this option to exclude files or directories from monitoring.
    Default: .log$ .htm$ .jpg$ .png$ .chm$ .pnf$ .evtx$ (regular expression syntax)
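To make the ALERT NEW FILES, AUTO IGNORE and FILES/DIRECTORIES IGNORED parameters concrete, the following Python script is an added example (not part of the AlienVault document, and not OSSEC's own code) that models a scheduled syscheck run over two constructed snapshots of c:\temp: it compares MD5/SHA1 checksums against a baseline, applies the default ignore regexes, and stops alerting on a file after its third change when auto-ignore is on.

```python
import hashlib
import re

# Constructed sample snapshots of c:\temp as {path: content}; a real agent
# reads the files from disk on each scheduled run.
BASELINE = {
    r"c:\temp\app.ini": b"debug=0\n",
    r"c:\temp\notes.txt": b"hello\n",
    r"c:\temp\trace.log": b"boot ok\n",
}
LATER = {
    r"c:\temp\app.ini": b"debug=1\n",            # modified
    r"c:\temp\notes.txt": b"hello\n",            # unchanged
    r"c:\temp\trace.log": b"boot ok\nerror\n",   # modified, but matches .log$
    r"c:\temp\unknown.exe": b"MZ\x90\x00",       # new file
}

# Default FILES/DIRECTORIES IGNORED list from the table (regular expressions).
DEFAULT_IGNORE = [r"\.log$", r"\.htm$", r"\.jpg$", r"\.png$",
                  r"\.chm$", r"\.pnf$", r"\.evtx$"]


def checksums(content):
    """MD5 and SHA1 digests, the two checksums syscheck keeps per file."""
    return hashlib.md5(content).hexdigest(), hashlib.sha1(content).hexdigest()


def ignored(path, patterns):
    return any(re.search(p, path) for p in patterns)


def scan(baseline, current, alert_new_files=False, auto_ignore=False,
         ignore=DEFAULT_IGNORE, change_counts=None):
    """One scheduled syscheck run. Returns a list of (kind, path) alerts and
    updates change_counts, the per-file counter that lets AUTO IGNORE
    silence a file after its third change."""
    if change_counts is None:
        change_counts = {}
    alerts = []
    for path, content in current.items():
        if ignored(path, ignore):
            continue
        if path not in baseline:
            if alert_new_files:            # ALERT NEW FILES = Yes
                alerts.append(("new", path))
            continue
        if checksums(content) != checksums(baseline[path]):
            change_counts[path] = change_counts.get(path, 0) + 1
            if auto_ignore and change_counts[path] > 3:
                continue                   # changed too often; no more alerts
            alerts.append(("changed", path))
    return alerts
```

With the defaults the run reports only app.ini; the ignored trace.log change and the new unknown.exe are silent until ALERT NEW FILES is set, which is the gap note 2 in the table addresses.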

Notes:

1. On an OSSEC server, the default frequency is 21600 seconds (6 hours).
2. In AlienVault version 4.15.1+, you can configure alerting on new files with these steps: 1) change ALERT NEW FILES to Yes; 2) specify the directory to be monitored; and 3) select/check CHK ALL for the directory. There is no need to select the REALTIME option. See note 4 below for details.
3. If AUTO IGNORE is set to No, you will receive alerts on each change no matter how many times the file is changed, unless you also have the REALTIME option checked, in which case the alerts stop after 3 changes (the same behavior as setting AUTO IGNORE to Yes).
4. The REALTIME option does not alert on new files created in real time. Instead, newly created files are alerted on when the regular file integrity schedule runs. Once a file has been picked up, it is then monitored in near real time.

CONFIGURING SYSCHECK

To configure syscheck (after the agents are installed):

1. Navigate to Environment > Detection. Click on the AGENTS tab, then SYSCHECKS.
2. Configure the parameters according to your needs based on the table above, and save your changes by pressing the corresponding SAVE button.
3. Click on the OSSEC CONTROL tab and restart the OSSEC service by clicking the RESTART button.

SETTING DIFFERENT SYSCHECK FOR DIFFERENT SERVERS

You can set up a different syscheck configuration for each server by adding the configuration for each server to the agent.conf file manually, but you can also do it via the user interface. To configure syscheck for different servers:

1. Navigate to Environment > Detection. Click on the AGENTS tab, then AGENT.CONF. By default, this page is blank.

2. Use a separate <agent_config> element for each server you need to configure. Use the name attribute to denote the name of the server. Specify the parameters for syscheck inside the <syscheck> element. For example:

    <agent_config name="ad2012">
      <syscheck>
        <frequency>21600</frequency>
        <auto_ignore>no</auto_ignore>
        <alert_new_files>yes</alert_new_files>
        <scan_on_start>yes</scan_on_start>
        <directories check_all="yes">c:\temp</directories>
      </syscheck>
    </agent_config>
    <agent_config name="win2008">
      <syscheck>
        <frequency>3600</frequency>
        <auto_ignore>no</auto_ignore>
        <alert_new_files>yes</alert_new_files>
        <scan_on_start>yes</scan_on_start>
        <directories check_all="yes">c:\topsecret</directories>
      </syscheck>
    </agent_config>

3. Save the entries by clicking the SAVE button.
4. Click on the SYSCHECKS tab. Notice that a dropdown menu appears towards the upper right with the name of the first server that you specified. Use the dropdown to select the server and customize the syscheck parameters accordingly.
5. Click on the OSSEC CONTROL tab and restart the OSSEC service by clicking the RESTART button.

REFERENCE

1. Syscheck - OSSEC 2.8.1 documentation: http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/index.html
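Because agent.conf is edited by hand in step 2 above, it helps to check the per-server blocks before restarting OSSEC. The following Python script is an added example (not part of the AlienVault document or of OSSEC) that parses a constructed agent.conf in the same shape as the step 2 example and flags the two settings the guide warns about: REPORT CHANGES (the report_changes attribute on <directories>) enabled on a Windows path, and REALTIME combined with AUTO IGNORE = No, which still stops alerting after 3 changes (note 3). The win2008 block below deliberately contains both problems.

```python
import xml.etree.ElementTree as ET

# Constructed agent.conf; the win2008 block has the two settings to catch.
AGENT_CONF = r"""<agent_config name="ad2012">
  <syscheck>
    <frequency>21600</frequency>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>yes</scan_on_start>
    <directories check_all="yes">c:\temp</directories>
  </syscheck>
</agent_config>
<agent_config name="win2008">
  <syscheck>
    <frequency>3600</frequency>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>yes</scan_on_start>
    <directories check_all="yes" realtime="yes" report_changes="yes">c:\topsecret</directories>
  </syscheck>
</agent_config>"""


def parse_agent_conf(text):
    """agent.conf holds several top-level <agent_config> elements, so wrap
    them in one root before parsing. Returns {agent name: settings}, where
    settings maps each <syscheck> child tag to its text and "directories"
    to a list of (path, attributes)."""
    root = ET.fromstring("<root>" + text + "</root>")
    agents = {}
    for ac in root.findall("agent_config"):
        sc = ac.find("syscheck")
        settings = {c.tag: (c.text or "").strip() for c in sc if c.tag != "directories"}
        settings["directories"] = [(d.text.strip(), dict(d.attrib)) for d in sc.findall("directories")]
        agents[ac.get("name")] = settings
    return agents


def lint(agents):
    """Return (agent, message) pairs for settings the USM guide warns about."""
    issues = []
    for name, s in agents.items():
        for path, attrs in s["directories"]:
            windows_path = path[1:2] == ":"        # drive-letter path, e.g. c:\temp
            if windows_path and attrs.get("report_changes") == "yes":
                issues.append((name, f"report_changes=yes on Windows path {path}: not supported on Windows"))
            if attrs.get("realtime") == "yes" and s.get("auto_ignore") == "no":
                issues.append((name, f"realtime=yes on {path} with auto_ignore=no: alerts still stop after 3 changes"))
    return issues


if __name__ == "__main__":
    for agent, msg in lint(parse_agent_conf(AGENT_CONF)):
        print(f"{agent}: {msg}")
```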