File integrity monitoring (FIM) is an internal control or process that performs the act of validating the integrity of operating system and application software files using a verification method between the current file state and a known file state.
Endpoint Agent supports File integrity monitoring (FIM) on Linux and macOS using inotify and FSEvents respectively, and on Windows in a different fashion, using the NTFS change journal, so on Windows only NTFS volumes are covered. The daemon reads a list of files/directories from the EA configuration. The actions on those selected files (and their hashes, when appropriate) populate the file_events and ntfs_journal_events tables.
File integrity monitoring (FIM) lets the system administrator know what is happening in the monitored parts of the file system. Currently, it monitors modifications and file accesses, generating 5 types of events on Linux/macOS endpoints and 32 on Windows endpoints.
Configuration
To set up our Devo EA Manager for FIM we need to activate some flags so that Endpoint Agent retrieves FIM events, and set the path(s) that we are going to monitor with this utility.
This can be accomplished in two different ways:
- Using the admin page in the EA Manager.
- Modifying the inventory file and redeploying the deam-packs playbook.
Consider that on macOS, the osqueryd agent (or Terminal.app, if using osqueryi) may need Full Disk Access permissions, in Security and Privacy settings.
Use admin page in EA Manager Web UI
Please be aware that modifying the osquery configuration via the Web UI applies only to the running EA Manager configuration and does not replicate the change to the inventory file of the Ansible playbook. Changes made in the Web UI must therefore be consolidated into the inventory file before performing any new Ansible deployment, or they will be overwritten.
Common steps
- Log in to your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080).
- Once logged in, access the osquery configuration in https://<devo_ea_manager_ip>:8080/ -> Settings -> Global agent options. Here we will see a text editor with the default configuration values and the ones loaded from the DEA Manager inventory file, as in the following screenshot.
- We need to search for the following flags and set them as indicated within the corresponding configuration section for each endpoint type (or add them if they do not exist):
  enable_file_events: true (for Linux and macOS endpoints)
  enable_ntfs_event_publisher: true (for Windows endpoints)
The flags below are also required for FIM but are already enabled by default in the EA Manager deployment. If you have not made any specific change to your deployment, you can skip this step. You can check the status of these flags by running SELECT name, value FROM osquery_flags in your fleet.
  disable_events: false (for Windows, Linux and macOS endpoints)
  disable_audit: false (for Linux and macOS endpoints)
- Once the configuration is updated, save the changes and wait for the agents to update their configuration. You can check whether the configuration has been updated by querying the osquery_flags table.
- Add the file_paths to monitor in the corresponding configuration section (Linux, macOS and Windows) in options. The following screenshots show the configuration for Linux, Windows and macOS.
[Screenshot: Linux configuration] [Screenshot: Windows configuration] [Screenshot: macOS configuration]
- Finally, save the changes and wait for the agents to update their configuration.
Endpoints refresh their configuration every X seconds according to the config_refresh parameter. If the configuration is not refreshed automatically after that period has passed, you may need to restart the endpoints so the new configuration takes effect.
Using devo-ea-deployer
For a non-deployed environment, we just need to modify the inventory file before deploying the Devo EA Manager, adding the flags and the paths to monitor.
- Locate the inventory file used in your Devo EA Manager deployment.
- Open it with your preferred text editor and add the following options under the corresponding OS flag (in the vars section) of your inventory file:
  enable_file_events: true (only for Linux and macOS endpoints, under the deam_fleet_config_agent_opts_nix or deam_fleet_config_agent_opts_darwin flags for Linux or macOS respectively)
  Linux:
    all:
      vars:
        deam_fleet_config_agent_opts_nix:
          enable_file_events: true
  MacOS:
    all:
      vars:
        deam_fleet_config_agent_opts_darwin:
          enable_file_events: true
  enable_ntfs_event_publisher: true (only for Windows endpoints, under the deam_fleet_config_agent_opts_win flag)
    all:
      vars:
        deam_fleet_config_agent_opts_win:
          enable_ntfs_event_publisher: true
  The flags below are also required for FIM but are already enabled by default in the EA Manager deployment. If you have not made any specific change to your deployment, you can skip this step. You can check the status of these flags by running SELECT name, value FROM osquery_flags in your fleet.
  disable_audit: false (only for Linux and macOS endpoints, under the deam_fleet_config_agent_opts_nix or deam_fleet_config_agent_opts_darwin flags for Linux or macOS respectively)
  disable_events: false (for Windows, Linux and macOS endpoints; can be placed under each specific OS flag or under the common one, deam_fleet_config_agent_opts)
- Add the file_paths to monitor in the corresponding configuration section (Linux, macOS and Windows) of your inventory file:
  Linux:
    all:
      vars:
        deam_fleet_config_agent_opts_nix:
          enable_file_events: true
        deam_fleet_config_file_paths_nix:
          homes:
            - /home/%%
          etc:
            - /etc/%
  Windows:
    all:
      vars:
        deam_fleet_config_agent_opts_win:
          enable_ntfs_event_publisher: true
        deam_fleet_config_file_paths_win:
          documents:
            - 'C:\Users\vagrant\Documents'
          tmp:
            - 'C:\tmp\*'
  MacOS:
    all:
      vars:
        deam_fleet_config_agent_opts_darwin:
          enable_file_events: true
        deam_fleet_config_file_paths_darwin:
          homes:
            - /home/%%
          etc:
            - /etc/%
- If you are running a new deployment, continue with the normal deployment process; the change will not be applied until the devo-endpoint-agent playbook is run.
- If you have an existing deployment:
  Enable the virtual environment by running:
    source "/opt/ansible-2.9/venv/bin/activate"
  Run the deam-packs playbook from your deployer folder to apply the configuration:
    ansible-playbook -i inventories/<your_inventory_name>.yaml playbooks/deam-packs.yaml
Endpoints refresh their configuration every X seconds according to the config_refresh parameter. If the configuration is not refreshed automatically after that period has passed, you may need to restart the endpoints so the new configuration takes effect.
Sending to Devo
We need to configure a new pack with two new queries to send the data to Devo.
- In the Devo EA Manager, click on "Queries" in the left menu and click the "Create New Query" button.
- Create 2 new queries with the following SQL code:
  For Windows:
    SELECT *, "status.fim" as __devoSubTag FROM ntfs_journal_events;
  For Linux/macOS:
    SELECT *, "status.fim" as __devoSubTag FROM file_events;
- Create and save the new queries with the names you wish.
- Now, click on "Packs" in the left menu and click the "New Pack" button.
- Name it as you wish, select the target hosts that are affected and save it.
- Once saved, add the previously created queries (setting the interval and the affected hosts for each query).
- Save the changes.
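The two pack queries above return rows with different schemas: file_events (Linux/macOS) carries target_path plus md5/sha1/sha256 columns, while ntfs_journal_events (Windows) carries path/old_path and no hash columns at all. The following is an added example, not Devo or osquery code, showing how a consumer of the ingested rows might normalize both shapes and then perform the comparison FIM is about: checking each hashed event against a known-good baseline. All rows, hashes and the Windows action label are constructed for illustration.

```python
# Added example (not Devo or osquery code): normalize rows returned by the two pack queries
# into one record shape, then check hashed rows against a known-good baseline.
# Every row and hash below is constructed for illustration.
from typing import Dict, List

# Rows as the two pack queries would emit them: file_events (Linux/macOS) carries target_path and
# hashes; ntfs_journal_events (Windows) carries path/old_path and no hash columns at all.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"__devoSubTag": "status.fim", "target_path": "/etc/passwd", "action": "UPDATED",
     "sha256": "1111aaaa", "time": "1700000100"},
    {"__devoSubTag": "status.fim", "target_path": "/home/alice/.ssh/authorized_keys",
     "action": "CREATED", "sha256": "2222bbbb", "time": "1700000200"},
    {"__devoSubTag": "status.fim", "target_path": "/etc/hostname", "action": "UPDATED",
     "sha256": "3333cccc", "time": "1700000300"},
    {"__devoSubTag": "status.fim", "path": r"C:\Users\vagrant\Documents\notes.docx",
     "old_path": "", "action": "FILE_MODIFIED", "time": "1700000400"},  # constructed action label
]

# Known-good hashes (constructed). In practice this comes from a golden image or a prior snapshot.
BASELINE: Dict[str, str] = {
    "/etc/passwd": "0000ffff",    # differs from the event above -> unplanned change or tampering
    "/etc/hostname": "3333cccc",  # matches -> benign rewrite
}


def normalize(row: Dict[str, str]) -> Dict[str, str]:
    """Map a file_events or ntfs_journal_events row to a common shape."""
    if "target_path" in row:  # file_events schema
        return {"source": "file_events", "path": row["target_path"],
                "action": row["action"], "sha256": row.get("sha256", ""), "time": row["time"]}
    return {"source": "ntfs_journal_events", "path": row["path"],  # ntfs_journal_events schema
            "action": row["action"], "sha256": "", "time": row["time"]}


def check_against_baseline(rows, baseline) -> Dict[str, List[str]]:
    """Classify events: hash differs from baseline, matches it, path unknown to baseline, or no hash."""
    result: Dict[str, List[str]] = {"changed": [], "unchanged": [], "new": [], "unverifiable": []}
    for raw in rows:
        ev = normalize(raw)
        if not ev["sha256"]:
            # Windows journal rows (and unhashed file_events rows) cannot be compared by content.
            result["unverifiable"].append(ev["path"])
        elif ev["path"] not in baseline:
            result["new"].append(ev["path"])
        elif ev["sha256"] != baseline[ev["path"]]:
            result["changed"].append(ev["path"])
        else:
            result["unchanged"].append(ev["path"])
    return result


if __name__ == "__main__":
    for bucket, paths in check_against_baseline(SAMPLE_ROWS, BASELINE).items():
        print(f"{bucket}: {paths}")
```

The practical point is the "unverifiable" bucket: Windows events from ntfs_journal_events tell you that a file changed, but not what it now contains, so any hash-based verification on Windows has to be done by a separate query or tool.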
Data access
By default, all FIM events sent by these queries are ingested into Devo under box.devo_ea.status.fim.
This destination data structure can be configured to point at any my.app.*.* tag.
Help information
Configuration section (per endpoint type)
[Screenshot: Linux] [Screenshot: macOS] [Screenshot: Windows]
Wildcards
To specify which files and directories you wish to monitor, you must use fnmatch-style, or filesystem globbing, patterns to represent the target paths. You may use standard wildcards (* and **) or SQL-style wildcards (% and %%), as shown below.
- %: Match all files and folders for one level.
- %%: Match all files and folders recursively.
- %abc: Match all within-level ending in "abc".
- abc%: Match all within-level starting with "abc".
Troubleshooting
You might experience some issues when working on Windows. To avoid them, make sure the files or folders to be monitored exist before osquery is started.
Also on Windows, if a folder is watched, events are generated not only for that folder and the files it contains, but also for its sub-folders and the files they contain.