Enable file integrity monitoring in the Endpoint Agent

Introduction

File integrity monitoring, or FIM, is an internal control or process that validates the integrity of both operating-system and application-software files by using a verification method between the current file state and a known file state.

Endpoint Agent supports file integrity monitoring on Linux and macOS using inotify and FSEvents respectively. On Windows it uses the NTFS change journal, so the feature is available only on NTFS-based systems. The daemon reads the list of files or directories to watch from the Universal Agent configuration. The actions on those files, together with their hashes when appropriate, subsequently populate the file_events and ntfs_journal_events tables.

File integrity monitoring lets the system administrator know what is happening in the file system. It currently monitors file modifications and accesses, generating five types of events for Linux and macOS endpoints and 32 for Windows endpoints.

Configuration

To set up your Devo Endpoint Agent Manager for file integrity monitoring, you must enable some flags so that the Endpoint Agent can collect file integrity monitoring events, and set the paths that you want it to monitor.

This can be done in two ways:

  • Using the admin page in the Endpoint Agent Manager.
  • Modifying the options.yaml file and redeploying the deam-packs playbook.

Use the admin page in the Endpoint Agent Manager Web UI

Modifying the osquery configuration via the Web UI only applies to the running configuration instance of the Endpoint Agent Manager; the changes are not replicated to the options.yaml file in the Ansible playbook. Changes made in the Web UI must be consolidated into the options.yaml file in the Ansible playbook before running any new deployment with Ansible. Otherwise, the applied changes are overwritten.

Common steps

  1. Log into your Devo Endpoint Agent Manager administration console (https://<devo_ea_manager_ip>:8080).
  2. Once logged in, go to the osquery configuration page by adding /admin/osquery to the URL (https://<devo_ea_manager_ip>:8080/admin/osquery).
  3. You then see a text editor with the loaded Devo Endpoint Agent Manager options.yaml file, as seen in the following screenshot:
  4. Search for the following flags and set them as indicated within the corresponding configuration section for each endpoint type (or add them if they don't exist):
    - enable_file_events: true (for Linux and macOS endpoints)
    - enable_ntfs_event_publisher: true (for Windows endpoints)
  5. The flags below are also required for file integrity monitoring but are already enabled by default in the Endpoint Agent Manager deployment. If you haven't made any specific changes to your deployment, skip this step. Check the status of these flags by running SELECT name, value FROM osquery_flags in your fleet:
    - disable_events: false (for Windows, Linux, and macOS endpoints)
    - disable_audit: false (for Linux and macOS endpoints)
  6. Once the configuration is updated, click on the Update options button and wait for the agents to update their configuration.

    You can check whether the configuration has been updated by querying the osquery_flags table.
  7. Add the file_paths to the data you want to monitor in the corresponding configuration section (Linux, macOS, and Windows) in options. See the Wildcards section below to learn how to use wildcards in the paths. Be aware that including a large number of files to monitor increases the resources used by the agent.

    Example file_paths configuration: Linux, Windows.

  8. Click on the Update options button and wait for the agents to update the configuration.

Endpoints refresh their configuration every X seconds according to the config_refresh parameter. If the configuration is not refreshed automatically after that period has passed, restart the endpoints so the configuration takes effect.

Using Ansible roles

For an environment that has not been deployed yet, you only have to modify options.yaml to add the flags and the paths to monitor before deploying the Devo Endpoint Agent Manager.

  1. Locate the options.yaml file in the Devo Endpoint Agent Manager installer (usually at playbooks/roles/deam-packs/files/devo-packs/options.yaml).
  2. Open it with your preferred text editor and add the following flags to the corresponding sections:
    a. enable_file_events: true (for Linux and macOS endpoints).
    b. enable_ntfs_event_publisher: true (for Windows endpoints).
  3. The flags below are also required for file integrity monitoring but are already enabled by default in the Endpoint Agent Manager deployment. If you haven't made any specific changes to your deployment, skip this step. Check the status of these flags by running SELECT name, value FROM osquery_flags in your fleet:
    a. disable_audit: false (for Linux and macOS endpoints).
    b. disable_events: false (for Windows, Linux, and macOS endpoints).
  4. Add the file_paths to the data you want to monitor in the corresponding configuration section (Linux, macOS, and Windows):

    Example file_paths configuration: Linux, Windows.

    See the Wildcards section below to learn how to use wildcards in the paths. Be aware that including a large number of files to monitor increases the resources used by the agent.

If you are running a new deployment, continue with the normal deployment process; the change is not applied until devo-endpoint-agent is run.

If you have an existing deployment, run the deam-packs playbook from your deployer folder to apply the configuration:

    ansible-playbook -i inventories/<your_inventory_name>.yaml playbooks/deam-packs.yaml

Endpoints refresh their configuration every X seconds according to the config_refresh parameter. If the configuration is not refreshed automatically after that period has passed, restart the endpoints so the configuration takes effect.
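Both procedures above ask you to verify the flag values with SELECT name, value FROM osquery_flags. The following Python script is an added example, not Devo's or osquery's own code: it checks rows from that query against the per-platform values the procedures require and reports what still has to change in options.yaml. The sample rows are constructed; the JSON shape assumed is the one osqueryi --json prints.

```python
import json
from typing import Dict, List, Tuple

# Flag values that file integrity monitoring needs, per platform, as listed in the
# procedures above. osquery_flags reports every value as a string ("true"/"false").
REQUIRED_FLAGS: Dict[str, Dict[str, str]] = {
    "linux":   {"enable_file_events": "true", "disable_events": "false", "disable_audit": "false"},
    "macos":   {"enable_file_events": "true", "disable_events": "false", "disable_audit": "false"},
    "windows": {"enable_ntfs_event_publisher": "true", "disable_events": "false"},
}

# Constructed sample (not a real host): rows of
# "SELECT name, value FROM osquery_flags" from one Linux endpoint.
SAMPLE_LINUX_FLAGS = json.loads("""[
  {"name": "disable_events", "value": "false"},
  {"name": "disable_audit", "value": "true"},
  {"name": "enable_file_events", "value": "false"},
  {"name": "config_refresh", "value": "300"}
]""")


def check_fim_flags(platform: str, rows: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Compare osquery_flags rows against the required values for a platform.

    Returns {"missing": {flag: required}, "wrong": {flag: (actual, required)}}.
    Both dicts empty means the endpoint is configured to emit FIM events.
    """
    actual = {row["name"]: row["value"].strip().lower() for row in rows}
    required = REQUIRED_FLAGS[platform.lower()]
    missing = {flag: val for flag, val in required.items() if flag not in actual}
    wrong: Dict[str, Tuple[str, str]] = {
        flag: (actual[flag], val)
        for flag, val in required.items()
        if flag in actual and actual[flag] != val
    }
    return {"missing": missing, "wrong": wrong}


def fim_ready(platform: str, rows: List[Dict[str, str]]) -> bool:
    """True when no flag is missing or set to the wrong value."""
    result = check_fim_flags(platform, rows)
    return not result["missing"] and not result["wrong"]


if __name__ == "__main__":
    report = check_fim_flags("linux", SAMPLE_LINUX_FLAGS)
    for flag, (current, wanted) in report["wrong"].items():
        print(f"set {flag}: {wanted} in options.yaml (endpoint currently reports {current})")
    for flag, wanted in report["missing"].items():
        print(f"add {flag}: {wanted} to options.yaml (flag not reported by endpoint)")
```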

Sending to Devo

You have to configure a new pack with two new queries to send the data to Devo.

  1. In the Devo Endpoint Agent Manager, click on Queries in the left menu and look for the Create New Query button:
  2. Create two new queries with the following SQL code:

    For Windows:

    SELECT *, "status.fim" as __devoSubTag FROM ntfs_journal_events;

    For Linux/macOS:

    SELECT *, "status.fim" as __devoSubTag FROM file_events;

  3. Give each query a name, select the corresponding hosts group, and save it.

  4. Click on Packs in the left menu and look for the New Pack button.

  5. Give the pack a name, select the host targets that are affected, and save it.

  6. Once saved, add the previously created queries, setting the interval and the affected hosts for each query.

  7. Save the changes.

Data access

By default, all file integrity monitoring events are ingested into Devo under box.devo_ea.status.fim.

This destination data structure can be configured to point at any my.app.*.* tag.

Help information

Configuration section (per endpoint type): Linux, macOS, Windows.
Wildcards

To specify which files and directories you want to monitor, use fnmatch-style or filesystem globbing patterns to represent the target paths. Use the standard wildcards * and ** or the SQL-style wildcards % and %% as shown below:

  • %: Match all files and folders for one level.
  • %%: Match all files and folders recursively.
  • %abc: Match all within-level ending in "abc".
  • abc%: Match all within-level starting with "abc".
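To see how these wildcard rules decide which files end up being watched (and how much a pattern widens the monitored set, which drives the agent's resource use noted above), here is an added Python example that is not part of the original page or of osquery: it translates file_paths-style patterns into regular expressions using the four rules listed and expands them against a constructed list of file paths. It also rejects %% anywhere but the last path component, a restriction this example imposes; SAMPLE_FILES and the function names are this example's own.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample inventory of absolute file paths (not taken from a real host).
SAMPLE_FILES = [
    "/etc/passwd",
    "/etc/shadow",
    "/etc/ssh/sshd_config",
    "/etc/ssh/ssh_host_ed25519_key",
    "/etc/cron.d/backup",
    "/usr/bin/sudo",
    "/usr/local/bin/deploy.sh",
    "/home/alice/.bashrc",
    "/home/alice/.ssh/authorized_keys",
    "/home/bob/.ssh/authorized_keys",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a SQL-style file_paths pattern into an anchored regex.

    Rules as listed on the page: '%' matches everything within one path level,
    '%%' matches recursively, and '%abc' / 'abc%' match a suffix / prefix within
    a level. This example only accepts '%%' as the final component.
    """
    parts = pattern.split("/")
    pieces: List[str] = []
    for index, part in enumerate(parts):
        if part == "%%":
            if index != len(parts) - 1:
                raise ValueError("'%%' is only supported as the last component: " + pattern)
            pieces.append(".*")            # any depth below this point
        else:
            # Escape literal text chunk by chunk; each '%' becomes "anything but '/'".
            pieces.append("[^/]*".join(re.escape(chunk) for chunk in part.split("%")))
    return re.compile("/".join(pieces))


def expand(pattern: str, files: Iterable[str]) -> List[str]:
    """Return the sorted subset of 'files' that the pattern would monitor."""
    regex = pattern_to_regex(pattern)
    return sorted(path for path in files if regex.fullmatch(path))


def coverage(patterns: Iterable[str], files: Iterable[str]) -> Dict[str, int]:
    """Count how many files each pattern matches: a quick size estimate per entry."""
    files = list(files)
    return {pattern: len(expand(pattern, files)) for pattern in patterns}


if __name__ == "__main__":
    for pat in ["/etc/%", "/etc/%%", "/home/%/.ssh/authorized_keys", "/usr/local/bin/%.sh"]:
        print(f"{pat:35} -> {expand(pat, SAMPLE_FILES)}")
```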