Enable file integrity monitoring in the Endpoint Agent

File integrity monitoring (FIM) is an internal control or process that validates the integrity of operating system and application files by comparing the current state of each file against a known (baseline) state.

Endpoint Agent supports file integrity monitoring (FIM) on Linux and macOS, using inotify and FSEvents respectively, and on Windows in a different fashion: there it reads the NTFS change journal, so it is only available on NTFS-based file systems. The daemon reads the list of files and directories to watch from the EA configuration. Actions on those files (and their hashes, where appropriate) populate the file_events and ntfs_journal_events tables.

File integrity monitoring (FIM) lets the system administrator know what is happening in the file system. Currently it monitors file modifications and accesses, generating 5 event types on Linux/macOS endpoints and 32 on Windows endpoints.

Configuration

To set up our Devo EA Manager for FIM we need to activate some flags so that Endpoint Agent retrieves FIM events, and to set the path or paths that we are going to monitor with this utility.

This can be accomplished in two different ways:

  • Using the admin page in the EA Manager.

  • Modifying the inventory file and redeploying the deam-packs playbook.

Note that on macOS, the osqueryd agent (or Terminal.app, if using osqueryi) may need the Full Disk Access permission in the Security & Privacy settings.

Using the admin page in the EA Manager Web UI

Be aware that modifying the osquery configuration through the Web UI only applies to the running EA Manager instance; the change is not replicated to the inventory file of the Ansible playbook. Any configuration change made in the Web UI must therefore be consolidated into the inventory file before running a new Ansible deployment, or the applied changes will be overwritten.

Common steps

  1. Log in to your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080).

  2. Once logged in, open the osquery configuration at https://<DEAM_IP>:8080/ -> Settings -> Global agent options.

  3. Here you will see a text editor with the default configuration values and those loaded from the DEA Manager inventory file, as in the following screenshot.

  4. Search for the following flags and set them as indicated in the configuration section for each endpoint type (or add them if they do not exist):

    1. enable_file_events: true (for Linux and macOS endpoints)

    2. enable_ntfs_event_publisher: true (for Windows endpoints)

  5. The following flags are also required for FIM but are already enabled by default in the EA Manager deployment. If you have not made any specific change to your deployment, you can skip this step. You can check the status of these flags by running SELECT name, value FROM osquery_flags in your fleet.

    1. disable_events: false (for Windows, Linux and macOS endpoints)

    2. disable_audit: false (for Linux and macOS endpoints)

  6. Once the configuration is updated, save the changes and wait for the agents to pick up the new configuration.
    **You can check whether the configuration has been updated by querying the “osquery_flags” table.

  7. Add the paths to monitor under file_paths in the corresponding configuration section (Linux, macOS and Windows) of the options:

    The following screenshots show the configuration for Linux and Windows.

Linux

Windows

macOS

Finally, save the changes and wait for the agents to update their configuration.

Endpoints refresh their configuration every X seconds, according to the config_refresh parameter. If the configuration has not been refreshed automatically after that period has passed, you may need to restart the endpoints for the configuration to take effect.

Using devo-ea-deployer

For an environment that has not been deployed yet, we only need to modify the inventory file before deploying the Devo EA Manager, adding the flags and the paths to monitor.

  1. Locate the inventory file we used in our Devo EA Manager deployment.

  2. Open it with your preferred text editor and add the following entries under the corresponding OS flag (in the vars section) of your inventory file:

    1. enable_file_events: true (only for Linux and macOS endpoints, under the deam_fleet_config_agent_opts_nix or deam_fleet_config_agent_opts_darwin flag for Linux or macOS respectively)

      Linux:

      all:
        vars:
          deam_fleet_config_agent_opts_nix:
            enable_file_events: true

      macOS:

      all:
        vars:
          deam_fleet_config_agent_opts_darwin:
            enable_file_events: true

    2. enable_ntfs_event_publisher: true (only for Windows endpoints, under the deam_fleet_config_agent_opts_win flag)

      all:
        vars:
          deam_fleet_config_agent_opts_win:
            enable_ntfs_event_publisher: true
  3. The following flags are also required for FIM but are already enabled by default in the EA Manager deployment. If you have not made any specific change to your deployment, you can skip this step. You can check the status of these flags by running SELECT name, value FROM osquery_flags in your fleet.

    1. disable_audit: false (only for Linux and macOS endpoints, under the deam_fleet_config_agent_opts_nix or deam_fleet_config_agent_opts_darwin flag for Linux or macOS respectively)

    2. disable_events: false (for Windows, Linux and macOS endpoints; it can be placed under each specific OS flag or under the common one → deam_fleet_config_agent_opts)

  4. Add the paths to monitor under file_paths in the corresponding configuration section (Linux, macOS and Windows) of your inventory file:

    Linux:

    Windows:

    macOS:

If you are running a new deployment, continue with the normal deployment process; the change will not be applied until the devo-endpoint-agent playbook is run.

If you have an existing deployment:

  • Enable the virtual environment by running:

  • Run the deam-packs playbook from your deployer folder to apply the configuration:

Sending to Devo

We need to configure a new pack with two new queries for sending the data to Devo.

  1. In the Devo EA Manager, click “Queries” in the left menu and look for the “Create New Query” button.

  2. Create two new queries with the following SQL code:

    For Windows:

    For Linux/macOS:

  3. Create and save the new queries with the names you wish.

  4. Now click “Packs” in the left menu and look for the “New Pack” button.

  5. Name it as you wish, select the target hosts that are affected and save it.

  6. Once saved, add the previously created queries (setting the interval and the affected hosts for each query).

  7. Save the changes.

Data access

By default, all FIM data collected by these queries is ingested into Devo under the box.devo_ea.status.fim tag.

**This destination tag can be configured to point at any my.app.*.* tag.

Help information

Configuration section (per endpoint type)

Linux

macOS

Windows

Wildcards

To specify which files and directories you wish to monitor, use fnmatch-style (filesystem globbing) patterns to represent the target paths. You may use the standard wildcards * and ** or the SQL-style wildcards % and %%, as shown below.

  • %: Match all files and folders for one level.

  • %%: Match all files and folders recursively.

  • %abc: Match all within-level ending in "abc".

  • abc%: Match all within-level starting with "abc".
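As an added illustration of how a file_paths section and these wildcards interact (example code written for this page, not part of the Devo or osquery projects): a small Python model that takes a file_paths configuration in osquery's category-to-patterns shape and reports which categories would cover a given path, so you can check a pattern before deploying it. The pattern translation is a simplified assumption of the documented semantics rather than osquery's own resolver, and every category and path below is constructed.

```python
import re

# Constructed example in the shape of an osquery "file_paths" section
# (category -> list of path patterns) using the wildcards documented above.
# The categories and paths are made up for illustration, not taken from the page.
FILE_PATHS = {
    "etc": ["/etc/%%"],
    "ssh_keys": ["/home/%/.ssh/%%"],
    "binaries": ["/usr/bin/%", "/usr/local/bin/%"],
    "shell_rc": ["/home/%/.%rc"],
    "logrotate": ["/etc/logrotate.d/%", "/etc/%.conf"],
    "windows_hosts": [r"C:\Windows\System32\drivers\etc\%"],
}


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate one monitored-path pattern into an anchored regex.

    Simplified model of the documented semantics (an assumption, not osquery's
    own resolver): '%%' matches any depth, '%' matches within one level only,
    so '%abc' / 'abc%' become suffix / prefix matches inside a single level.
    '*' and '**' are treated like '%' and '%%'. Backslashes are normalised to
    '/' so Windows patterns work too.
    """
    pattern = pattern.replace("\\", "/")
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith(("%%", "**"), i):
            out.append(".*")      # recursive: may cross directory separators
            i += 2
        elif pattern[i] in "%*":
            out.append("[^/]*")   # one level only: stops at the next '/'
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def categorize(path: str, file_paths: dict = FILE_PATHS) -> list:
    """Return the categories whose patterns cover `path` ([] if not watched).

    A path can fall under several categories when patterns overlap, e.g.
    '/etc/%%' and '/etc/%.conf' both cover /etc/logrotate.conf.
    """
    path = path.replace("\\", "/")
    return [cat for cat, pats in file_paths.items()
            if any(pattern_to_regex(p).match(path) for p in pats)]
```

The category names returned here correspond to the category column that FIM events carry, which is what a Devo query would later filter on.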

Troubleshooting

You might experience some issues on Windows. To prevent them, make sure the files or folders under surveillance are created before osquery is started.

Also on Windows, if a folder is watched, events are generated not only for that folder and the files it contains, but also for its sub-folders and the files they contain.