FortiSIEM Agent-less File-Integrity Monitoring

Agent-less File-Integrity Monitoring

You can use file integrity monitoring to make sure that critical files and directories on servers are not modified. When you enable a file integrity monitor for a specific file or directory, the monitor will:

  1. Log in to the system using SSH.
  2. Compute the checksums of the files or a directory, including all files in the directory.
  3. Periodically verify the computed checksums.
  4. Create an event when a change to the checksums is detected.

Supported Servers

Example Events

A Directory is Modified by Adding a File

A Specific File is Modified

A Specific File is Deleted

Permissions or Ownership of a Specific File or Any File in a Directory is Changed File Scan Event

Adding the File Integrity Monitoring Performance Object

Performance Object Configuration for File Integrity Monitoring

Performance Object Configuration for Directory Integrity Monitoring

Associating Device Types to Performance Objects

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

Change: Audited File Added/Deleted

Change: Audited File Content Modifications

Change: Audited File Attribute Modifications

Supported Servers

File and directory integrity monitoring is supported for these servers:

Linux variants

Unix variants

Windows (with Unix tools installed that allow SSH)

Example Events

These are examples of events that are generated by FortiSIEM when a file or directory is modified, deleted, or has its permissions changed.

File Monitors and Event Types

Unlike other custom monitors, you don’t need to set the event type to associate with the monitor. When you select File Monitor for the Used For option, this automatically associates the event types with the file or directory you specify for monitoring. These examples include the event type associated with each monitoring event.

A Directory is Modified by Adding a File

Event Type: PH_DEV_MON_CUST_FILE_CHANGE_CONTENT

A Specific File is Deleted

Permissions or Ownership of a Specific File or Any File in a Directory is Changed

Event Type: PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB.

For permissions changes, look for the preaccess and access attributes.

For ownership changes, look for the preuser, user, pregroup, and group attributes.

File Scan Event

Event Type: PH_DEV_MON_CUST_FILE_SCAN

When FortiSIEM scans a file or a directory, this event is generated and can be reported against.

Adding the File Integrity Monitoring Performance Object

In multi-tenant deployments, the performance object should be created by the Super/Global account, and will apply to all organizations. For both multi-tenant and enterprise deployments, the performance object can be created for an organization by any user who has access to the Admin ta b.

In this case, you will create one performance object for each file or directory you want to monitor. You don’t need to create a new event type or event attribute type, as these are automatically associated with the performance object when you select File Monitoring for the Used For field. Performance Object Configuration for File Integrity Monitoring

Field Setting
Name LinuxFileMon
Type Application
Method Login
Used For File Monitor
File Path home/admin/FileMon/file.txt
Polling Frequency 30 seconds

Performance Object Configuration for Directory Integrity Monitoring

Field Setting
Name LinuxDirMon
Type Application
Method Login
Used For File Monitor
File Path home/admin/DirectoryMon
Polling Frequency 30 seconds

Associating Device Types to Performance Objects

You should associate the performance object to the Linux, Unix, or SSH-capable Windows device type that contains the file or directory path you want to monitor.

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly.

Change: Audited File Added/Deleted

Create a structured historical search with these settings:

Filter Criteria Display

Columns

Time For

Organizations

Structured

Event Type IN (“PH_DEV_MON_CUST_FILE_CREATE”,”PH_DEV_MON_CUST_FILE_DELETE”)

Group by:[None]

Event Receive

Time

Last 1

Day

All

Change: Audited File Content Modifications

Create a structured historical search with these settings:

Filter Criteria Display Columns Time For Organizations
Structured

Event Type =”PH_DEV_MON_CUST_FILE_DELTA” Group by:[None]

Event Receive Time, Host Last 1 Day All

Change: Audited File Attribute Modifications Create a structured historical search with these settings:

Filter Criteria Display Columns Time For Organizations
Structured

Event Type =”PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB” Group by:[None]

Event Receive Time, Host Last 1 Day All

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.