CloudPassage, a Must Have File Integrity Monitor

About File Integrity Monitoring

File integrity monitoring is a feature of CloudPassage Halo that protects the integrity of system and application software on your Linux or Windows cloud servers. It regularly monitors your servers for unauthorized or malicious changes to important system binaries and configuration files. Implementing file integrity monitoring can help you to:

  • Detect unauthorized intrusions into any of your cloud servers.
  • Meet the requirements of mandates and standards such as PCI DSS, HIPAA and SOX, and of guidance such as the CSA and SANS frameworks.
  • Detect tampering with your servers’ system or application code so that it can be investigated and repaired.

Halo accomplishes file integrity monitoring by first saving a baseline record of the “clean” state of your server systems. It then periodically re-scans each server instance and compares the results to that baseline. Any differences detected are logged and reported to the appropriate administrators.
The elements that make up the baseline include cryptographic hashes (checksums) and standard file metadata for all files being monitored, and metadata only for objects that have no content of their own, such as directories and symlinks.
If a later scan reveals that a file’s hash or metadata has changed, a security event is generated. An administrator can inspect the metadata, or the file itself on the server involved, to understand the nature of the change and, if warranted, escalate the issue to an incident-response team.

Installing CloudPassage

1. Manual setup

2. Chef recipes

Linux

You can use the following recipe to install the Halo Daemon on Linux systems using Chef:

Note that node['cloudpassage-key'] should be available in your data bag; you can get the key from the installation tutorial on the CloudPassage website. The daemon key is a credential, so keep it in an encrypted data bag rather than in a plain attribute file committed to version control.

Windows

You can use the following recipe to install the Halo Daemon on Windows systems using Chef:

Note that these are attributes and should have the following values:

  • default[:halo_exe] – the version of Halo daemon you need to install
  • default[:daemon_key] – you can get it by accessing the installation tutorial from https://portal.cloudpassage.com/installers/windows
  • default[:tag] – The tag you want to assign

Creating server groups

First, you’ll need to create Halo server groups to apply policies to. All servers in a group use the same configuration, firewall, and other kinds of security policies. Navigate to the Halo Dashboard by clicking the Servers menu or the CloudPassage Logo in the page header.

Create Group 1-2

Click Add New Group at the bottom of the list of server groups.

Create Group 2-2

Name the server group and choose the policies and profiles to assign to it (if they have already been created; you can also assign policies later).

Create Group 3-2

The Server tag is server specific and can be specified when you start the Halo daemon on your machine.

  • For Linux: sudo /etc/init.d/cphalod start --api-key=youruniqueapikey --tag=WWW
  • For Windows: you will be asked for the tag upon installation, or you can add the /TAG=servertag parameter when starting the service

Click Save Group Settings. Your new group will appear in the list of server groups on the Dashboard.
After creating the server group, add to it all your servers that should have the same set of security policies applied to them. Remember, any server cloned from a server in this group will automatically be added to the group and inherit the same policies.

On the Dashboard, find the servers you want to add to your group. Most likely they are in Unassigned or All Servers.

Create Group 4

Select the servers you want to add to your group by checking the box for each server.

Choose Move Server(s) from the Actions menu, then select the group you want to add the servers to. Then click Move Servers.

Create Group 5

Create Group 6

Now you can navigate to Policy Templates and import a policy template. A template may cover many files that your servers do not have, but there is nothing wrong with that, since a template tries to cover a wide range of Linux distributions; if one of those files shows up unexpectedly on your server, you will receive an alert.

Define a Server Group to Scan

If you have not already installed Halo Daemons on your servers and organized them into groups along functional and architectural lines, do so now.
Choose servers that all share the same operating system configuration and basic applications, so that the same file integrity policy or policies can apply to all of them. For example, all the web servers that use Apache could be in the same server group. Likewise, all the database servers that use MySQL could be in another group.

Using the Halo Portal UI, name the server group and add the set of servers to it.

The result should be close to this:

Create_Group_Result

Create a File Integrity Policy

A file integrity policy is a list of targets to be monitored for changes, plus flags that specify how Halo should treat a detected change to each target.
To create a new policy, go to Policies > File Integrity Policies in the Halo Portal, click Add New Linux Policy or Add New Windows Policy, and fill out the Add New File Integrity Policy form:

New_File_Integration_Policy

As targets, you can specify the following objects: individual files, directories, symbolic links, devices and special files (such as named pipes), or Windows Registry keys. If you specify a directory, you can make the scan recursive (objects at all levels within the target directory are scanned) or non-recursive (only objects at the uppermost level within the directory are scanned). Also, within a directory target, you can either exclude objects that match a specific pattern, or you can include only objects that match the pattern.
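The following is an added example written for this article, not CloudPassage's own code: a toy file-integrity monitor in Python that does what the "About File Integrity Monitoring" section and the target description above describe. It expands policy targets (a file, or a directory walked recursively or only at its top level, with include and exclude glob patterns), records a baseline of SHA-256 hashes plus standard metadata (metadata only for directories and other content-less objects), rescans, and compares the two, carrying a per-target critical flag through to the resulting events. The `Target` fields, the exact metadata recorded, and the constructed sample tree under a temporary directory are assumptions of this example, not Halo's policy format.

```python
"""Toy file-integrity monitor (added example, not CloudPassage code): expand policy targets, baseline, rescan, diff."""
import fnmatch
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
FIXED_MTIME = 1_700_000_000  # constructed: pins mtimes so the demo below is deterministic

@dataclass
class Target:  # assumed policy-target layout, not Halo's
    path: str
    recursive: bool = True   # walk the whole tree, or only the top level
    include: tuple = ()      # if set, keep only objects matching one of these globs
    exclude: tuple = ()      # drop objects matching one of these globs
    critical: bool = False   # changes under this target raise an alert, not just an event

def expand_target(t):
    """Paths a target covers: the object itself plus, for a directory, its contents."""
    if os.path.islink(t.path) or not os.path.isdir(t.path):
        return [t.path]
    selected = [t.path]
    for root, dirs, files in os.walk(t.path):
        for name in dirs + files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, t.path)
            match = lambda globs: any(fnmatch.fnmatch(rel, g) for g in globs)
            if (t.include and not match(t.include)) or match(t.exclude):
                continue
            selected.append(full)
        if not t.recursive:
            break  # os.walk is top-down, so stopping after the first yield keeps one level
    return selected

def fingerprint(path):
    """Metadata for any object (dirs and symlinks included); size and a content hash only for regular files."""
    st = os.lstat(path)
    rec = {"type": stat.S_IFMT(st.st_mode), "mode": stat.S_IMODE(st.st_mode),
           "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        rec["size"] = st.st_size
        with open(path, "rb") as f:  # read in chunks instead for large binaries
            rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return rec

def scan(policy):
    """Map each monitored path to (fingerprint, critical flag of the target it came from)."""
    result = {}
    for t in policy:
        for p in expand_target(t):
            try:
                result[p] = (fingerprint(p), t.critical)
            except FileNotFoundError:
                pass  # gone: compare() reports it as removed if the baseline had it
    return result

def compare(baseline, current):
    """Events as (path, kind, changed_fields, critical), one per object that differs."""
    events = []
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            events.append((p, "removed", (), baseline[p][1]))
        elif p not in baseline:
            events.append((p, "added", (), current[p][1]))
        else:
            old, new = baseline[p][0], current[p][0]
            changed = tuple(k for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k))
            if changed:
                events.append((p, "modified", changed, current[p][1]))
    return events

def _write(path, data):  # constructed file; pin its mtime and its directory's mtime
    with open(path, "wb") as f:
        f.write(data)
    for p in (path, os.path.dirname(path)):
        os.utime(p, (FIXED_MTIME, FIXED_MTIME))

def demo():
    """Constructed mini server tree: baseline it, tamper with it, rescan, return events by relative path."""
    root = tempfile.mkdtemp()
    etc, bin_ = os.path.join(root, "etc"), os.path.join(root, "bin")
    os.makedirs(os.path.join(etc, "ssh"))
    os.makedirs(bin_)
    _write(os.path.join(etc, "ssh", "sshd_config"), b"PermitRootLogin no\n")
    _write(os.path.join(etc, "motd"), b"welcome\n")
    _write(os.path.join(bin_, "ls"), b"\x7fELF stand-in for a binary\n")
    policy = [Target(etc, recursive=True, exclude=("motd",)),
              Target(bin_, recursive=False, critical=True)]
    baseline = scan(policy)
    # Tampering: config weakened, setuid bit added, new binary dropped, excluded motd changed.
    _write(os.path.join(etc, "ssh", "sshd_config"), b"PermitRootLogin yes\n")
    os.chmod(os.path.join(bin_, "ls"), 0o4755)
    _write(os.path.join(bin_, "nc"), b"constructed backdoor\n")
    _write(os.path.join(etc, "motd"), b"owned\n")
    events = compare(baseline, scan(policy))
    return {os.path.relpath(p, root): (kind, changed, crit) for p, kind, changed, crit in events}

if __name__ == "__main__":
    for rel, (kind, changed, crit) in demo().items():
        print("ALERT" if crit else "event", kind, rel, changed)
```

Running the script reports three events: the weakened sshd_config (hash and size changed, non-critical), the setuid bit on ls (mode changed, critical) and the new nc binary in a critical, non-recursive directory (added, critical). The edit to motd is silent because the policy excludes it, which is exactly the trade-off an exclude pattern buys you. Note also that anything modified and reverted between two scans leaves no trace here, which is why the scan interval chosen later in this article matters.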

Specify a Baseline Server and Run a Baseline Scan

Every file integrity policy needs to be associated with a specific server that functions as the gold master template for all of the servers that will be scanned using that policy. The gold master needs to contain known good versions of all of the targets specified in the policy. You can pick an existing cloud server or set up a dedicated one, local or in the cloud; it must be correctly configured, clean, and up to date. Treat it as a protected asset: if the gold master is itself compromised, the attacker’s changes are baked into the baseline and every later scan will treat them as normal.

You normally assign the baseline server to the policy immediately after saving the policy. When you click the Add Baseline button on the policy’s page in the Halo Portal, you are asked to select the server.

Select_Baseline_Server

As soon as you have done that and clicked Request Baseline, the baseline scan runs. When it finishes, your policy is complete.

Before you run a baseline scan, you can optionally give it an expiration date. After you run the scan, you can inspect the baseline report to verify that no targets were missed.

Assign the Policy to a Server Group

The last step in preparing to run file integrity scans is to assign your policy to the server group that you created. Naturally, all the servers in the group must match the policy’s baseline server (or servers) — at least in the portions of server structure and content that will be scanned.
Go to the Edit Details page for that group to make the assignment. If you need more detailed instructions, see Cloud Passage – Assign Policy To Server Group

Scanning

Execute a Manual Scan

You can schedule scans to run automatically at regular intervals, or you can manually kick off an immediate scan at any time. For a manual scan, you can choose to scan all of your servers, one server group, or a subset of the servers in a server group.
Click the Integrity icon on the Halo Dashboard and then select All Servers or some other server group. Use the checkboxes to select all servers in the group or one or more individual servers. Then choose Launch Scan from the Actions menu to run the scan.

Launch_Integrity_Scan

Manage Scan Results

Once you have run the baseline scan for a policy, assigned the policy to a server group, and then manually scanned your servers, you can view the results to address security events and alerts, and to manage updates to file integrity settings and policies.

Going forward, be sure to set up automatic scanning so that your servers are regularly examined for file integrity issues. You can do that in the Halo Portal under the Site Administrator menu > Site Administration, on the Scanner Settings tab.

Monitoring_Settings_1

Monitoring_Settings_2

Execute an Automatic Scan

Under Scanner Scheduling, in the line for “File Integrity Monitoring”, select Enable Automatic Scanning, then choose a scan frequency from once per hour to once per week. Leave Execute scan on daemon start selected if you want to run an initial scan on each server as soon as it starts up. The next scheduled scan will occur in as little as one hour or as much as 24 hours later, depending on the frequency you have specified. Note that only servers in groups that have an assigned file integrity policy are scanned at each automatic scan.

Depending on the number and size of the targets in your policy, running a monitoring scan on all the servers in a server group may take some time. Specifying a high scanning frequency for a large group might impact the performance of your servers.

Halo records all changes to policy-defined target files that it finds during monitoring scans. If you are an administrator assigned to addressing file integrity issues, you can view them on the Halo Dashboard by clicking the File Integrity icon, selecting the server group that was scanned, and then clicking the name of the server whose results you want to see.

Security_Events_1

The results displayed for each violation or event include a flag if the event is critical, the date/time of its occurrence, and various event details. Click More details to see both the original baseline metadata and the current metadata for the changed file or directory.

Configuring Alerts

A file integrity policy may specify that changes to certain targets constitute events that are severe enough that an alert should be sent to the appropriate administrators. The person creating or editing the policy specifies which events should be associated with alerts.
Alerts go to the users listed in an alert profile assigned to the server group to which the file integrity policy is assigned. By default, all server groups have an alert profile consisting of the registered Halo user for the company. A Halo site administrator can create additional alert profiles that list one or more other Halo users that should receive alerts involving that server group.

There are two types of alerts, Critical and Non-critical, triggered according to the severity assigned to the affected target in the policy.

To create an alert profile, go to Policies > Alert Profiles.

Configuring_Alert_Profiles_1

This lists all the configured alert profiles. To add a new one, click Add New Alert Profile.

Configuring_Alert_Profiles_2

Fill out the desired fields and specify the recipients of the alerts. You can add Halo Users or External Recipients, as needed, and you can configure e-mail delivery for Critical alerts, Non-critical alerts, or both.

After you have finished, click Save, navigate to Servers, select the desired server group and click Edit Details.

Assign_Policy_1

Scroll down to the Alerts section and apply the newly created alert profile.

Will these catch all attacks?

Sadly, no. File integrity monitoring policies catch attacks that actually modify monitored files on disk. If an attack only exploits a running copy of one of these programs and never changes anything on disk (a memory-resident payload, for instance, or one that only reads files, as credential theft does), file integrity monitoring will not catch it. Because scans run periodically, a change that is made and reverted between two scans is also invisible, so the scan interval is part of your detection capability.

The good news is that there is a reasonably good chance that the attacker will have to modify files as part of the initial break-in, while escalating to root privileges, or when installing a backdoor to guarantee future access. The FIM policies are designed to provide ready-to-run checks for especially sensitive files, and the FIM templates give you an out-of-the-box starting point for detecting the file changes that most intrusions involve; if you need more than that, you can customise them to fit your needs.