Agent-less File-Integrity Monitoring
You can use file integrity monitoring to detect changes to critical files and directories on servers. When you enable a file integrity monitor for a specific file or directory, the monitor will:
- Log in to the system using SSH.
- Compute the checksums of the specified file, or of the specified directory including all files in it.
- Periodically recompute and verify the checksums.
- Create an event when a change to the checksums is detected.
Supported Servers
Example Events
    A Directory is Modified by Adding a File
    A Specific File is Modified
    A Specific File is Deleted
    Permissions or Ownership of a Specific File or Any File in a Directory is Changed
    File Scan Event
Adding the File Integrity Monitoring Performance Object
    Performance Object Configuration for File Integrity Monitoring
    Performance Object Configuration for Directory Integrity Monitoring
Associating Device Types to Performance Objects
Testing the Performance Monitor
Enabling the Performance Monitor
Writing Queries for the Performance Metrics
    Change: Audited File Added/Deleted
    Change: Audited File Content Modifications
    Change: Audited File Attribute Modifications
Supported Servers
File and directory integrity monitoring is supported for these servers:
Linux variants
Unix variants
Windows (with Unix tools installed that allow SSH)
Example Events
These are examples of events that are generated by FortiSIEM when a file or directory is modified, deleted, or has its permissions changed.
File Monitors and Event Types
Unlike other custom monitors, you don’t need to set the event type to associate with the monitor. When you select File Monitor for the Used For option, this automatically associates the event types with the file or directory you specify for monitoring. These examples include the event type associated with each monitoring event.
A Directory is Modified by Adding a File
Event Type: PH_DEV_MON_CUST_FILE_CHANGE_CONTENT
A Specific File is Deleted
Permissions or Ownership of a Specific File or Any File in a Directory is Changed
Event Type: PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB
For permissions changes, look for the preaccess and access attributes.
For ownership changes, look for the preuser, user, pregroup, and group attributes.
File Scan Event
Event Type: PH_DEV_MON_CUST_FILE_SCAN
When FortiSIEM scans a file or a directory, this event is generated and can be reported against.
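The scan, compare and alert loop described at the top of this page, together with the pre/post attribute pairs listed for attribute-change events, as an added Python example. This is not FortiSIEM code and does not describe its internals: the SSH session is assumed away and the scan runs over a local directory tree, the event type names are the ones that appear on this page but which condition raises which is this example's own mapping, and the attribute names fileName, fileCount, preHash and hash are made up for the example.

```python
"""Added example: a minimal agent-less-style file/directory integrity scan.

Baseline = per-file SHA-256 plus mode, owner and group. A later scan is
compared against the baseline and events are emitted. Runs on a local tree
in place of the SSH-collected view a real monitor would use.
"""
import hashlib
import os
import stat
import tempfile

# Event type names taken from this page; which condition raises which is
# this example's own choice, not a statement about FortiSIEM's logic.
FILE_CREATE = "PH_DEV_MON_CUST_FILE_CREATE"
FILE_DELETE = "PH_DEV_MON_CUST_FILE_DELETE"
FILE_DELTA = "PH_DEV_MON_CUST_FILE_DELTA"
FILE_CHANGE_ATTRIB = "PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB"
FILE_SCAN = "PH_DEV_MON_CUST_FILE_SCAN"


def _owner(st):
    """Return (user, group) names; fall back to numeric ids where the
    pwd/grp databases are unavailable or the id has no name."""
    try:
        import grp
        import pwd
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except (ImportError, KeyError):
        return str(st.st_uid), str(st.st_gid)


def file_record(path):
    """Checksum plus the attributes the page says to watch: access, user, group."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    user, group = _owner(st)
    return {
        "sha256": h.hexdigest(),
        "access": oct(stat.S_IMODE(st.st_mode)),  # permission bits, e.g. '0o644'
        "user": user,
        "group": group,
    }


def snapshot(root):
    """Map relative path -> record for every regular file under root.
    A single file path is accepted too, mirroring the file-monitor and
    directory-monitor performance objects on the page."""
    if os.path.isfile(root):
        return {os.path.basename(root): file_record(root)}
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):  # skip sockets, fifos, dangling symlinks
                result[os.path.relpath(full, root)] = file_record(full)
    return result


def diff_snapshots(before, after):
    """Compare two snapshots and return the events a monitor would raise.
    A scan event is always emitted; content and attribute changes on the
    same file produce two separate events."""
    events = [{"eventType": FILE_SCAN, "fileCount": len(after)}]
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old is None:
            events.append({"eventType": FILE_CREATE, "fileName": path})
        elif new is None:
            events.append({"eventType": FILE_DELETE, "fileName": path})
        else:
            if old["sha256"] != new["sha256"]:
                events.append({"eventType": FILE_DELTA, "fileName": path,
                               "preHash": old["sha256"], "hash": new["sha256"]})
            attrs = ("access", "user", "group")
            if any(old[a] != new[a] for a in attrs):
                # pre* / current pairs, as the page names them for this event type
                ev = {"eventType": FILE_CHANGE_ATTRIB, "fileName": path}
                for a in attrs:
                    ev["pre" + a], ev[a] = old[a], new[a]
                events.append(ev)
    return events


def query(events, event_types):
    """The structured-search filter from the page: Event Type IN (...)."""
    wanted = set(event_types)
    return [e for e in events if e["eventType"] in wanted]


def run_demo():
    """Constructed scenario: baseline a directory, then edit, chmod, add and
    delete files, and return the resulting events."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("keep.txt", b"stable"), ("edit.txt", b"v1"),
                           ("perm.txt", b"x"), ("gone.txt", b"bye")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        os.chmod(os.path.join(root, "perm.txt"), 0o644)
        baseline = snapshot(root)

        with open(os.path.join(root, "edit.txt"), "wb") as f:
            f.write(b"v2")                                  # content change
        os.chmod(os.path.join(root, "perm.txt"), 0o600)    # permission change
        with open(os.path.join(root, "new.txt"), "wb") as f:
            f.write(b"added")                               # file added
        os.remove(os.path.join(root, "gone.txt"))          # file deleted
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for ev in run_demo():
        print(ev)
```

In the demo, keep.txt raises nothing, edit.txt raises a content event, perm.txt an attribute event with preaccess 0o644 and access 0o600, new.txt a create and gone.txt a delete; `query` narrows that list the way the "Audited File Added/Deleted" search on this page does.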
Adding the File Integrity Monitoring Performance Object
In multi-tenant deployments, the performance object should be created by the Super/Global account, and will apply to all organizations. For both multi-tenant and enterprise deployments, the performance object can be created for an organization by any user who has access to the Admin tab.
In this case, you will create one performance object for each file or directory you want to monitor. You don’t need to create a new event type or event attribute type, as these are automatically associated with the performance object when you select File Monitor for the Used For field.
Performance Object Configuration for File Integrity Monitoring
Field | Setting |
Name | LinuxFileMon |
Type | Application |
Method | Login |
Used For | File Monitor |
File Path | home/admin/FileMon/file.txt |
Polling Frequency | 30 seconds |
Performance Object Configuration for Directory Integrity Monitoring
Field | Setting |
Name | LinuxDirMon |
Type | Application |
Method | Login |
Used For | File Monitor |
File Path | home/admin/DirectoryMon |
Polling Frequency | 30 seconds |
Associating Device Types to Performance Objects
You should associate the performance object to the Linux, Unix, or SSH-capable Windows device type that contains the file or directory path you want to monitor.
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the device, created the IP address to credentials mapping, and tested connectivity.
- Go to Admin > Device Support > Performance Monitoring.
- Select the performance monitor you created, and then click Test.
- For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
- Click Test.
You should see succeed under Result, and the parsed event attributes in the test result pane.
- When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
- Discover or re-discover the device you want to monitor.
- Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly.
Change: Audited File Added/Deleted
Create a structured historical search with these settings:
Filter Criteria | Display Columns | Time | For Organizations |
Structured
Event Type IN ("PH_DEV_MON_CUST_FILE_CREATE","PH_DEV_MON_CUST_FILE_DELETE") Group by:[None] |
Event Receive Time | Last 1 Day | All |
Change: Audited File Content Modifications
Create a structured historical search with these settings:
Filter Criteria | Display Columns | Time | For Organizations |
Structured
Event Type = "PH_DEV_MON_CUST_FILE_DELTA" Group by:[None] |
Event Receive Time, Host | Last 1 Day | All |
Change: Audited File Attribute Modifications
Create a structured historical search with these settings:
Filter Criteria | Display Columns | Time | For Organizations |
Structured
Event Type = "PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB" Group by:[None] |
Event Receive Time, Host | Last 1 Day | All |