https://github.com/optum/fileintegritymonitor

Compliance-based File Integrity Monitoring Solution.

# File Integrity Monitoring

Compliance-based File Integrity Monitoring solution for Windows and Unix servers.

## Table of Contents

- [Summary](#summary)
- [Solution Details](#solution-details)
- [Results Package](#results-package)
- [Audit Outcome Values](#audit-outcome-values)
- [Sample `fimon_config.json` file](#sample-fimon_configjson-file)
- [JSON attribute reference guide](#json-attribute-reference-guide)
- [Steps to create a File Integrity Monitor](#steps-to-create-a-file-integrity-monitor)
- [Testing the Monitor](#testing-the-monitor)
- [Running the Monitor](#running-the-monitor)

## Summary

This repo contains an overview along with steps to set up File Integrity Monitoring on Windows and Unix servers. The script performs compliance auditing for application files and detects whether files have been added, removed, or changed. Integrity monitoring runs from a remote server that application developers and ops engineers do not have access to, so that the monitor cannot be disabled by the same people who might be able to alter the application files. The script is set up to use services such as Interlink, ServiceNow, Grafana, Windows Task Scheduler, and Cron, but these can be replaced by any other tools or scheduling systems the customer prefers.

Users are only required to update the JSON config file with the attributes mentioned below.

## Solution Details

The File Integrity Monitoring package consists of the following files:

- **`fimon.ps1 / fimon.sh`** - Script with state-based embedded webhooks to Interlink along with ServiceNow Notify and Auto-Ticketing. It also generates an alert (normal or warning) and names the folder containing the results in the message text. *(The results cannot be attached to the alert or included in the message text due to limitations.)* The script can run in Active/Active mode from several servers and still produce only one alert notification.
- **`fimon_config.json`** - JSON file based on an opt-in model: only the key File Shares in scope for integrity monitoring are listed. Users also have the option to exclude certain filetypes from the audit as needed.
- **`fimon_main.bat / fimon_main.sh`** - The main script that calls `fimon.ps1 / fimon.sh` with command-line arguments. The scheduler runs this file daily at a set time. *(The script cannot be run directly from Task Scheduler or Cron because of limitations with passing command-line arguments.)*
- **`fimon_scheduler.xml`** - Windows Task Scheduler schema file that makes the script run daily at a set time.

### Results Package

- `fimon_.zip` - Archive, one per integrity check, containing the supporting files generated by the main script. It holds a copy of the config file as well as the following files:
  - `fimon.out` - Log of the audit run. Errors and failures are written to this file.
  - `fimon_baseline.json` - Baseline file with the checksum values the audit is performed against. This file decides whether the integrity check fails or succeeds, so it must be writable only by the auditing account: anyone who can rewrite it can silently re-baseline tampered files.
  - `fimon_config.json` - Copy of the JSON config used for this integrity check, for reference in case of failures.
  - `fimon_exclusions.csv` - List of all the File Shares that were excluded from the audit, if any.
  - `fimon_violations.csv` - List of the File Shares that did not meet the integrity monitoring standard, if any.

### Audit Outcome Values

- `UNABLE TO ACCESS TARGET`: The audit could not read the target. Verify that the credentials used to access the File Share are correct and that the directory still exists. Until the target is reachable again, changes to it go undetected, so treat a target that suddenly becomes unreachable as a finding in its own right.
- `CHANGED`: One or more files have changed (their checksum differs) since the last audit.
- `MISSING`: Files recorded in the Baseline File created during the previous audit are no longer present.
- `NEW`: Files were added to the File Share locations in scope for auditing since the previous audit.
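The following is an added worked example of the baseline-and-compare logic the outcomes above describe; it is not code from the optum/fileintegritymonitor project. It assumes SHA-256 per file, a baseline stored as a JSON map of `target|relative path` to digest, `exclude` entries treated as shell-style globs on the file name, and the `continuous_change` semantics given in the attribute guide below. The directory layout and edits in `demo()` are constructed for illustration.

```python
import csv
import fnmatch
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def is_excluded(name, exclude):
    """exclude entries are shell-style globs, as in the sample config ("*.log")."""
    return any(fnmatch.fnmatch(name, pattern) for pattern in exclude)


def build_baseline(targets, exclude=()):
    """Walk every target; return ({"<target>|<relative path>": digest}, [unreachable])."""
    baseline, unreachable = {}, []
    for target in targets:
        root = Path(target)
        if not root.is_dir():            # -> UNABLE TO ACCESS TARGET
            unreachable.append(target)
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if is_excluded(name, exclude):
                    continue
                path = Path(dirpath) / name
                key = f"{target}|{path.relative_to(root).as_posix()}"
                try:
                    baseline[key] = sha256_file(path)
                except OSError:          # unreadable file inside a reachable target
                    unreachable.append(str(path))
    return baseline, unreachable


def compare(previous, current):
    """Classify each path as NEW, MISSING or CHANGED relative to the previous baseline."""
    violations = []
    for key in sorted(set(previous) | set(current)):
        if key not in previous:
            violations.append((key, "NEW"))
        elif key not in current:
            violations.append((key, "MISSING"))
        elif previous[key] != current[key]:
            violations.append((key, "CHANGED"))
    return violations


def alert_needed(violations, continuous_change=False):
    """continuous_change flips the condition: alert when files did NOT change."""
    return (not violations) if continuous_change else bool(violations)


def write_results(results_dir, baseline, violations):
    """Persist the new baseline and a violations CSV, mirroring the results package layout."""
    results_dir = Path(results_dir)
    results_dir.mkdir(parents=True, exist_ok=True)
    (results_dir / "fimon_baseline.json").write_text(json.dumps(baseline, indent=2, sort_keys=True))
    with open(results_dir / "fimon_violations.csv", "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["target", "path", "outcome"])
        for key, outcome in violations:
            target, rel = key.split("|", 1)
            writer.writerow([target, rel, outcome])


def demo():
    """Constructed scenario: one reachable share, one missing share, three edits between runs."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share1"
        share.mkdir()
        (share / "app.dll").write_bytes(b"build 1")
        (share / "web.config").write_text("<configuration/>")
        (share / "debug.log").write_text("noise")            # excluded by *.log
        targets = [str(share), str(Path(tmp) / "share_gone")]  # second one does not exist
        exclude = ["*.log"]

        before, unreachable = build_baseline(targets, exclude)
        # Tamper between the two audits.
        (share / "app.dll").write_bytes(b"build 2")          # CHANGED
        (share / "web.config").unlink()                      # MISSING
        (share / "extra.dll").write_bytes(b"dropped in")     # NEW
        (share / "debug.log").write_text("more noise")       # still ignored

        after, _ = build_baseline(targets, exclude)
        violations = compare(before, after)
        write_results(Path(tmp) / "results", after, violations)
        return unreachable, [(key.split("|", 1)[1], outcome) for key, outcome in violations]


if __name__ == "__main__":
    unreachable, violations = demo()
    print("UNABLE TO ACCESS TARGET:", unreachable)
    for path, outcome in violations:
        print(f"{outcome:8} {path}")
```

Because the previous baseline is the only reference, a run that cannot read a target reports it as unreachable rather than silently marking every file there as `MISSING`, and the excluded `*.log` file never enters either baseline, so changes to it are invisible to the audit by design.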

## Sample `fimon_config.json` file

```json
{
  "application": "FORMAL_APP_NAME",
  "severity": "warning",
  "autoincident": "false",
  "workgroup": "CHANGE_MGMT_SUPPORT_WORKGROUP",
  "core_api_token_key": "CORE_API_TOKEN_KEY",
  "core_api_token_value": "CORE_API_TOKEN_VALUE",
  "core_endpoint": "CORE_API_ENDPOINT",
  "is_dmz": "false",
  "dmz_endpoint": "EXT_API_ENDPOINT",
  "is_external": "false",
  "ext_endpoint": "EXT_API_ENDPOINT",
  "ext_api_token_key": "EXT_API_TOKEN_KEY",
  "ext_api_token_value": "EXT_API_TOKEN_VALUE",
  "ext_oauth_token": "EXT_OAUTH_TOKEN",
  "event_query": "GET_QUERY_TO_CHECK_IF_API_CALL_SUCCEEDED",
  "event_oauth_token": "EVENT_MGMT_TOOL_OAUTH_TOKEN",
  "telemetry_token": "TELEMETRY_INGRESSION_TOKEN",
  "telemetry_endpoint": "TELEMETRY_INGRESSION_API_ENDPOINT",
  "continuous_change": "false",
  "results": "RESULTS_FOLDER_PATH",
  "targets": [
    "FILE_SHARE1",
    "FILE_SHARE2",
    "FILE_SHARE3"
  ],
  "exclude": [
    "*.FILE_TYPE",
    "*.FILE_TYPE",
    "*.FILE_TYPE*"
  ]
}
```

### JSON attribute reference guide

- **application**: Formal Application Name or Supporting Infrastructure service, used when consuming ServiceNow notifications. *(Mandatory)*
- **severity**: Severity of the event. Example values: Normal, Warning, Minor, Major, Critical. *(Mandatory)*
- **autoincident**: Set the flag to `true` to generate a ServiceNow ticket; `false` generates a ServiceNow notification (email, page, etc.) instead.
- **workgroup**: ServiceNow workgroup to assign the Incident to. *(Mandatory only if **autoincident** is `true`)*
- **is_dmz**: Set the flag to `true` if the server is in the DMZ and should use the DMZ API; `false` uses the internal Interlink API.
- **is_external**: Set the flag to `true` if the server is external and should use the external API; `false` uses the internal Interlink API.
- **continuous_change**: Set the flag to `true` if you want to be alerted when files are ***not*** continuously changing; `false` alerts only when files ***are*** changing.
- **results**: Shared folder location where results will be stored. Shared folder directories have more space and can therefore retain results for longer periods.
- **targets**: List of File Shares in scope for auditing. Add each unique directory on a new line as shown in the example above. *(Mandatory)*
- **exclude**: List of filetypes to be excluded from the audit. Add each unique filetype on a new line as shown in the example above.

The remaining attributes (`*_token_key`, `*_token_value`, `*_oauth_token`, `telemetry_token`, the `*_endpoint` values and `event_query`) carry the credentials and endpoints for the Interlink, ServiceNow and telemetry integrations described above. Because the file holds live API tokens, keep it readable only by the account that runs the monitor and do not commit a populated copy to source control.
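As an added example (not part of the project), the following validator applies the rules in the attribute guide before a config is scheduled: the mandatory attributes, the `workgroup`-when-`autoincident` dependency, unique and reachable `targets`, and sample placeholders left in the token fields. The severity list is taken from the guide; the POSIX `0600` permission check and the rule that `is_dmz` and `is_external` should not both be `true` are this example's assumptions.

```python
import json
import os
import stat
import sys
import tempfile
from pathlib import Path

MANDATORY = ("application", "severity", "targets")
SEVERITIES = {"normal", "warning", "minor", "major", "critical"}
# Placeholder values copied from the sample config; a live config must not still carry them.
SAMPLE_PLACEHOLDERS = {
    "CORE_API_TOKEN_VALUE", "EXT_API_TOKEN_VALUE", "EXT_OAUTH_TOKEN",
    "EVENT_MGMT_TOOL_OAUTH_TOKEN", "TELEMETRY_INGRESSION_TOKEN",
}
TOKEN_KEYS = ("core_api_token_value", "ext_api_token_value", "ext_oauth_token",
              "event_oauth_token", "telemetry_token")


def as_flag(value):
    """fimon stores flags as the strings "true"/"false"; accept real booleans as well."""
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"


def validate_config(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    for key in MANDATORY:
        if not cfg.get(key):
            problems.append(f"missing mandatory attribute: {key}")
    if str(cfg.get("severity", "")).lower() not in SEVERITIES:
        problems.append(f"unknown severity: {cfg.get('severity')!r}")
    if as_flag(cfg.get("autoincident", "false")) and not cfg.get("workgroup"):
        problems.append("workgroup is mandatory when autoincident is true")
    if as_flag(cfg.get("is_dmz", "false")) and as_flag(cfg.get("is_external", "false")):
        problems.append("is_dmz and is_external are both true; only one API can be used")  # assumption
    targets = cfg.get("targets") or []
    if not isinstance(targets, list) or len(set(targets)) != len(targets):
        problems.append("targets must be a list of unique directories")
    else:
        for target in targets:
            if not Path(target).is_dir():
                problems.append(f"target not accessible from this server: {target}")
    for key in TOKEN_KEYS:
        if cfg.get(key) in SAMPLE_PLACEHOLDERS:
            problems.append(f"{key} still holds the sample placeholder")
    return problems


def check_config_permissions(path):
    """The file carries API tokens: on POSIX no group/other bits may be set (assumed 0600 policy)."""
    if os.name != "posix":
        return []  # on Windows rely on NTFS ACLs; not checked here
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path} is readable by group/other (mode {mode:04o}); chmod 600 it"]
    return []


def load_and_check(path):
    """Parse the config file and combine attribute problems with permission problems."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    return cfg, validate_config(cfg) + check_config_permissions(path)


def demo_permissions():
    """Constructed check: a 0644 config is flagged, a 0600 one is not. Returns (loose, tight) counts."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "fimon_config.json"
        cfg.write_text('{"application": "DEMO"}')
        os.chmod(cfg, 0o644)
        loose = len(check_config_permissions(cfg))
        os.chmod(cfg, 0o600)
        tight = len(check_config_permissions(cfg))
        return loose, tight


if __name__ == "__main__":
    _, problems = load_and_check(sys.argv[1] if len(sys.argv) > 1 else "fimon_config.json")
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

Run it on the auditing server as the account that will execute the monitor, since the target-accessibility check only means something under that account's credentials.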

## Steps to create a File Integrity Monitor

- Obtain a dedicated auditing Windows or Unix server to run the File Integrity solution on. Validate that your credentials have access to all the File Shares defined in `fimon_config.json`.
- On Unix, having sudo access simplifies on-boarding and managing cron schedules.
- Clone this repo via Git commands or by downloading the zip folder and save it to your working directory.
- Navigate to the `fimon` folder and update the `fimon_config.json` file with the configurations for monitoring using the [JSON attribute reference guide](#json-attribute-reference-guide).

### Testing the Monitor

- Adjust the values in the `fimon_config.json` file as needed for testing.
- On Windows, open a PowerShell IDE as the user whose credentials you validated above; on Unix, open a terminal as that user.
- From the `fimon` directory, run the `fimon_main` file (`fimon_main.bat` or `fimon_main.sh`) and confirm that a results package is produced.

### Running the Monitor

- **Windows:**
  - Create a monitoring task in Windows Task Scheduler that runs under the credentials validated above. *Note: if those credentials change, update the task manually or it will stop running.*
  - Import the [fimon_scheduler.xml](./windows/fimon_scheduler.xml) file into Windows Task Scheduler and adjust the trigger and other values to your monitoring needs.
- **Unix:**
  - Schedule a cron job according to your monitoring needs: `sudo crontab -e`
  - To run the script every 5 minutes, use the following entry: `*/5 * * * * ./fimon_main.sh > ./cron.out 2> ./cron.err`

The relative paths in this entry assume the package was downloaded to the home directory of the user whose crontab this is, because cron runs each job from that user's home directory. If the package lives elsewhere, use absolute paths or `cd` into the `fimon` directory first. Note that `sudo crontab -e` edits root's crontab, so the job runs as root; if the audit should run as the dedicated auditing account validated above, edit that account's own crontab with `crontab -e` instead.