Difference between revisions of "File Integrity Monitoring"

From khika
Jump to navigation Jump to search
(Created page with "== Overview == There are multiple types of attacks and many attack vectors, and most of them make some changes in the critical files of the system, thus altering the integrit...")
 
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Overview ==
 
 
 
There are multiple types of attacks and many attack vectors, and most of them make some changes in the critical files of the system, thus altering the integrity of the system. The security posture of a computer is changed when a critical file on a computer is changed. Imagine someone with malicious intent changing resolv.conf file on your computer! You will be redirected to unwanted sites when you type your favorite site in the browser. This was just an example to demonstrate why it is so important to monitor changes to critical files on your computers and critical servers.
 
There are multiple types of attacks and many attack vectors, and most of them make some changes in the critical files of the system, thus altering the integrity of the system. The security posture of a computer is changed when a critical file on a computer is changed. Imagine someone with malicious intent changing resolv.conf file on your computer! You will be redirected to unwanted sites when you type your favorite site in the browser. This was just an example to demonstrate why it is so important to monitor changes to critical files on your computers and critical servers.
  
Line 13: Line 11:
  
  
fim1 (discover screen fim search)
+
[[File:Fim1.jpg|700px]]
 +
 
 +
 
 +
 
 +
Below is a sample file Integrity monitoring dashboard
  
  
fim2 (fim dashboard)
+
[[File:Fim2.jpg|700px]]
  
  
 
In the column – target data, old md5 and sha1sum values and the current values are shown. When the content of the registry or file change, these values change. Under tl_src_event column, we can see if it is a change in the registry or file. In above example the registry value has changed.
 
In the column – target data, old md5 and sha1sum values and the current values are shown. When the content of the registry or file change, these values change. Under tl_src_event column, we can see if it is a change in the registry or file. In above example the registry value has changed.
 +
 +
 +
[[Data Archival in KHIKA|Previous]]
 +
 +
 +
The next section explains how to [[Start and Stop KHIKA|start and stop KHIKA services]]

Latest revision as of 10:23, 12 June 2019

There are multiple types of attacks and many attack vectors, and most of them make some changes in the critical files of the system, thus altering the integrity of the system. The security posture of a computer is changed when a critical file on a computer is changed. Imagine someone with malicious intent changing resolv.conf file on your computer! You will be redirected to unwanted sites when you type your favorite site in the browser. This was just an example to demonstrate why it is so important to monitor changes to critical files on your computers and critical servers.

File Integrity Monitoring or FIM is the process which validates the integrity of the files on the operating system, any change in the crucial files against a standard baseline. It is a service that monitors any changes made to crucial files.

KHIKA uses OSSEC agent on the server to gather logs, critical information about the system and monitor file integrity. Syscheck is the name of the integrity checking process inside OSSEC. It runs periodically to check if any configured file (or registry entry on Windows) has changed. This process runs every 6 hours by default but the frequency or time/day are configurable. Moreover, it can be configured for real-time file integrity monitoring on certain systems (specific versions of Linux and Windows)

KHIKA receives the raw FIM data from ossec and stores it in its repository.

The FIM events can be searched using KHIKA’s search interface - Discover. Below is a sample output of search results of FIM Events in KHIKA


Fim1.jpg


Below is a sample file Integrity monitoring dashboard


Fim2.jpg


In the column – target data, old md5 and sha1sum values and the current values are shown. When the content of the registry or file change, these values change. Under tl_src_event column, we can see if it is a change in the registry or file. In above example the registry value has changed.


Previous


The next section explains how to start and stop KHIKA services