CorreLog. File Integrity Monitor (FIM) User Reference Manual

Transcription

1 CorreLog File Integrity Monitor (FIM) User Reference Manual

2 CorreLog FIM, User Reference Manual Copyright , CorreLog, Inc. All rights reserved. No part of this manual shall be reproduced without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibilities for errors or omissions. Nor is any liability assumed for damages resulting from the use of this information contained herein. CorreLog FIM, Page - 2

3 Table of Contents Section 1: Introduction.. 5 Section 2: CorreLog FIM Installation.. 11 Section 3: CorreLog FIM Usage.. 17 Section 4: CO-Fmon Config File.. 23 Section 5: Remote Configuration.. 31 Appendix A: The CO-Fmon.cnf File.. 41 Appendix B: The Report_FIM.bat File CorreLog FIM, Page - 3

4 CorreLog FIM, Page - 4

5 Section 1: Introduction This document contains installation and application notes regarding the CorreLog File Integrity Monitor (CorreLog FIM) which is a compact set of software tools that instrument a Windows Vista, XP, or 20XX operating system to continuously check the integrity of selected files. This permits the CorreLog Security Correlation Server to effectively check whether files have changed anywhere on a managed Windows platform. The File Integrity Monitor executes as a separate process on each Windows 32- bit and / or 64-bit platform. Periodically (by default each hour) this process scans all the files on the system as specified by its configuration file. If any file has been added, deleted, or modified, the file name is recorded and a Syslog message is sent to the main CorreLog Server. At the CorreLog Server, the operator can create (or recreate) a file image, can inspect the list of changed files, and can set FIM parameters. The CorreLog FIM is very lightweight and easy to install. The program should be installed on each Windows platform of interest in an organization or enterprise. If you are unfamiliar with Syslog protocol as a management technique, refer to the CorreLog User Reference manual, which contains a comprehensive description of Syslog functionality. If you wish to get started immediately with the installation of the CorreLog FIM, see notes at the bottom of this current section. CorreLog FIM, Page - 5

6 CorreLog Windows Tool Set (FIM) Overview The CorreLog File Integrity Monitor (FIM) is a collection of executables and files that provide extra security at a managed Windows server. The File Integrity Monitor is installed in a fashion similar to the CorreLog Windows Agent and WTS, and operates as a standard Windows service. Periodically, the system scans all the files specified by a configuration file, and sends Syslog messages to the CorreLog Server when files are added, deleted, or modified on the system. At the CorreLog Server, the user can configure the schedule of execution for the process, can generate an Image File (containing a baseline listing of files), and can run on-demand checks of the file system. Additionally, the operator can inspect the list of managed files, and any changes detected during the last scan of files. The CorreLog FIM consists of the following parts. CorreLog File Monitor Agent. (FIM Agent.) This is a compact but powerful Windows service that is installed on each managed platform. The service periodically scans the file system to detect new, modified, or deleted files, and sends Syslog messages to the CorreLog Server when file changes are detected. The service executes on XP, Vista, and 200X servers. Both 32-bit and 64-bit versions of the program are available. CorreLog Server Web Interface. This screen is added to the CorreLog Server, and is accessed via the "Device Information" screen (by clicking on the hyperlink of an IP address anywhere within CorreLog.) The screen permits the user to view the list of managed files, and the status of the File Integrity Monitor's execution. CorreLog Remote Configuration Utility. This is a stand-alone program that permits the user to download and upload the configuration file of the CorreLog FIM service, so that batch configuration of these programs can be remotely performed. The above programs are documented in this manual, including installation and configuration, along with extra application notes that describe how to perform advanced configuration of the system. Program Features The CorreLog FIM is designed to support the enterprise requirements for security, with special regard to PCI/DSS (as well as other) security guidelines. The program is easy to install and use, and contains the following specific features and functions. CorreLog FIM, Page - 6

7 Fast File Scans. The File Integrity Monitor is designed to monitor large numbers of files quickly and non-intrusively. The program will typically scan 10,000 files within one or two minutes, permitting hourly checks of file integrity. AbilityTo Monitor Files By Directory. The File Integrity Monitor is easy to configure, and allows the user to specify files by directory, including the ability to match and exclude files by directory name, file suffix, file prefix, or other keywords. This allows an operator to precisely target special files on the managed system. Ability To Perform File Checksums. The File Integrity Monitor checks the file creation time, modify time, and file size to determine whether a file has been modified on the system. As an additional feature, the user can enable the calculation of checksums on each file to check whether any single bit in the file has been changed. Ability To Tune CPU Usage. The File Integrity Monitor allows the user to throttle the amount of CPU used by the process, as well as schedule the execution hourly, or daily. This permits the system to operate nonintrusively. Remote Configuration Capabilities. The File Integrity Monitor allows the user to remotely access and adjust (with authentication) the program configuration data, permitting the user to make changes to the file integrity monitor while it is running. Additionally, the user can obtain real-time status from the File Integrity Monitor, to view the remote status and state of the program. Support for 64 Bit Platforms. The File Integrity Monitor supports both 32-bit and 64-bit platform architectures. On 64-bit systems, the File Integrity Monitor can access system pathnames that are not accessible to 32-bit programs. The CorreLog FIM, Fast Start The remainder of this manual will deal with the various detailed aspects of the CorreLog File Integrity Monitor software in detail. For those users wishing a quick start, the following information will get the CorreLog FIM software up and running as quickly as possible on a Windows platform, permitting you to immediately begin using the program. The CorreLog FIM Software is obtained is included in the CorreLog Server distribution in the "CorreLog\s-doc" directory. Two different versions are available, to support both 32-bit and 64-bit platforms. CorreLog FIM, Page - 7

8 At the managed platform, after downloading the appropriate FIM package, the operator executes the self-extracting WinZip file, and extracts files to the desired location, by default the C:\CorreLog directory of the platform. Note: The software package that is installed on the target platform is given a name such as "fi-agent-x32.exe" but can operate in a 64 bit environment of any platform that is Windows 2008 or higher. When the files are extracted, the FMON Agent installation dialog automatically starts. The user needs to provide only one argument to the installation dialog, which is the destination hostname or IP address of the Syslog server running on the network. (This will generally be the hostname or IP address of the platform running the CorreLog Server software.) When the dialog finishes, the CorreLog FMON Agent is installed and started. The user can check the Syslog file of the destination host to verify that a Syslog message was correctly sent and received. The platform does not need to be rebooted. The user can optionally configure each FMON Agent at the CorreLog Server by clicking on the IP address hyperlink of the device anywhere within CorreLog, and then clicking "File Integrity Monitor". (See Section 4.) The entire installation steps, outlined above, will usually take about one minute or so to complete for each managed platform. An Administrator type login is required. If the installation fails (for example if the installer mistypes the destination hostname or IP address) the installation procedure can be run again without running the uninstall program. Fast Start, Workflow Overview Once the CorreLog FMON Agent is installed, a simple workflow is used to maintain the integrity of files. At periodic intervals, messages are generated on the system indicating the status of files on a managed system. The operator sees these indications by looking for the summary status of file scans and / or individual messages indicating that files have been added, deleted, or changed. This may include generation of tickets and notifications when files are changed. When a file change indication is received, the user clicks down on the IP address of the remote device (appearing anywhere in CorreLog) and then clicks on the "File Integrity Monitor" hyperlink on the "Device Information" CorreLog FIM, Page - 8

9 screen. This displays the "File Integrity Monitor" screen (discussed in Section 5 of this manual.) On the "File Integrity Monitor" screen, the user inspects the list of change by clicking on the "View File Change List" hyperlink at the upper left of the screen. The operator resolves any differences in the file system by removing or installing files on the manage system. The operator creates a new Image File by clicking on the "Config" button of the File Integrity Monitor screen, and then clicking "Create New Image File". This causes a new image file to be generated that includes any changes accepted by the operator. The above process is the typical workflow of the operator, used to resolve changes to files on the managed platform. Other workflows (such as automatically generating new Image Files for the target platform) are also available, and will depend upon the requirements of the organization. Future sections will describe in detail the various other features, adaptations, customizations, and applications associated with the CorreLog FIM system. The reader is encouraged to experiment with the system. In particular, almost all of the information required to understand the essentials of the CorreLog FIM system has now been explained. You can begin monitoring your system file integrity information right now! CorreLog FIM, Page - 9

10 CorreLog FIM, Page - 10

11 Section 2: CorreLog FIM Installation The CorreLog FIM is usually delivered as a self-extracting WinZip file, and contains install and uninstall programs, residing in the wintools directory of the CorreLog root directory. The install program normally starts after files are extracted. To uninstall the system, the operator accesses the Windows Add / Remove programs application, and clicks on the CorreLog Syslog Agent entry. Both a 32-bit and 64-bit version is provided. The 32-bit version can be executed on a 64-bit platform, but the 64-bit version MUST execute ONLY on a 64-bit platform. CorreLog FIM is specifically designed not to scatter DLL or other files into system directories. All files within the CorreLog directory reside in the CorreLog root directory, by default the directory C:\CorreLog (although this directory may be specified differently when extracting files.) CorreLog is uninstalled via the standard Windows Add / Remove programs screen (or "Program Features" screen on Vista platforms.). Additionally, if the user stops a CorreLog Syslog Message service, the entire CorreLog directory can be simply dragged and dropped into the Windows Recycle Bin and this will effectively discard the entire installation. (However, note that this will still leave the service entry for CorreLog, within the Windows Service Manager, which is normally cleaned up by the Uninstall procedure.) CorreLog FIM, Page - 11

12 CorreLog FIM System Installation Requirements The CorreLog FMON Agent programs are non-invasive, and can be installed on a variety of Windows platforms and operating systems. An Administrator login is required to install the software. Specific system requirements of the CorreLog Server are described below. Disk Space. The CorreLog FIM has a small disk footprint of less than 0.5 Mbytes. The program should generally NOT be installed on a network drive. If possible, the program should be consistently installed in its default location of C:\CorreLog, which may assist technical support personnel. CPU Requirements. The CorreLog FIM makes minimal use of CPU, and can co-exist with other server components and applications. The actual CPU requirements will typically be much less than 1%, even under heavy load. TCP Connectivity. The CorreLog FIM cannot be installed on a platform that does not have TCP connectivity. (This will typically not be a problem, but may occur in certain evaluation and test scenarios.) The program works with any normal network interface card. Service Ports. The CorreLog FMON Agent programs require access to the UDP 514 port of the configured destination host, which may require modifications to firewalls and port blockers. Additionally, FMON Agent programs will listen at TCP for optional remote configuration requests. Other Dependencies. The CorreLog FIM agent requires that the Windows Agent. The installer should first install the Windows agent before installing the CorreLog FIM agent. Failure to do this will result in an error message, prompting the user to first install the Windows agent, when the FIM software is installed. Note: Configuration of the FMON Agent program is greatly simplified by permitting access to port on the managed platform from the CorreLog Server. This permits the "Remote Configuration" dialog of the CorreLog Server to access and configure the FMON Agent service, as explained in later sections. If possible, this port should be open between each FMON Agent and the CorreLog Server To insure proper installation of the program, the user should close all windows, and temporarily disable any port blocking or Virus Scan software on the system. Reboot, after installation, is not required. CorreLog FIM, Page - 12

13 Basic Installation Steps There are various ways to install the FMON Agent and CorreLog Server. The steps below provide one basic method of installing the software on various managed platforms. As part of the installation planning, users are encouraged to contact CorreLog support engineers for discussion and recommendations of alternative installation techniques: First, the user must install the software at the CorreLog Server, as described below. Once this software is installed, the operator then installs each FMON Agent package on the various managed platforms, using a technique similar to the Windows WTS installation, as described below: 1. Obtain the main File Integrity Monitor installation package. This package is provided in the "s-doc" directory of the CorreLog Server as a selfextracting WinZip archive. The "s-doc\fi-agent-x32.exe" program is a 32-bit version of the program, appropriate for both X32 and X64 architectures. If executing on an X64 platform, the operating system MUST be Windows 2008 or higher. 2. Login to the CorreLog Server platform with Administrative permissions and transfer the correct executable to a target platform, such as via a shared disk, or using the following URL at the target platform: The "s-doc" directory of the CorreLog Server can be accessed via the CorreLog HTTP server, and corresponds to the "/s-doc" URL. This allows you to download any file in the "s-doc" directory to a machine using a standard web browser. 3. After copying or downloading the appropriate CorreLog FMON Agent package, execute the self-extracting WinZip file, and extract files to the target directory, by default the C:\CorreLog directory. 4. When the self-extracting WinZip file completes, the automatic installation procedure starts. The installation dialog for the program is depicted below. The user must view the license agreement and click the check box in order to proceed to the next screen. CorreLog FIM, Page - 13

14 5. Follow the prompts of the automatic installation procedure. A single value is required from the user, on the second screen of the dialog, which is the hostname or IP address of the machine running the Syslog server (normally the CorreLog Server.) 6. When the installation is complete, the CO-Fmon.exe program is installed and running. On startup, this process sends a single Syslog message to the configured destination host. Check that host to verify a message was correctly sent and received. The entire installation process will normally take only one minute or so. No other steps are needed to install and start the program. Important Differences between X32 and X64 Packages The FIM supports both s 32-bit and 64-bit Windows architecture. The following notes apply: 1. The X32 version can run on either a 32-bit or 64-bit architecture. However, due to constraints of the Microsoft Windows operating system, the 32-bit version will actually monitor the "SysWow64" directory rather than the "System32" directory, which may be confusing to users. CorreLog FIM, Page - 14

15 2. The "System32" directive is accessed via the "SysNative" path (which corresponds to the regular "system32" path for 64-bit applications.) This occurs transparently to the user, but may be important when testing or demonstrating FIM operation. So, if the user specifies "system32" in the configuration file, as a target directory for monitoring, this folder will be accessed via the "sysnative" folder. The above factors may be confusing to users. Normally, a 32-bit application cannot access 64-bit executables or DLLs. As a further limitation, all 32-bit executables will automatically AND silently redirect programs to the "SysWow64" directory whenever an attempt is made to access the "System32" directory. Therefore, although the X32 version of the program will appear to be operating in the System32 directory, the program will actually be operating on the SysWow64 directory. NOTE: Although the X32 version will execute on X64 platforms, the X32 version will automatically and silently redirect file scans to the SysNative directory if the System32 directory is specified to the agent. This is a very common source of confusion during test and demonstration of the software. Re-installing the Software The user can re-install the server by running the CorreLog\wintools\COinstall.exe program again. (The user does not have to uninstall and re-install the program software from the WinZip file.) By executing the CO-install.exe program, the service is stopped, removed, re-installed, and reconfigured with the user specified destination host. The platform will generally not have to be rebooted during any installation. However, under certain rare circumstances, such as if the CO-Fmon.exe program has some conflict with third-party software, it may be necessary to reinitialize the entire platform by rebooting before performing a re-install. Uninstalling the CorreLog FIM Agent The CorreLog FIM Agent is uninstalled via the Add / Remove Programs windows facility. The user navigates to this screen (via the Control Panel) and clicks on the CorreLog Syslog Message Server entry to execute the Uninstall program. The user follows the instructions of the dialog to uninstall the CorreLog Framework system. Note that, unlike many uninstall programs, the CorreLog Framework files are left intact on the disk. After executing the uninstall procedure, the user must physically remove these files, such as by dragging the CorreLog root directory to CorreLog FIM, Page - 15

16 the Microsoft Windows Recycle Bin. This extra step safeguards any accidental removal of data on the system. Note: Uninstalling the File Integrity Monitor software will also uninstall the CorreLog Syslog Message Service. If the user wishes to disable the FIM software but leave the Syslog Message Service running, the user should stop and disable the "CorreLog File Integrity Monitor" service on the platform, and leave the "CorreLog Syslog Message Service" operating as normal. CorreLog FIM, Page - 16

17 Section 3: CorreLog FIM Usage At many sites, the entire usage of the CorreLog File Integrity Monitor will consist of installing the program (as discussed in the previous section) and then rarely if ever visiting that installation again. The CorreLog FIM does not require program maintenance, and will not interfere with other system processes. The system configuration file (discussed in the next section of this manual) is ready-to-run and does not require any customization, other than the destination Syslog host supplied by the installation dialog. However, the FIM Agent programs have various capabilities available for general users, documented in this section. Specifically, the CO-Fmon.exe program has a comprehensive configuration file that allows tailoring of the directories and files that are periodically scanned. Additionally, the user can customize various parameters of the agent, can create a new "Image" file for the agent, and can run checks of the system "On Demand". This section provides detailed notes on the FIM tool command line options and application notes suitable for use by administrators and developers wishing to extend the Windows Syslog monitoring capabilities of their organization. The section will be of interest to other users wishing to assess the capabilities of the FIM tools, and Syslog protocol in general. CorreLog FIM, Page - 17

18 The CO-Fmon.exe Program The CO-Fmon.exe program, normally residing in the CorreLog\wintools directory, executes as a single persistent background process, and as a standard Windows service. The program can be seen in the Windows Service Manager, with the name CorreLog File Integrity Monitor. The program can be started and stopped from that location, or can be started and stopped via the net command, with the short name CorreLog File. The program is normally configured in the Windows Service Manager to start automatically when the host platform boots. Users can verify the program is running by finding the CO-Fmon.exe program name in the Windows Task Manager. The destination address for all messages is configured in the CO-Fmon.cnf file, which is in the same directory as the CO-Fmon.exe program. This file MUST exist in that location, and is read whenever the CO-Fmon.exe program starts. A detailed explanation of this configuration file, including all directives that can be included in the file, is provided in the next section of this manual. The CO-Fmon.exe program creates the CO-Fmon.log file in the same directory as the executable program and the configuration file. This log file can contain any errors, and can contain Syslog messages (if so configured). The file is overwritten each time the server starts, and typically has just a very few lines. This log file will not need any maintenance. CO-fmon.img Image File The FMON Agent maintains a baseline of file names and identifiers, generated from the "CO-fmon.cnf" file specification, which is used to detect changes on the system. This "Image File" resides in the "CO-fmon.img" file, in the same directory as the "CO-fmon.exe" and "CO-fmon.cnf" files. The "CO-fmon.img" file is generated on startup and on demand, as well as at other times, described below. On Startup. When the CO-fmon.exe program is first installed and executed, a new Image File is automatically created containing all the files specified in the "CO-fmon.cnf" file. This action occurs only once, and is deferred if any "CO-fmon.img" file already exists on the system. Manually, On Demand. An Image File is generated whenever the user clicks the "Config > Create New Image File" button on the CorreLog Server File Integrity Monitor screen. This permits the user to accept certain changes on the system (such as after a file update for the system, or after installing new software). CorreLog FIM, Page - 18

19 On Configuration Change. If the user uploads a new configuration file to the FMON Agent, a new Image File is automatically generated. (This is necessary to keep the Image File in agreement with the files listed during periodic checks of the system.) Auto-Generation. If the user selects the "Auto Generate Image File" option to be "True" on the "Config" screen of the CorreLog Server File Integrity Monitor screen, then a new Image File is generated each time a check is made on the system, after any Syslog messages are sent. In this mode of operation, a Syslog message is sent only once, when a change is first detected. During normal operation, the system will detect changes to managed files, and send a Syslog message for each file change. This condition will persist until either the list of files is restored to its original state (by adding, deleting, or installing the original file) or until a new Image File is created on the system. CO-fmon.stt Status Change File At periodic intervals, or on demand, the FMON Agent scans the system files specified in the "CO-fmon.cnf" configuration file, and compares this new list to the Image File described above. The FMON Agent will send a Syslog message for each change detected, either file additions, deletions, or changes. The FMON Agent will report a maximum of 50 file changes, and will report a summary message indicating the total number of changes. The list of changes is contained in the "CO-fmon.stt" file, residing in the same directory as the "COfmon.img", "CO-fmon.cnf", and "CO-fmon.exe" files. The status file can be viewed from the CorreLog Server File Integrity Monitor screen, and is generated as described below. On Startup. When the system first starts, if a "CO-fmon.img" file exists on the system (possibly created earlier, as described above) a new Status Change File will be generated. This will report any files that were added immediately prior to the system shutting down, useful for detecting new software installations and reboots. At Scheduled Intervals. The Status Change File is executed at intervals specified by the "Config" screen of the CorreLog File Integrity Monitor screen, either "hourly", "daily", "weekly" or "monthly". On Demand. The Status Change File is generated whenever the user clicks the "Config > Run File Integrity Check Now" button on the CorreLog Server File Integrity Monitor screen. This permits the user to immediately CorreLog FIM, Page - 19

20 test for certain changes on the system (such as after a file update for the system, or after installing new software.) Normally, the system automatically scans for changes, issuing Syslog messages at periodic intervals, with no manual intervention required. The user can run a check on demand, useful for testing the operation of the File Integrity Monitor and the current configuration file. CO-Fmon.exe Command Line Arguments The CO-Fmon.exe program contains various command line options that allow the program to execute at a command prompt. While these command line options are never required, it may facilitate certain user operations, especially in batch files. The various options of the program are as follows: CO-Fmon install The install option causes the program to be installed as the CorreLog File Integrity Monitor" service in the Windows Service Manager. If the service is already installed, no action occurs. This is normally executed by the CO-install.exe program, but can be executed manually to re-install the service. CO-Fmon remove The remove option removes the program from the Windows Service Manager, first stopping the service (as needed.) This is normally executed by the CO-uinstall.exe program, but can be executed manually to uninstall the service. CO-Fmon start The start option starts the CorreLog File Integrity Monitor service, identical to starting the service via the Windows Service Manager, or executing the net start CorreLog File command. If the service is already started, this option has no affect. CO-Fmon stop The stop option stops the CorreLog File Integrity Monitor" service, identical to ending the service via the Windows Service Manager, or executing the net stop CorreLog File command. If the service is already stopped, this option has no affect. CO-Fmon -mode auto manual disable The mode option must be followed by the keyword auto, manual, or disable, and modifies the CorreLog File Integrity Monitor service startup mode, identical to making this modification via the Windows Service Manager. CorreLog FIM, Page - 20

21 CO-Fmon permit The permit option tests the permissions of the user to access the Windows Service Manager. The program displays the status of the permissions, either available or not. CO-Fmon foreground The foreground option executes the CO-fmon.exe program as a foreground process, without the service manager. In addition to sending Syslog messages to the receiver, the program displays any internal error messages or warnings, and additionally displays message to standard output. CO-Fmon generate The generate option is provided mainly for extensibility or system-level debug, and causes the "CO-fmon.img" file to be generated on the system, listing all the files specified in the "CO-fmon.cnf" file. This allows the user to manually generate a new Image File, which serves as the baseline for detecting changes on the system. (See section on the "CO-fmon.img" Image File, above.) CO-Fmon diff The diff option is provided mainly for extensibility or system-level debug, and causes the "CO-fmon.stt" file to be generated on the system, listing all the file changes. The option generates a new listing, compares the listing to the "CO-fmon.img" file, and generates Syslog messages for each change. This allows the user to manually generate a new difference list on the system. CO-Fmon help The help option displays brief help on the above options. Note that the CO-Fmon.exe program MUST be executed with at least one command line argument. One of the above command line arguments is required for interactive usage. If the program is executed with no arguments, the program will either hang, or will exit with no message. (This is the mode of operation used by the Windows Service Manager.) The Rfmconf.exe Utility The CorreLog FIM includes a utility that permits remote configuration changes of the CO-Fmon.exe program. This utility is found in the "system\rfmconf.exe" file location of the main CorreLog Server. The utility permits an administrator (with authentication and security) to remotely change the configuration of the COsysmg.exe program, assisting in the configuration and maintenance of the program. CorreLog FIM, Page - 21

22 The configuration of the CorreLog FIM is discussed in detail within the sections that follow. Although it may not be necessary to ever change the default settings of the CO-Fmon.exe program, it may also be the case that match patterns, log file monitors, and other parameters will need to be maintained, especially during the initial setup and configuration of the system. The Rfmconf.exe program permits the user to download and upload the configuration file from a CO-Fmon.exe program. When uploading changes, the new configuration immediately takes affect within the CO-Fmon.exe program without requiring a restart of the service. Extensive checks and security features are incorporated into the system as detailed within later sections of this manual. Note that the Rfmconf.exe program is agreeable to use within batch files, so that an administrator can easily apply large numbers of changes to an enterprise. Also note that the CorreLog Server itself can effect these changes via the web interface. These remote configuration features are discussed in more detail within a separate section of this manual. Section Summary And Additional Notes 1. The CorreLog File Integrity Monitor Agent monitors file changes, either file additions, file deletions, or file changes. 2. The destination host address is configured in the CO-Fmon.cnf file, which is in the same location as the CO-Fmon.exe program, by default the directory C:\CorreLog\wintools. 3. The CO-Fmon.cnf file MUST exist in the above directory, and specifies a variety of parameters and configuration items detailed in the next section. 4. The CO-Fmon.exe program supports a variety of command line options, including a -foreground option, for running the program in foreground, and for checking the configuration file after edits. CorreLog FIM, Page - 22

23 Section 4: CO-Fmon Config File The CO-Fmon.cnf file contains all the parameters and specifications related to the program s operation. This file is found in the same directory as the CO- Fmon.exe program, by default the C:\CorreLog\wintools\CO-Fmon.cnf file. An example of this file is found in Appendix A of this document. There is no required editing of this file. The installation dialog creates a version of this file that will be adequate for many (and perhaps most) situations. However, if a user wishes to fine tune the parameters of the Syslog messages, or wishes to monitor streaming log files in addition to the Windows Event logs, or needs to change the location of the CorreLog Syslog destination, the file can be edited with a standard text editor, as explained here, or modified via the remote configuration functions as detailed in later sections of this manual. If the configuration file changes via a manual edit, the user must stop the CO- Fmon.exe service and restart the service. Any errors detected while reading the configuration file are logged to the CO-Fmon.log file, in the same directory as the CO-Fmon.exe program and CO-Fmon.cnf file. If the configuration file is changed via a remote configuration operation, no restart of the CO-Fmon.exe program is required. Detailed notes on this file, possibly of interest to administrators or developers, are provided in this section. Note that the information herein is not necessarily required to install and use the CO-Fmon.exe program, but is provided only to support more advanced applications and requirements. CorreLog FIM, Page - 23

24 Configuration Items In addition to specifying the destination address and port number, the configuration file contains a number of other settings that can be used to specify log files (in addition to the Win32 Event Log files), as well as match patterns that set the facility and severities of the various Syslog messages. The file contains the following sections. Destination Address And Port Number. The top of the file contains the destination and port number for Syslog messages. Remote Configuration Parameters. The next section of the file contains information regarding the remote configuration capability of the program, including the type of authentication and optional passkey required to permit remote configuration. Required Parameters. Following the above fields, the user can specify ancillary parameters, such as the severity of messages, and other values. Directory Specifications. Following the Required Parameters section are multiple entries that list all the files and facilities to be monitored. The user can configure multiple directories, and each directory can contain multiple match patterns and exclude patterns. Each of the above items is explained in more detail within the pages that follow. Refer to the end of this section for a printout of the default CO-Fmon.cnf file. Destination Address And Port Number Directives The CO-Fmon.exe program requires two directives, which must be configured in the CO-Fmon.cnf file. The initial configuration of these two directives is performed by the installation procedure, however the user can modify the values after installation to change the destination of Syslog messages. DestinationAddress This directive should be followed by a an IP address, which corresponds to the location of the CorreLog Syslog receiver (typically the IP address of the CorreLog web server.) If this value is invalid, the CO-Fmon program will not send Syslog messages. Destination Port This directive should be an integer number of 514, which is the standard UDP port number used by Syslog. Generally, this value is provided mainly for reference and cannot be easily changed. CorreLog FIM, Page - 24

25 These directives are required at the very top of the file, and cannot be moved to some other section of the file. If there are multiple entries, the last entry recorded in the file for these parameters is used, and the other directives are ignored. Remote Configuration Parameters The CO-Fmon.exe program supports remote configuration directives by the main CorreLog Server, or by the "rfmconf.exe" remote configuration utility. Following the Destination Address and Destination Port directives are a series of optional parameters to support this function. The following three directives are optional. ListenAuthMode This directive specifies the authentication mode used when processing remote requests. The directive is followed by an integer number between 0 and 3 as follows: 0=No authentication; 1=Authentication by source address; 2=Authentication by passkey; 3=Authentication by both source address and passkey. The default value is 3. ListenPassKey This directive is the passkey used with remote configuration when the ListenAuthMode is 2 or 3. The value serves as a simple password. (The corresponding password in the CorreLog Server is found in the System > Parameters tab of the web interface.) ListenPort This directive should be the integer number of 55515, which is the TCP port at which the CO-Fmon.exe program listens for remote requests. Generally, this value is provided mainly for reference and cannot be easily changed. If these three directives are commented out or removed from the configuration file, then remote configuration is disabled and only manual configuration of the CO-Fmon.exe program is permitted. Required Parameters Section Following the Remote Configuration directives are a series of required parameters as follows: Schedule This is the time at which periodic checks are scheduled: if "hourly", then a check is performed at the start of each hour; if "daily", then a check is performed each day at midnight; if "weekly" then a check is performed on Monday morning at midnight; if "monthly" then a check is performed at CorreLog FIM, Page - 25

26 midnight at the start of each month. No other settings are valid. (See the related value below.) SchedDelaySecs This is an integer value that can be used to postpone the scheduled execution of the program by some number of seconds, to permit staggered execution of the program on the network. If the value is greater than the interval selected as the "Schedule", then the value has no effect on the execution. ChangeSeverity This is the severity of messages sent when a file change is detected. The default value is "warning", but any valid severity can be specified, including the special "disabled" severity, which disables any notification if a file is changed. AddSeverity This is the severity of messages sent when a new file is detected. The default value is "notice", but any valid severity can be specified, including the special "disabled" severity, which disables any notification if a new file is detected. DeleteSeverity This is the severity of messages sent when a file deletion is detected. The default value is "notice", but any valid severity can be specified, including the special "disabled" severity, which disables any notification if a file is deleted. AutoGenImage This setting is either "True" or "False". The default value is "True", which means that the "Image File" is regenerated after each check of the system, and only new changes are reported. Setting this value to "False" will cause change messages to be sent until the change is undone, or a new image file is generated manually. If this setting is "True", then the Image File" is replaced with the latest list of files each time that a check is performed (which means that each change is reported once, instead of continuously until a new Image File is created.) UseChecksum This setting is either "True" or "False". The default value is "False", which means that changes are detected to files based upon the file creation date, modification date, and / or file size. When set to "True", file checksums are also generated and compared to detect changes. This value can degrade the speed of checks and increase CPU usage, but provides the most reliable way to detect changes to files. CorreLog FIM, Page - 26

27 PollDelayMsec This setting is a numeric value in the range of 1 to 100, which indicates the number of milliseconds to pause after testing each file on the system. The value can be used to reduce the CPU time consumed by the file checks. The default value is 10 milliseconds, which is adequate for most systems. Increasing this value too high will reduce CPU time, but increase the time to perform file checks. Directory Specifications Following the required parameters section are the directory specifications, which indicate which directories and files are to be monitored. Up to 50 different directories can be specified. By default, the system monitors the "/correlog" and "%SystemRoot%/system32" directories. Each directory on the system is identified along with a series of optional match and exclude patterns, which limit the range of files to be scanned. When a directory is specified, all sub-directories to that directory are also scanned unless the directory names are specifically excluded. The following directives are supported. Directory This directive is followed by the name of a Windows directory, with forward (UNIX style) slashes to delimit subdirectories. Any valid directory can be specified, including the entire disk (such as "C:/" or "D:/"). The pathname can include an environmental variable. All files in the directory, as well as all files in all subdirectories (unless specifically excluded) are scanned. MatchExt This directive must be preceded by the "Directory" directive, and specifies a file extension that must be matched before the file is monitored. By default, the File Monitor includes a number of match extensions such as ".exe", and ".dll", and ".bat". This directive permits the user to specify additional file extensions. (See the "MatchExt" section below.) ExclExt This directive must be preceded by the "Directory" directive. The value specifies a file extension that excludes a filename from monitoring. This furnishes a way of excluding a default pathname. (See the "MatchExt" section below.) MatchPatt This directive is similar to the "MatchExt" directive, except specifies a pattern that must be matched in the pathname before the file is monitored. For example, the value "/private/" will match all files in the path CorreLog FIM, Page - 27

28 "test/private/data". The user can include an arbitrary number of match patterns following each "Directory" directive. ExclPatt This directive is similar to the "ExclExt" directive. The value specifies a pattern that excludes a directory filename from monitoring. For example, the "/temp/" pattern will defer monitoring any file or pathname that contains the "/temp/" keyword. The user can include an arbitrary number of exclude patterns following each "Directory" directive. The "ExclPatt" can include file suffixes, such as "*.log", but more typically includes subdirectory names that are excluded from the monitor. RecursionDepth This optional directive must be preceded by the "Directory" directive, and indicates the maximum number of subdirectories to descend into. If the directory is omitted, the file integrity monitor will descend a maximum of 50 directories deep before stopping. The value is useful for situations such as scanning the C:\ root directory for changes without penetrating deeper into the system (in which case the RecursionDepth is zero.) MonitorMode This optional directive must be preceded by the "Directory" directive. If this directive is included, it modifies the way that file integrity is checked for the related files, overriding any other settings as follows: a value of 1 indicates only the file name is checked; a value of 2 indicates the filename and modify times are checked; a value of 3 indicates that the file name, modify times, and checksum values are checked. The directive can be used to modify the way files are checked. One use for this directive is to permit easy monitoring of the Windows "prefetch" directory files. Modifying the Configuration File The configuration directives are read during startup, and are re-read only if the user uploads a new configuration file to the system, such as via the CorreLog Server File Integrity Monitor screen. When a configuration file is uploaded, this automatically causes a new Image File to be generated based upon the changes to the file. Normally, the configuration file is modified only at the CorreLog Server, using the "File Integrity Monitor" configuration screen. This means that port must be open to the agent. Note that if the configuration file is directly modified on the managed system (such as with a text editor like "notepad") the changes are not read until the next time that the FMON Agent restarts, and no image file is generated. Therefore, the next time that the system starts, the FMON Agent will likely report a large CorreLog FIM, Page - 28

29 number of file additions, deletions, or modifications. In this case, the user should regenerate the image file manually, such as via the "CO-fmon.exe generate" function (described in a previous section.) MatchExt and MatchPatt Directives When scanning files and folders, the "MatchExt" and "MatchPatt" directive limits the files that are scanned and checked. The user can specify an extension (with or without a leading "*" or "." character) using "MatchExt", which limits monitoring to a particular file type. The user can specify any part of a pathname with the "MatchPatt" directive, to match entire pathnames. In addition to the values listed in the "MatchExt" directive, the file integrity monitor also scans and checks for any "*.exe", "*.dll", or other executable file extension (including more arcane extensions such as "*.pif", "*.msi", "*.msp", "*.com", "*.scr", "*.hta", "*.cpl", "*.msc", "*.vb", "*.vbs", "*.ps1", etc.) These default patterns can be listed with a MatchPatt, but are generally not necessary. Any default file extension that is not of interest can be excluded using an "ExclPatt" directive for the target file directory. A complete list of these extensions is available on request from CorreLog. Section Summary And Additional Notes 1. The CorreLog File Integrity Monitor configuration file resides in the same directory as the CO-Fmon.exe executable, and is the CO-Fmon.cnf file. By default, this file is located in the C:\CorreLog\wintools directory. 2. This file is read on Service Startup, and contains the name of the destination host, as well as other directives. 3. The file does not need to be modified, and comes ready-to-run. However, a user can tailor the file with directory names, match specifications, exclude specifications, and other parameters. 4. If the configuration file is manually modified directly on the system, the file is read only on service startup, which means the next time the agent starts there will be a large number of changes reported to CorreLog. The user should manually regenerate the Image File via the "CO-fmon.exe generate" function. 5. The user specifies a directory folder, and the system recursively descends into all subdirectories, checking all files that match the "MatchPatt" and do not match the "ExclPatt". CorreLog FIM, Page - 29

30 6. The optional "RecursionDepth" can be used to limit the depth of the scan for a directory folder. If omitted, up to 50 levels of directories re scanned. To scan just the specified directory, specify a "RecursionDepth" of zero. The best way to learn about the configuration items is to experiment with the file, adding directives, and then possibly running the CO-Fmon.exe program in foreground (using the -foreground option.) With this technique, a user can quickly target specific messages on the system. CorreLog FIM, Page - 30

31 Section 5: Remote Configuration The behavior and operation of the CO-Fmon.exe program is completely driven by its single configuration file, residing in the same directory as the program with a ".cnf" suffix. This configuration file does not necessarily have to be modified or adapted for the enterprise. However, depending on the organizational requirements, it may be necessary to make changes to this file in order to receive particular messages of interest. The user can manually edit this file, and restart the CO-Fmon.exe program (via the Windows "CorreLog File Integrity Monitor", service entry of the service manager.) This requires administrative access to the Windows platform that is hosting the CO-Fmon.exe program, and is the most secure way of implementing this service. As a special facility, configuration files can also be remotely downloaded and uploaded to effect changes in an automated way. This requires various permissions and adaptations described in this section. Specifically, remote configuration capability is limited by the value of the "ListenAuthMode" directive within CO-Fmon.cnf file, which controls and limits remote request via the source address of the client, or via passkey, or both. The default "ListenAuthMode" setting is 3, which requires both a valid passkey, and also the client to be at the same IP address as the destination address. Remote configuration capabilities of the CO-Fmon.exe program permit a high degree of flexibility, security, and maintainability of this program. This section will be of interest to system installers, administrators, and operations personnel. CorreLog FIM, Page - 31

32 Authentication Of Remote Configuration Requests The CO-Fmon.exe program listens for remote configuration requests at TCP port This port number is included in the configuration file for the program, but cannot be easily changed. If this port is busy when the CO-Fmon.exe program starts, or if the "ListenPort" directive is commented out of the file, then no remote configuration is possible and this particular capability of the CO-Fmon.exe program is disabled. Three different modes of operation are possible, as determined by the "ListenAuthMode" setting of the configuration file: Auth Mode 0. Setting the ListenAuthMode to a value of "0" disables authentication of requests. This value should probably never be used except in those very special circumstances where the CO-Fmon.exe program is executing on a detached network where security is not a concern. Auth Mode 1. Setting the ListenAuthMode to a value of "1" causes authentication of remote configuration requests based upon the IP address of the requesting platform. If this auth mode is used, then any remote configuration request to the CO-Fmon.exe program that originates on a platform other than the localhost " " address, or the value of the DestinationAddress directive, is rejected. The requesting program must be at the location that receives the Syslog messages, or on the localhost. Auth Mode 2. Setting the ListenAuthMode to a value of "2" causes authentication of remote configuration requests solely based upon the configured passkey. The value of the "ListenPassKey" value must agree precisely with the value passed to the "rfmconf.exe" program (discussed below) or the value configured at the CorreLog Server platform on the "System > Parms" screen. Initially, both of these passkey values are set to the keystring "Default", so no special configuration is required out-of-box. Auth Mode 3. Setting the ListenAuthMode to a value of "3" causes authentication of remote configuration requests to occur based both on the passkey (used in Auth Mode 2) and the source IP address (used in Auth Mode 1). This is the most secure way of managing the remote configuration process, and is the default out-of-box setting for the CO- Fmon.exe program. The values of "DestinationAddress", "DestinationPort", "ListenAuthMode", "ListenPassKey" and "ListenPort" cannot be change by the remote configuration process. Each of these values can be changed only by manually editing the CO- Fmon.exe configuration file. Attempts to modify any of these values are silently CorreLog FIM, Page - 32

33 bypassed. This enhances security by ensuring that these values can be changed only by remotely logging into the host platform with an administrative login, editing the configuration file manually, and then restarting the CO-Fmon.exe program. PassKey Configuration In some circumstances, the best (or only) type of authentication available will be with Auth Mode 2, which is "passkey" authentication. In particular, using a passkey as the sole authentication will be necessary on networks that are using NAT (Network Address Translation) or if the CorreLog Server is multi-homed, or if tunneling software is being used. In these cases, the destination address for Syslog messages may not be the same as the location of remote configuration requests, making the use of Auth Mode 1 or Auth Mode 3 difficult or impossible. The passkey is simply a text string of 40 characters or less. The value is casesensitive, but can contain any printable characters, including spaces. The value is passed as an argument to the "rfmconf.exe" program (discussed below) and also is configured in the CorreLog Server via the "System > Parms" tab. Because this value is "well-known", it is important to change this value across the enterprise when relying solely on passkey authentication. In general, for extra security, the "passkey" should be used to supplement the source IP address authentication. There is no "downside" to using passkey authentication other than making firewall issues slightly more complex to troubleshoot. The passkey is not transmitted across the network in clear text. The value is encrypted, hence is secure from attack by network sniffers. However, the value is in clear text within the CO-Fmon.cnf file, hence this file should be protected from unauthorized access (such as by limiting access to the host machine.) Remote Configuration Via The CorreLog Web Interface The CorreLog web interface includes special screens to permit users to view the File Integrity Monitor status and configuration, and apply changes to the remote FMON Agent program. The user accesses this screen by first clicking on an IP address hyperlink anywhere within CorreLog, and then clicking the "File Integrity Monitor" In particular, this screen is always two clicks away from any IP address reference on the system. By default, this screen is automatically enabled for any device that is running the standard Windows Agent program. (The screen is similar to the Windows Agent remote configuration screen, but is entirely separate from the Windows Agent screen, and does not interact or affect settings of the Windows Agent program.) CorreLog FIM, Page - 33

34 The File Integrity Monitor Remote Configuration Editor screen is depicted below. Note: To access the above screen, the user may first need to enable remote configuration of the File Integrity Monitor by accessing the "Device Information" screen for the host device. This is accomplished by clicking on the target device hyperlink (found in various locations within CorreLog, in particular in the "Messages > Device" tab.) On the "Device Information" screen, the user can click the "Edit Device Info" hyperlink, and set the values of "Enable Remote Config Editor" and "Enable File Integrity Monitor" to both be "Yes". Both settings are required to access the remote configuration editor depicted above. The top-level screen contains controls that permit viewing of the "Image" file, the list of last changes, as well as direct editing of the configuration file. The screen also provides a "Config" button that allows the user to edit the configuration parameters (discussed later in this section.) CorreLog FIM, Page - 34

35 "Current Status" Indicator The "Remote Configuration Editor" screen includes a "Current Status" field at the upper right of the screen, which indicates the current status of the FIM program, either "Ready", or "Busy". This indicates whether the remote agent is busy scanning the remote file system. The indicator operates as follows: Ready. In a "Ready" state, the user can view file lists via the hyperlinks, and can modify parameters. Additionally, the user can create new image file or can run the check function. Busy. In a "Busy" state, the user cannot view file lists via the hyperlinks and cannot modify parameters, generate a new image file, or run the check function. When "Busy", the "Total File Count" will increment showing the progress of the remote file scan operation. The amount of time spent in the "Busy" state is affected by the number of files being scanned, the schedule of files, and the "PollDelayMsec" setting (accessed via the "Config" button.) On most systems, the "Busy" state will last about one or two minutes each cycle. However, if the number of files being monitored is large, and the "PollDelayMsec" is set too high, the "Busy" state may persist for fifteen minutes or more. In this case, the user should consider reducing the number of files or the "PollDelayMsec" value, or should schedule the system to run once a day (as opposed to hourly.) Remote Configuration Parameters The user can click on the "Config" button of the top-level "File Integrity Monitor" screen to view and modify the various parameters of the remote agent. This screen allows the user to modify the execution schedule, severities of messages, and other parameters. The user can modify these parameters while the FMON Agent is running. Clicking the "Commit" button automatically commits changes to the remote FMON Agent and causes a new "Image File" to be created. As an alternative, the user can also directly edit the configuration file via the "Edit Remote Config" hyperlink on the top-level File Integrity Monitor screen show previously. This permits the user to modify the basic parameters (discussed here) as well as any of the monitored directories, file match patterns, and file exclude patterns. The Remote Configuration Parameters screen is depicted below. CorreLog FIM, Page - 35

36 Note: The user can access the basic parameters of the FMON Agent via the "Config" button, but cannot modify any of the directory specifications, file match patterns, or file exclude patterns. Modification of the directory specifications (as well as all other parameters here) is accomplished only by clicking the "Directly Edit Remote Configuration File" hyperlink. Run File Integrity Check Now. This button causes a file integrity check to be immediately run by the agent. This is useful if the operator wishes to immediately see if any files have been added to the system (rather than waiting for the scheduled execution. Create New File Image. This button causes a new image file to be immediately generated. All changes are reset, and future disk scans will compare the list of files to the new image file. Schedule Checks. This setting controls when file scans occur, corresponding to the "Schedule" directive in the configuration file. The user can set the value to be "hourly", "daily", "weekly", "monthly", or "disabled". The "disabled" setting disables all file checks. CorreLog FIM, Page - 36