Create File Integrity Monitor Policies
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
You can create new FIM policies using the File Integrity Monitor Policy Manager. The LogRhythm deployment also includes default policy templates for each supported operating system. These templates are examples of policies that can be created. Using them without modifying them to fit your specific needs is not recommended. For more information, see Modify File Integrity Monitor Policies.
- On the main toolbar, click Deployment Manager.
- On the Tools menu, click Administration, and then click File Integrity Monitor Policy Manager.
- On the File menu, click New.
  The File Integrity Monitor Policy Properties window appears.
- Enter a policy name and description.
- Right-click in the Monitoring Configurations grid, and then click New.
- Enter a configuration name.
- Select the configuration properties you want.
Field/Button: Description

Name
The name of the configuration. It must be unique.

Enable Start/Stop Time
Select the check box to set monitoring to start and stop at the specified time every day.

Start Time
Select the hour and minute that monitoring should start each day. This field cannot be edited unless the Enable Start/Stop Time check box is selected.

Stop Time
Select the hour and minute that monitoring should stop each day. This field cannot be edited unless the Enable Start/Stop Time check box is selected.

Interval
Set the frequency, in minutes, of the monitoring interval. Range is 1 - 10080 minutes.

Max Hashed File Bytes
Set the maximum file size, in kilobytes, that FIM reviews for changes. If the files being monitored are over 1 MB, this value can save time by limiting how much of each file is examined. For example, if Max Hashed File Bytes is set to 1024, only the first 1024 KB of the file is checked for changes; a change beyond that point does not alter the compared hash.

Max Depth
Applies only when the monitored item is a directory and controls the number of subdirectories the monitor descends to detect changes. Max Depth specifies how many subdirectories below a monitored directory to look for FIM events.
EXAMPLE
- The monitored directory is C:\DirA
- Max Depth = 2
- The host directory structure is C:\DirA\DirB\DirC
The Agent travels two directories below C:\DirA looking for FIM events. Files in:
- C:\DirA are at depth 0
- C:\DirA\DirB are at depth 1
- C:\DirA\DirB\DirC are at depth 2
Monitoring Flags
Indicates when FIM logs are generated:
- Read. The monitored item is read. This option may generate a large number of logs.
- Modify. The monitored item is modified. When FIM is monitoring for Modify events, the HashEqualAnomalyEvent is generated if a monitored file is modified but the file's hash value is unchanged.
- Permissions. Permissions are changed on a monitored item.
- Add. An item is added to the monitored directory. The Add option cannot be disabled.
- Delete. The monitored item is deleted. The Delete option cannot be disabled.

OK
Saves the record, closes the window, and displays the record in the File Integrity Monitor Policy Manager grid.

Cancel
Cancels the process, closes the window, and does not create the record.

- Click OK.
- Right-click the Monitored Items grid, and then click New.
- Select the configuration properties you want.
Field/Button: Description

Type
Select File or Directory.
Path
Specify the path of the directory or the location and file name of the file to monitor. Cannot include a wildcard.
Configuration
Select from the monitoring configurations created for this policy.
Inclusions
A comma-separated list of files and directories to include in monitoring. If nothing is specified, all files and directories are monitored. Applies only to directories, where it defines what is monitored and what triggers FIM logs.
To determine your inclusions:
- Identify the files and directories that should be monitored within your network. LogRhythm supports file names and directory paths up to approximately 32,000 characters in length.
  File Integrity Monitor is not suitable for use on large directories with thousands of files that are modified frequently. It is intended for monitoring operating system files and other limited, critical files. Enabling FIM on directories with tens of GB of data results in poor performance. The default policies, shown as templates in the FIM Policy Manager, are limited to Windows system files, which are fairly static.
- Determine which changes are important to monitor for files:
  - READ. When a file is accessed. The File Integrity Monitor does not always capture Read events on monitored files for Windows 2008 R2, Vista, or Windows 2003 Server.
  - MODIFY. When a file is edited.
  - PERMISSIONS. For Windows, when a file owner, group, or ACL changes. For UNIX, when a file owner is changed or file permissions are changed.
  - DELETE. When a file is deleted. This setting is automatic and cannot be canceled.
- Determine which changes are important to monitor for directories:
  - PERMISSIONS. For Windows, when a directory has an owner change or when a file within the directory has an owner change. For UNIX, when a directory has an owner or permissions change, or a file within the directory has an owner or permissions change.
  - DELETE. When a file is deleted from a directory. This setting is automatic and cannot be canceled.
  - ADD. When a file is added to a directory. This setting is automatic and cannot be canceled.
If you are running Windows 2008 or Windows 2008 R2 and want to monitor the C:\Documents and Settings directory, changes are not seen because it is a junction point to C:\Users. Instead, enter the folder C:\Users when setting up the directory monitoring.
If you want to monitor a type of file created by an application that creates temporary files (such as Microsoft Word .docx documents), monitor the parent directory of the modified file instead of the specific file type.
Exclusions
A comma-separated list of files and directories to exclude from monitoring. Applies only to directories, where it narrows what is monitored and what triggers FIM logs. If both include and exclude filters are specified, only files that match the include filter and do not match the exclude filter are monitored.
Exclusions take precedence over Inclusions. If you mistakenly put the same file type in both categories, the file type is excluded from the monitoring process.
It is important to identify resource-taxing FIM objects and create exclusions for them. For example, you want to identify automated scripting objects that are constantly changing.
For more information, see Create Inclusions and Exclusions for FIM.
OK
Saves the record, closes the window, and displays the record in the File Integrity Monitor Policy Manager grid.
Cancel
Cancels the process, closes the window, and does not create the record.
- Click OK.
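To make the Max Depth and Max Hashed File Bytes behaviour of a monitoring configuration, and the rule that Exclusions win over Inclusions, concrete, here is an added Python illustration that is not LogRhythm code. It assumes a policy with Max Depth 2, a 1 KB hash limit, and glob-style matching of the Inclusions and Exclusions lists against the file name; the Agent's actual matching rules are described in Create Inclusions and Exclusions for FIM.

```python
import fnmatch, hashlib, os, tempfile

POLICY = {  # constructed values; matching rules below are assumptions, not LogRhythm internals
    "max_depth": 2,                     # DirA=0, DirA\DirB=1, DirA\DirB\DirC=2
    "max_hashed_kb": 1,                 # "Max Hashed File Bytes" in KB; 1 KB keeps the demo small
    "inclusions": ["*.conf", "*.dll"],
    "exclusions": ["*.tmp", "*.conf"],  # *.conf appears in both lists: the exclusion wins
}

def depth_of(root, path):
    """Depth of a file below the monitored directory; files directly in root are depth 0."""
    rel = os.path.relpath(os.path.dirname(path), root)
    return 0 if rel == "." else rel.count(os.sep) + 1

def in_scope(policy, root, path):
    """Would this file be monitored? Depth limit first, then exclusions take precedence over inclusions."""
    name = os.path.basename(path)
    excluded = any(fnmatch.fnmatch(name, p) for p in policy["exclusions"])
    if depth_of(root, path) > policy["max_depth"] or excluded:
        return False
    inc = policy["inclusions"]
    return not inc or any(fnmatch.fnmatch(name, p) for p in inc)

def prefix_hash(path, max_kb):
    """Hash only the first max_kb KB, which is all a Max Hashed File Bytes limit compares."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(max_kb * 1024)).hexdigest()

def scope_decisions(root="DirA"):
    """Path-only checks (no files needed): {label: monitored?} for constructed paths."""
    return {
        "depth2_dll": in_scope(POLICY, root, os.path.join(root, "DirB", "DirC", "svc.dll")),
        "depth3_dll": in_scope(POLICY, root, os.path.join(root, "DirB", "DirC", "DirD", "svc.dll")),
        "conf_in_both": in_scope(POLICY, root, os.path.join(root, "main.conf")),
        "log_not_included": in_scope(POLICY, root, os.path.join(root, "app.log")),
    }

def hash_limit_demo():
    """(change past the limit detected?, change inside the limit detected?) for a constructed 4 KB file."""
    with tempfile.TemporaryDirectory() as tmp:
        big = os.path.join(tmp, "big.dll")
        with open(big, "wb") as f:
            f.write(b"\x00" * 4096)                 # 4 KB, larger than the 1 KB hash limit
        base = prefix_hash(big, POLICY["max_hashed_kb"])
        detected = []
        for offset in (3000, 10):                   # first past the hashed prefix, then inside it
            with open(big, "r+b") as f:
                f.seek(offset); f.write(b"X")       # constructed one-byte modification
            detected.append(prefix_hash(big, POLICY["max_hashed_kb"]) != base)
        return tuple(detected)
```

Running scope_decisions() shows the depth-3 file and the *.conf file that appears in both lists dropping out of scope, and hash_limit_demo() returns (False, True): a byte changed past the hashed prefix leaves the compared hash unchanged, which is why the limit should be sized to cover the part of a file that matters.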