Data Center Security IDS file integrity monitoring events generated as polling rather than real time events.

Article ID: 169540

Products

Data Center Security Monitoring Edition
Data Center Security Server
Data Center Security Server Advanced

Issue/Introduction

With real time file integrity monitoring (RTFIM) enabled, IDS file integrity monitoring (FIM) events are generated as polling events rather than real time events for a short time after a DCS agent reboot.

Users see "missing" file modification data in the events that are generated.

Users will see polling events similar to the one below for any file modified after an agent reboot but before the IDS service has completely initialized. In the record, "P" indicates a polling event and "M" indicates a file modification event.

DFWU,12,2017-05-22 03:56:12.000 Z+0530,W,59,R,c93dfb5e6c52d6b913bcea4ad74863a3,FileWatch_Changes_Sys_Core_Configuration_Files,FileWatch_Sys_Core_Configuration_Files,,,,,,P,/etc/rsyslog.conf,M,,,,,,,,2017-05-22 09:23:51,2017-05-22 09:25:59,2017-05-22 09:23:53,2017-05-22 09:26:01,,,,,2,2,,,,,,,,,,,

Users expect to see information similar to the real time event example below ("R" indicates a real time event):

DFWU,15,2017-05-22 03:57:12.000 Z+0530,W,59,R,c93dfb5e6c52d6b913bcea4ad74863a3,FileWatch_Changes_Sys_Core_Configuration_Files,FileWatch_Sys_Core_Configuration_Files,,root,,/usr/bin/bash,23121,R,/etc/rsyslog.conf,M,,,3359,3362,,,,2017-05-22 09:25:59,2017-05-22 09:27:12,,,,,,,2,2,,,,,,,,,,,

Cause

The IDS service must be initialized as shown below before file integrity monitoring can generate real time file modification events that carry real time file information, such as the user who made the change and what modification was performed on the file in question:

MSTD,15,2017-05-22 03:55:56.000 Z+0530,I,0,R,,,IA_0024,,,,Main Module,,,,,IA_0024,,,,IA_0024: Symantec IDS Service is stopping

MSTD,1,2017-05-22 03:55:59.000 Z+0530,I,0,R,,,IA_0023,,,,Main Module,,,,,IA_0023,,,,IA_0023: Symantec IDS Service has started

MSTD,2,2017-05-22 03:55:59.000 Z+0530,I,0,R,,,FWC_0028,,,,Filewatch Collector,,,,,FWC_0028,,,,FWC_0028: Real-Time File Integrity Monitoring successfully initialized.

In DCS, polling file integrity monitoring does not capture real time event data. Polling is the act of checking critical system files at designated intervals: file attributes are calculated and compared with a preexisting "baseline" scan of the critical system files, and events are generated if any differences between the two are found. In DCS, filewatch.dat is used to watch for changes made during the reboot sequence or at any time the IDS service is stopped; those changes are also reported as polling events.

Polling events show that the file was modified, but because DCS does not collect real time file information while doing polling file integrity monitoring, users may see these events as "missing" information, such as which user modified the file and what was modified. This is working as designed.

Here is an example of what a file modification event looks like before the IDS service is fully initialized. Note: user and file modification information is not provided by default in polling mode.

DFWU,12,2017-05-22 03:56:12.000 Z+0530,W,59,R,c93dfb5e6c52d6b913bcea4ad74863a3,FileWatch_Changes_Sys_Core_Configuration_Files,FileWatch_Sys_Core_Configuration_Files,,,,,,P,/etc/rsyslog.conf,M,,,,,,,,2017-05-22 09:23:51,2017-05-22 09:25:59,2017-05-22 09:23:53,2017-05-22 09:26:01,,,,,2,2,,,,,,,,,,,

Here is an example of the data that a real time event shows for a monitored file after the IDS service is completely initialized.

DFWU,50,2017-05-17 09:12:08.000 Z-0400,W,59,R,39b2741cff91816400fa7787ddfd2c8a,FileWatch_Changes_Sys_Core_Configuration_Files,FileWatch_Sys_Core_Configuration_Files,,root,,/usr/bin/vi,32430,R,/etc/resolv.conf,M,,,,,,,,2017-05-17 05:10:20,2017-05-17 05:12:08,2017-05-17 05:10:20,2017-05-17 05:12:08,,,,,2,2,,,,,,,,,,,
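The records above are comma-separated, so the polling/real time mode, the path, and the user and process fields can be pulled out by position. The script below is an added triage example, not part of this article or of the DCS product: it reads the MSTD and DFWU records, marks each FIM event as real time ("R") or polling ("P"), and for polling events checks whether an FWC_0028 initialization message preceded it within a grace window, which the article describes as expected after a reboot. The field offsets and the 60 second window are assumptions taken from the sample records, and the last sample record is constructed.

```python
import csv
from datetime import datetime, timedelta

# Field offsets inferred from the sample records in this article (assumption).
TS, MSG_ID, USER, PROC, MODE, PATH = 2, 8, 10, 12, 14, 15
GRACE = timedelta(seconds=60)  # assumed start-up window; not a DCS setting

def parse_ts(raw):
    """'2017-05-22 03:56:12.000 Z+0530' -> timezone-aware datetime."""
    return datetime.strptime(raw.replace(" Z", ""), "%Y-%m-%d %H:%M:%S.%f%z")

def triage(lines):
    """Classify each DFWU record as real time or polling; for polling events,
    report whether an FWC_0028 initialization preceded it within GRACE."""
    init_times, events = [], []
    for f in csv.reader(lines):
        if f and f[0] == "MSTD" and f[MSG_ID] == "FWC_0028":
            init_times.append(parse_ts(f[TS]))
        elif f and f[0] == "DFWU":
            events.append(f)
    results = []
    for f in events:
        ts = parse_ts(f[TS])
        rec = {"path": f[PATH], "mode": f[MODE],
               "user": f[USER] or None, "process": f[PROC] or None}
        if f[MODE] == "R":
            rec["verdict"] = "real-time"
        elif any(timedelta(0) <= ts - t <= GRACE for t in init_times):
            rec["verdict"] = "polling during IDS start-up (expected)"
        else:
            rec["verdict"] = "polling outside start-up window: verify RTFIM"
        results.append(rec)
    return results

# Records 1-4 are quoted from the article; record 5 is constructed for the example.
SAMPLE = [
    "MSTD,1,2017-05-22 03:55:59.000 Z+0530,I,0,R,,,IA_0023,,,,Main Module,,,,,IA_0023,,,,IA_0023: Symantec IDS Service has started",
    "MSTD,2,2017-05-22 03:55:59.000 Z+0530,I,0,R,,,FWC_0028,,,,Filewatch Collector,,,,,FWC_0028,,,,FWC_0028: Real-Time File Integrity Monitoring successfully initialized.",
    "DFWU,12,2017-05-22 03:56:12.000 Z+0530,W,59,R,c93dfb5e6c52d6b913bcea4ad74863a3,FileWatch_Changes_Sys_Core_Configuration_Files,FileWatch_Sys_Core_Configuration_Files,,,,,,P,/etc/rsyslog.conf,M,,,,,,,,2017-05-22 09:23:51,2017-05-22 09:25:59,2017-05-22 09:23:53,2017-05-22 09:26:01,,,,,2,2,,,,,,,,,,,",
    "DFWU,15,2017-05-22 03:57:12.000 Z+0530,W,59,R,c93dfb5e6c52d6b913bcea4ad74863a3,FileWatch_Changes_Sys_Core_Configuration_Files,FileWatch_Sys_Core_Configuration_Files,,root,,/usr/bin/bash,23121,R,/etc/rsyslog.conf,M,,,3359,3362,,,,2017-05-22 09:25:59,2017-05-22 09:27:12,,,,,,,2,2,,,,,,,,,,,",
    "DFWU,99,2017-05-22 05:30:00.000 Z+0530,W,59,R,hash-placeholder,FileWatch_Changes_Sys_Core_Configuration_Files,FileWatch_Sys_Core_Configuration_Files,,,,,,P,/etc/hosts,M,,,,,,,,,,,,,,,,,,,,,,,,,,,,",
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["mode"], r["path"], r["user"], r["process"], r["verdict"])
```

A polling event that appears long after the last FWC_0028 message is worth a second look, since the article expects real time events once initialization has completed.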

Environment

IDS on all DCS agent versions. 

Pertains to:

Windows Baseline Detection Policy

Unix Baseline Detection Policy 

Resolution

After an agent reboot, allow the IDS service to fully initialize, as indicated by the messages below, before modifying files:

MSTD,15,2017-05-22 03:55:56.000 Z+0530,I,0,R,,,IA_0024,,,,Main Module,,,,,IA_0024,,,,IA_0024: Symantec IDS Service is stopping

MSTD,1,2017-05-22 03:55:59.000 Z+0530,I,0,R,,,IA_0023,,,,Main Module,,,,,IA_0023,,,,IA_0023: Symantec IDS Service has started

MSTD,2,2017-05-22 03:55:59.000 Z+0530,I,0,R,,,FWC_0028,,,,Filewatch Collector,,,,,FWC_0028,,,,FWC_0028: Real-Time File Integrity Monitoring successfully initialized.