Navigating Folder Integrity Monitoring (FIM) Policy Using a Targeted Approach
Article ID: 276158
Products
Data Center Security Server Advanced
Issue/Introduction
This article walks through an example FIM (Folder Integrity Monitoring) policy, including exclusions based on folder name, file name, and file extension.
Environment
Windows, Linux, Unix
Cause
Folder and/or file exclusions are not honored in policy.
Changes to monitored files and/or directories are not captured.
Resolution
From the Java Console (Console.exe), under the Detection tab, click "Add" in the Detection Policies pane:
In the New Policy Wizard, give the detection policy a name, select "Windows" for Operating System, and select "All" for Policy Pack.
From the list select "Windows_Template_Policy" and click "Next".
Click "Next" and then "Finish" on the subsequent window.
Open the newly created policy and click "My Custom Rules".
Click the plus (+) icon to open the New Custom Control Wizard.
Give the new control a name, select "File Watch" for Category, and give the control an Identifier. Note: The Display Name and Identifier, along with the optional Group Tags, are arbitrary values.
Click the Edit[+] option on the newly created rule to open its Settings.
Note: For this example, we will enable several of the in-depth capabilities that Symantec FIM (folder integrity monitoring) offers. Check the box next to "File Watch Rule Options" and click the Edit[+] option next to it.
Give values for Rule Name and Severity. For example:
Enable the following options:
- Monitor file creation
- Monitor file deletion
- Monitor file modification
- Monitor file access
- Files to watch
- Files to ignore
Ensure that "Record Event to SDCSS Console" is also selected. For example:
Click the Edit[+] option next to "Files to watch" and click "Add". For the Value, enter the path to a folder or file to be monitored. In this example we will monitor a user's desktop:
Note: * (asterisk) is a wildcard; it is not required in order to monitor a folder's contents.
Click OK to commit the Value to the List of Files to Watch. For example:
Click the Edit[+] button next to "Files to ignore" and enter the path to a file or folder to be ignored (wildcards are permitted). For this example we will ignore any *.txt files located in a folder named "ignore_extensions", and any *.ini files wherever they are within the "C:\Users\testuser\Desktop" folder. For example:
Click OK to save the changes to the Policy.
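The interaction between the "Files to watch" and "Files to ignore" lists above is the part of the policy most often misconfigured when exclusions appear not to be honored. The following is an added model of the example policy, not Symantec DCS code: it assumes that an event is recorded only when the path matches a watch entry and no ignore entry, that "*" behaves as an fnmatch-style wildcard spanning subfolders, and that matching is case-insensitive as on Windows. The sample event paths are constructed for illustration. Use it to sanity-check which paths an exclusion actually covers before deploying the policy.

```python
"""Model of how the example policy's 'Files to watch' and 'Files to ignore'
lists interact.  Added illustration only, not the product's algorithm: the
precedence rule (ignore wins over watch), fnmatch-style '*' semantics and
case-insensitive comparison are assumptions made here to show the effect
of the rules described in the article."""

import fnmatch
import ntpath

# The two lists configured in the article's example policy.
FILES_TO_WATCH = [
    r"C:\Users\testuser\Desktop\*",
]
FILES_TO_IGNORE = [
    r"C:\Users\testuser\Desktop\ignore_extensions\*.txt",  # *.txt only inside that folder
    r"C:\Users\testuser\Desktop\*.ini",                    # *.ini anywhere under Desktop
]


def _normalize(path):
    # Windows paths are case-insensitive and accept either separator; fold
    # case and unify separators so 'c:/users/...' equals 'C:\Users\...'.
    return ntpath.normcase(path)


def matches_any(path, patterns):
    """True if the normalized path matches at least one pattern.

    fnmatch's '*' also matches backslashes, so 'Desktop\\*' covers files in
    nested subfolders, which is how folder-contents monitoring is described.
    """
    norm = _normalize(path)
    return any(fnmatch.fnmatchcase(norm, _normalize(p)) for p in patterns)


def should_report(path):
    """Would a file event on 'path' be recorded under the example policy?

    Assumed precedence: the path must fall under a watched entry and must
    not fall under any ignored entry.
    """
    return matches_any(path, FILES_TO_WATCH) and not matches_any(path, FILES_TO_IGNORE)


def classify(paths):
    """Return {path: 'reported' | 'ignored' | 'not watched'} for a batch of paths."""
    result = {}
    for p in paths:
        if not matches_any(p, FILES_TO_WATCH):
            result[p] = "not watched"
        elif matches_any(p, FILES_TO_IGNORE):
            result[p] = "ignored"
        else:
            result[p] = "reported"
    return result


# Constructed sample event paths (not from the article) exercising each rule.
SAMPLE_EVENTS = [
    r"C:\Users\testuser\Desktop\report.docx",                  # reported
    r"C:\Users\testuser\Desktop\notes.txt",                    # reported: *.txt ignore is folder-scoped
    r"C:\Users\testuser\Desktop\ignore_extensions\notes.txt",  # ignored
    r"C:\Users\testuser\Desktop\ignore_extensions\keep.log",   # reported: only *.txt is ignored there
    r"C:\Users\testuser\Desktop\settings.ini",                 # ignored
    r"C:\Users\testuser\Desktop\tools\app.ini",                # ignored: *.ini anywhere under Desktop
    r"C:\Users\testuser\Desktop\Sub\DEEP\file.INI",            # ignored: case-insensitive match
    r"C:\Users\otheruser\Desktop\secret.txt",                  # not watched: outside the watch list
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_EVENTS).items():
        print(f"{verdict:12} {path}")
```

The folder-scoped *.txt exclusion and the Desktop-wide *.ini exclusion behave differently for the same file name in different folders; if a change you expected to be captured is missing, check whether a broad pattern like the *.ini entry is swallowing it, and if an exclusion is not honored, check whether it is scoped to a narrower folder than the one the file actually lives in.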
Lastly, open the UMC (Unified Management Console), also known as the Web Console, assign this Policy to a test Security Group, and assign an Asset to that group.
From the UMC navigate to the "Server" page by clicking on the "Unified Management Console" drop-down and selecting "Server".
From this DCS Server page navigate to Security Groups.
Click the + icon to create a new Security Group. Note: Alternatively, you may use an existing Security Group; for this example a new Security Group will be added.
Enter a name and category for the Security Group and, in the Detection Policies section, select the newly created policy from the list. Note: For this example all the default Common, Prevention and Detection parameters will be selected, along with a null Prevention policy. Adapt this to your needs:
Click "Save and Reapply".
Go to Assets (at the top), navigate to a test Asset, select it and click "Assign Security Group".
Select the security group from the drop-down list and click "Done".