Navigating Folder Integrity Monitoring (FIM) Policy Using a Targeted Approach

Article ID: 276158

Products

Data Center Security Server Advanced

Issue/Introduction

The following article highlights several policy examples for FIM (Folder Integrity Monitoring), including exclusions based on folder name, file name, and extensions.

Environment

Windows
Linux
Unix

Cause

  • Folder and/or file exclusions are not honored in policy.
  • Changes to monitored files and/or directories are not captured.

Resolution

  1. From the Java Console (Console.exe), under the Detection tab, click "Add" in the Detection Policies pane.
  2. In the New Policy Wizard, give the detection policy a name; for Operating System select "Windows" and for Policy Pack select "All".
  3. From the list select "Windows_Template_Policy" and click "Next".
  4. Click "Next" and then "Finish" on the subsequent windows.
  5. Open the newly created policy and click "My Custom Rules".
  6. Click the plus (+) icon to open the New Custom Control Wizard.
  7. Give the new control a name, for Category select "File Watch", and give the control an Identifier.
    Note: The Display Name and Identifier, along with the optional Group Tags, are arbitrary values.
  8. Click the Edit[+] option on the newly created rule to open the Settings for the rule.
  9. Note: For this example, we will enable multiple in-depth capabilities that Symantec FIM (folder integrity monitoring) has to offer.  Check the box next to "File Watch Rule Options" and click the Edit[+] option next to the same.
  10. Give values for Rule Name and Severity.
  11. Enable the following options:
    Monitor file creation
    Monitor file deletion
    Monitor file modification
    Monitor file access
    Files to watch
    Files to ignore

    Ensure that "Record Event to SDCSS Console" is also selected.
  12. Click the Edit[+] option next to "Files to watch" and click "Add". For the Value, enter the path to the folder or file to be monitored. In this example we will monitor a user's desktop folder.
    Note: * (asterisk) is a wildcard; it is not required when monitoring the contents of a folder.
  13. Click OK to commit the Value to the List of Files to Watch.
  14. Click the Edit[+] button next to "Files to ignore" and enter the direct path to a file or folder to be ignored. For this example we will ignore any *.txt files located in a folder named "ignore_extensions", and *.ini files wherever they are within the "C:\Users\testuser\Desktop" folder.
  15. Click OK to save the changes to the Policy.
  16. Lastly, open the UMC (Unified Management Console), also known as the Web Console, assign this Policy to a test Security Group, and assign an Asset to that group.
  17. From the UMC navigate to the "Server" page by clicking on the "Unified Management Console" drop-down and selecting "Server".
  18. From this DCS Server page navigate to Security Groups.
  19. Click the + icon to create a new Security Group.
    Note: Alternatively, you may use an existing Security Group, for this example a new Security Group will be added.
  20. Enter a name and category for the Security Group; in the Detection Policies section, select the newly created policy from the list.
    Note: For this example all the default Common, Prevention and Detection parameters will be selected, along with a null Prevention policy. Adapt this to your needs.
  21. Click "Save and Reapply".
  22. Go to Assets (at the top), navigate to a test Asset, select it and click "Assign Security Group".
  23. Select the security group from the drop-down list and click "Done".
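The watch and ignore lists from steps 12 to 14 can be sanity-checked before the policy is assigned to an asset. The Python script below is an added example, not part of this article or of the DCS product: it models the rule as case-insensitive glob matching in which the asterisk may span path separators (an assumption about the agent's matching, not its documented behaviour) and reports which constructed sample events would be recorded.

```python
import fnmatch

# Constructed from the article's example: watch the test user's desktop,
# ignore *.txt only inside a folder named "ignore_extensions", and ignore
# *.ini anywhere beneath the desktop. Matching is modelled as a
# case-insensitive glob in which "*" may span path separators (an
# assumption, not the DCS agent's documented matching engine).
EXAMPLE_RULE = {
    "monitor": {"create", "delete", "modify", "access"},
    "files_to_watch": [r"C:\Users\testuser\Desktop\*"],
    "files_to_ignore": [
        r"C:\Users\testuser\Desktop\ignore_extensions\*.txt",
        r"C:\Users\testuser\Desktop\*.ini",
    ],
}

def _matches(path, patterns):
    """Case-insensitive glob match of a Windows path against any pattern."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)

def should_record(rule, event_type, path):
    """True if the event would be recorded to the console under `rule`:
    the event type is monitored, the path is in the watch list, and no
    ignore pattern matches it."""
    if event_type not in rule["monitor"]:
        return False
    if not _matches(path, rule["files_to_watch"]):
        return False
    return not _matches(path, rule["files_to_ignore"])

def evaluate(rule, events):
    """Map each constructed (event_type, path) pair to True (recorded)."""
    return {path: should_record(rule, etype, path) for etype, path in events}

if __name__ == "__main__":
    # Constructed sample events a tester might generate on the asset.
    sample = [
        ("create", r"C:\Users\testuser\Desktop\report.docx"),
        ("modify", r"C:\Users\testuser\Desktop\ignore_extensions\notes.txt"),
        ("create", r"C:\Users\testuser\Desktop\ignore_extensions\trace.log"),
        ("delete", r"C:\Users\testuser\Desktop\projects\app.ini"),
        ("modify", r"C:\Users\testuser\Documents\other.txt"),
    ]
    for path, recorded in evaluate(EXAMPLE_RULE, sample).items():
        print("RECORDED" if recorded else "ignored ", path)
```

A .log file inside "ignore_extensions" is still recorded, since only *.txt is excluded there; compare that against what the agent actually reports for the same test files on the asset.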