How to configure File Integrity Monitoring on BOSH Director

Article ID: 293629

Products

Operations Manager

Issue/Introduction

After installing File Integrity Monitoring (FIM) on the BOSH Director by following the installation steps described in the docs, the fim job on the Director is configured with the following default settings in /var/vcap/jobs/fim/filesnitch.conf:
{
  "dirs": ["/boot/grub", "/root", "/bin", "/etc", "/lib", "/lib32", "/lib64", "/opt", "/sbin", "/srv", "/usr", "/var/lib", "/var/vcap/bosh", "/var/vcap/monit/job", "/var/vcap/data/packages", "/var/vcap/data/jobs"],
  "outputs": ["syslog"],
  "format": "CEF:0|cloud_foundry|fim|1.0.0|{{.OpType}}|file integrity monitoring event|{{.Severity}}| {{.KeyValues}}",
  "digests": [],
  "digest_threshold": 10000000,
  "hostname": "bosh/0",
  "ignored_patterns": ["^/etc/passwd.+$", "^/etc/shadow.+$", "^/etc/subgid.+$", "^/etc/subuid.+$", "^/etc/group.+$", "^/etc/gshadow.+$", "^/etc/hosts.+$", "^/var/vcap/bosh/log/.+$", "^/var/lib/logrotate/status.*$"],
  "low_severity_patterns": ["^/etc/passwd$", "^/etc/shadow$", "^/etc/subgid$", "^/etc/subuid$", "^/etc/group$", "^/etc/gshadow$", "^/etc/hosts$", "^/etc/mtab$", "^/var/lib/dhcp/dhclient.eth\\d+.leases$", "^/var/vcap/bosh/settings.json$", "^/var/vcap/data/jobs$", "^/var/vcap/data/packages$"],
  "heartbeat_interval": 600
}
You may want to change this configuration on the BOSH Director, but it is not synced with the FIM tile configuration, so it has to be changed separately from the tile. Editing filesnitch.conf by hand on the Director is not a durable fix either: BOSH renders that file from the fim job properties whenever the Director is redeployed, so a manual edit is overwritten.

This article introduces how to configure File Integrity Monitoring on BOSH Director.

Environment

Product Version: 2.0

Resolution

You have to re-install FIM on the BOSH Director with the modified configuration: delete the manifest operation that added the fim job, add it again with the new job properties, then Apply Changes.

First, delete the existing installation with the following om command, as described in the docs. FIM-GUID is the GUID of the manifest operation that added FIM to the Director (see below for how to look it up). Note that -k skips TLS certificate validation of the Ops Manager endpoint; leave it out when Ops Manager presents a certificate your host trusts. If you prefer not to put the Ops Manager credentials on the command line, om also reads them from the OM_TARGET, OM_USERNAME and OM_PASSWORD environment variables.
om  \
-k \
-t OPS-MANAGER-URL \
-u OPS-MANAGER-USERNAME \
-p OPS-MANAGER-PASSWORD \
curl -p "/api/v0/staged/director/manifest_operations/add_job_to_instance_group/FIM-GUID" \
-x DELETE

If FIM is deleted from the BOSH Director successfully, the API returns "204 No Content".

If you no longer have the FIM-GUID required for the DELETE above, list the staged manifest operations with the following om command and take it from the "guid" field of the entry that adds the fim job:
om  \
-k \
-t OPS-MANAGER-URL \
-u OPS-MANAGER-USERNAME \
-p OPS-MANAGER-PASSWORD \
curl -p "/api/v0/staged/director/manifest_operations/add_job_to_instance_group" \
-x GET

Finally, re-install FIM on the BOSH Director with the modified configuration using the following om command. In this example, compared with the defaults above, /home/bbr is added to dirs, output goes to stdout instead of syslog, the vendor field of the CEF format is vmware_tanzu, and heartbeat_interval is raised from 600 to 900:
om \
-k \
-t OPS-MANAGER-URL \
-u OPS-MANAGER-USERNAME \
-p OPS-MANAGER-PASSWORD \
curl -p "/api/v0/staged/director/manifest_operations/add_job_to_instance_group" \
-x POST \
-H "Content-Type: application/json" \
-d '{
        "add_job_to_instance_group": {
          "instance_group": "bosh",
          "job_name": "fim",
          "release_name": "fim",
          "release_url": "http://localhost:7070/fim-2.0.0.tgz",
          "release_sha1": "4*e*d5bdedb05**9eda1d5f6*4*9*f*a846eb*22",
          "job_properties": { "fim":
            {
              "dirs": ["/boot/grub", "/root", "/bin", "/etc", "/lib", "/lib32", "/lib64", "/opt", "/sbin", "/srv", "/usr", "/var/lib", "/var/vcap/bosh", "/var/vcap/monit/job", "/var/vcap/data/packages", "/var/vcap/data/jobs", "/home/bbr"],
              "outputs": ["stdout"],
              "format": "CEF:0|vmware_tanzu|fim|1.0.0|{{.OpType}}|file integrity monitoring event|{{.Severity}}| {{.KeyValues}}",
              "digests": [],
              "digest_threshold": 10000000,
              "hostname": "bosh/0",
              "ignored_patterns": ["^/etc/passwd.+$", "^/etc/shadow.+$", "^/etc/subgid.+$", "^/etc/subuid.+$", "^/etc/group.+$", "^/etc/gshadow.+$", "^/etc/hosts.+$", "^/var/vcap/bosh/log/.+$", "^/var/lib/logrotate/status.*$"],
              "low_severity_patterns": ["^/etc/passwd$", "^/etc/shadow$", "^/etc/subgid$", "^/etc/subuid$", "^/etc/group$", "^/etc/gshadow$", "^/etc/hosts$", "^/etc/mtab$", "^/var/lib/dhcp/dhclient.eth\\d+.leases$", "^/var/vcap/bosh/settings.json$", "^/var/vcap/data/jobs$", "^/var/vcap/data/packages$"],
              "heartbeat_interval": 900
            }
          }
        }
    }'

As you can see, the modified configuration taken from filesnitch.conf is pasted into the "job_properties": { "fim": { } } section. release_url and release_sha1 identify the FIM release tarball and must match the release used for the original installation (the SHA-1 is shown masked here).

You can also pass only the properties you want to change; every property you leave out keeps the default from the fim job spec. The following command, for example, only switches the output to stdout:
om \
-k \
-t OPS-MANAGER-URL \
-u OPS-MANAGER-USERNAME \
-p OPS-MANAGER-PASSWORD \
curl -p "/api/v0/staged/director/manifest_operations/add_job_to_instance_group" \
-x POST \
-H "Content-Type: application/json" \
-d '{
        "add_job_to_instance_group": {
          "instance_group": "bosh",
          "job_name": "fim",
          "release_name": "fim",
          "release_url": "http://localhost:7070/fim-2.0.0.tgz",
          "release_sha1": "4*e*d5bdedb05**9eda1d5f6*4*9*f*a846eb*22",
          "job_properties": { "fim":
            {
              "outputs": ["stdout"]
            }
          }
        }
    }'

After that, run Apply Changes in Ops Manager. The BOSH Director is redeployed and the new settings are rendered into /var/vcap/jobs/fim/filesnitch.conf on the Director; check that file afterwards to confirm the change took effect.
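The procedure above involves hand-pasting a large JSON document into a shell argument, where a typo in a property name or a regex pattern is only discovered at Apply Changes. The following script is an added example written for this article, not code from the FIM release or from Ops Manager: it reads a filesnitch.conf, applies overrides, validates the result against the property names shown above, writes the add_job_to_instance_group payload to a file, and pulls the GUID of the existing fim operation out of the GET response. It assumes filesnitch.conf is plain JSON (as shown above) and that the GET response's fim entry carries "guid" and "job_name" keys; the exact nesting of that response, the sample response itself, the trimmed sample config and the RELEASE-SHA1 placeholder are constructed for the example.

```python
# Added example for this article, not FIM's or Ops Manager's own code. Assumes
# filesnitch.conf is plain JSON and that the GET response's fim entry carries
# "guid" and "job_name" keys (nesting not relied on). Sample inputs are constructed.
import json
import re

# Property names the fim job accepts, taken from the article's filesnitch.conf.
FIM_PROPERTIES = {"dirs", "outputs", "format", "digests", "digest_threshold",
                  "hostname", "ignored_patterns", "low_severity_patterns",
                  "heartbeat_interval"}
LIST_PROPERTIES = {"dirs", "outputs", "digests", "ignored_patterns", "low_severity_patterns"}
INT_PROPERTIES = {"digest_threshold", "heartbeat_interval"}
REGEX_PROPERTIES = {"ignored_patterns", "low_severity_patterns"}

# Constructed sample: a trimmed copy of the article's default filesnitch.conf.
SAMPLE_FILESNITCH_CONF = r'''{
  "dirs": ["/boot/grub", "/root", "/etc", "/sbin", "/var/vcap/bosh"],
  "outputs": ["syslog"],
  "format": "CEF:0|cloud_foundry|fim|1.0.0|{{.OpType}}|file integrity monitoring event|{{.Severity}}| {{.KeyValues}}",
  "digest_threshold": 10000000,
  "ignored_patterns": ["^/etc/passwd.+$", "^/var/vcap/bosh/log/.+$"],
  "low_severity_patterns": ["^/etc/passwd$", "^/var/vcap/bosh/settings.json$"],
  "heartbeat_interval": 600
}'''

# Constructed sample of the GET response; the guids are made up.
SAMPLE_GET_RESPONSE = {"manifest_operations": [
    {"guid": "add-job-11111111", "operation_type": "add_job_to_instance_group",
     "add_job_to_instance_group": {"instance_group": "bosh", "job_name": "other-job"}},
    {"guid": "add-job-22222222", "operation_type": "add_job_to_instance_group",
     "add_job_to_instance_group": {"instance_group": "bosh", "job_name": "fim"}},
]}


def load_conf(text):
    """Parse filesnitch.conf, which is plain JSON, and validate it."""
    return validate(json.loads(text))


def validate(conf):
    """Reject unknown keys, wrong types and patterns that do not compile. Python's re
    is not Go's regexp, but fim's anchored path patterns are valid in both."""
    unknown = set(conf) - FIM_PROPERTIES
    if unknown:
        raise ValueError("unknown fim properties: %s" % sorted(unknown))
    for key, value in conf.items():
        if key in LIST_PROPERTIES and not isinstance(value, list):
            raise ValueError("%s must be a list" % key)
        if key in INT_PROPERTIES and not isinstance(value, int):
            raise ValueError("%s must be an integer" % key)
        for pattern in (value if key in REGEX_PROPERTIES else []):
            try:
                re.compile(pattern)
            except re.error as exc:
                raise ValueError("%s: bad pattern %r: %s" % (key, pattern, exc))
    return conf


def merge_overrides(base, overrides):
    """Copy of base with overrides applied. A list override replaces the whole
    list (no per-element merge), so include every entry you want to keep."""
    merged = dict(base)
    merged.update(overrides)
    return validate(merged)


def build_payload(conf, release_url, release_sha1, instance_group="bosh"):
    """The request body shown in the article, with conf under job_properties."""
    return {"add_job_to_instance_group": {
        "instance_group": instance_group, "job_name": "fim", "release_name": "fim",
        "release_url": release_url, "release_sha1": release_sha1,
        "job_properties": {"fim": conf}}}


def _adds_fim_job(node):
    # True if any nested object declares job_name == "fim".
    if isinstance(node, dict):
        return node.get("job_name") == "fim" or any(map(_adds_fim_job, node.values()))
    return isinstance(node, list) and any(map(_adds_fim_job, node))


def find_fim_guid(response):
    """Return the guid of the manifest operation that adds fim, or None."""
    if isinstance(response, dict) and "guid" in response and _adds_fim_job(response):
        return response["guid"]
    if isinstance(response, dict):
        response = list(response.values())
    for child in (response if isinstance(response, list) else []):
        guid = find_fim_guid(child)
        if guid:
            return guid
    return None


if __name__ == "__main__":
    base = load_conf(SAMPLE_FILESNITCH_CONF)
    # The article's example changes: also watch /home/bbr and slow the heartbeat.
    conf = merge_overrides(base, {"dirs": base["dirs"] + ["/home/bbr"], "heartbeat_interval": 900})
    payload = build_payload(conf, "http://localhost:7070/fim-2.0.0.tgz", "RELEASE-SHA1")  # sha1 masked in article
    with open("fim-payload.json", "w") as fh:
        json.dump(payload, fh, indent=2)
    print("guid to DELETE first:", find_fim_guid(SAMPLE_GET_RESPONSE))
    print('wrote fim-payload.json; POST it with -d "$(cat fim-payload.json)"')
```

Run it, DELETE the printed GUID as in the first command above, then POST the file with `om ... curl -p "/api/v0/staged/director/manifest_operations/add_job_to_instance_group" -x POST -H "Content-Type: application/json" -d "$(cat fim-payload.json)"`. Keeping the payload in a file avoids shell quoting mistakes and gives you something to diff against the rendered filesnitch.conf on the Director after Apply Changes.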