File Integrity Monitoring


Configure the FIM module

Whenever the FIM module runs a scan, it triggers an alert for each file it finds modified, and the alert details depend on which file attributes changed. You can view these alerts in the Argus dashboard.

The following steps show how to configure the FIM module to monitor a file and a directory. Replace <FILEPATH_OF_MONITORED_FILE> and <FILEPATH_OF_MONITORED_DIRECTORY> with your own file paths.

  1. Add the following settings to the Argus agent configuration file, replacing the <directories> values with your own file paths:
  • Linux: /var/ossec/etc/ossec.conf 
  • Windows: C:\Program Files (x86)\ossec-agent\ossec.conf 
  • macOS: /Library/Ossec/etc/ossec.conf 

<syscheck>
  <directories><FILEPATH_OF_MONITORED_FILE></directories>
  <directories><FILEPATH_OF_MONITORED_DIRECTORY></directories>
</syscheck>

  2. Restart the Argus agent with administrator privileges to apply the configuration change:
  • Linux: systemctl restart Argus-agent 
  • Windows: Restart-Service -Name Argus 
  • macOS: /Library/Ossec/bin/Argus-control restart 

Use cases

The Argus FIM module monitors directories to detect file changes, additions, and deletions. This module is useful for monitoring important files on endpoints. You can use the FIM module for several purposes, such as change management processes, regulatory compliance, and detecting cyberattacks. Below are examples of some use cases of the Argus FIM module.

  • Detecting a malware persistence technique
  • Detecting account manipulation 
  • Monitoring files at specific intervals 
  • Reporting file changes 
  • Monitoring configuration changes 

Detecting a malware persistence technique

Adversaries can establish persistence by placing a malicious script or program in the Windows startup folder, which automatically executes whenever a user logs in to the system. By using the Argus FIM module to monitor the startup folder, you can detect any suspicious or unauthorized programs that may have been added, enabling you to take corrective action to eliminate them before they can compromise your endpoint.  

Configuration 

Argus monitors the startup folder automatically without requiring any user action. By default, the Argus configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf uses the following setting to monitor the startup folder: 

<syscheck>
  <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
</syscheck>

Detecting account manipulation 

Account manipulation involves the creation, modification, or deletion of user accounts or credentials within an organization’s IT environment. Monitoring these activities is essential for maintaining cybersecurity, as unauthorized account changes can provide attackers with access to sensitive systems and data. 

To maintain persistence on a victim endpoint, adversaries can alter the SSH authorized_keys file on Linux. This file lives in the .ssh directory inside the user's home directory; for a user named smith, it is located at /home/smith/.ssh/authorized_keys. The file lists the public keys that are allowed to log in as this user, one key per line.

You can configure the Argus FIM module to monitor the authorized_keys file. This triggers an alert whenever a user or process modifies the public keys in the file. Detecting the modification of the SSH keys allows you to take action before a system compromise occurs. 

Configuration 

Perform the following steps to configure the FIM module to monitor SSH key modification. 

  1. Edit the /var/ossec/etc/ossec.conf configuration file and add authorized_keys for monitoring: 

<syscheck>
  <directories whodata="yes">/home/*/.ssh/authorized_keys</directories>
</syscheck>

  2. Restart the Argus agent to apply the configuration:

systemctl restart Argus-agent 

Monitoring files at specific intervals 

Compliance with regulatory standards and laws, such as PCI DSS, requires monitoring access and detecting changes to: 

  • Critical files 
  • Configuration files 
  • Content files 

This is important for protecting an organization’s critical assets and data and detecting potential security breaches. 

You can run scheduled scans with the FIM module to detect file modifications. In this example, the file is user_details.txt, and you schedule FIM to scan the file every 5 minutes. 

Configuration 

Perform the following steps to configure the FIM module to monitor a user_details.txt file every 5 minutes. 

  1. Create a text file user_details.txt and save it in the Documents directory.
  2. Edit the Argus agent /var/ossec/etc/ossec.conf configuration file and add the user_details.txt file for monitoring:

<syscheck>
  <frequency>300</frequency>
  <directories>/Users/*/Documents/user_details.txt</directories>
</syscheck>

  3. Restart the Argus agent to apply the configuration:

/Library/Ossec/bin/Argus-control restart 

Reporting file changes 

The functionality to report changes made to a file allows you to confirm the implementation of changes to an application or system. For example, if you change an application configuration file, the FIM capability reports the specific changes made to the file and shows the state before and after the change. 

Having a record of file changes might be useful for troubleshooting issues or for auditing purposes. By providing visibility into file changes, the FIM capability plays a crucial role in effective change management. 

Configuration 

Perform the following steps to configure the FIM module to report changes made to a file. The configuration reports changes made to files in /appfolder except for the private-file.conf file. 

  1. Edit the /var/ossec/etc/ossec.conf configuration file and add the configuration below. This sets /appfolder for monitoring and makes an exception in reporting changes for /appfolder/private-file.conf using nodiff: 

<syscheck>
  <directories realtime="yes" report_changes="yes">/appfolder</directories>
  <nodiff>/appfolder/private-file.conf</nodiff>
</syscheck>

  2. Restart the Argus agent to apply the configuration changes:

systemctl restart Argus-agent 
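As an added illustration (this is example code, not part of Argus), the following Python script mirrors what the /appfolder configuration above asks the module to do: a baseline scan records size, modification time and the MD5/SHA1/SHA256 sums of each file together with a copy of its content, a second scan classifies every path as added, modified or deleted, and modified files get a before/after diff unless they are listed in nodiff. The directory layout and file contents are constructed in a temporary directory.

```python
import difflib
import hashlib
import pathlib
import tempfile

def snapshot(path):
    """What check_all records per file (size, mtime, MD5/SHA1/SHA256) plus the body,
    which is the copy report_changes keeps so a later scan can diff against it."""
    data = path.read_bytes()
    rec = {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}
    rec.update(size=len(data), mtime=int(path.stat().st_mtime), content=data)
    return rec

def scan(root):
    """One FIM pass over a monitored directory: one snapshot per regular file."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): snapshot(p) for p in root.rglob("*") if p.is_file()}

def compare(before, after, nodiff=()):
    """Classify paths as added/modified/deleted; modified files get a before/after
    unified diff unless they are listed in nodiff (the report_changes exception)."""
    events = {}
    for path in sorted(set(before) | set(after)):
        if path not in before or path not in after:
            events[path] = {"event": "added" if path not in before else "deleted"}
            continue
        changed = [a for a in before[path] if a != "content" and before[path][a] != after[path][a]]
        if not changed:
            continue  # no recorded attribute changed: no alert
        events[path] = {"event": "modified", "changed": changed}
        if path not in nodiff:
            old = before[path]["content"].decode(errors="replace").splitlines(True)
            new = after[path]["content"].decode(errors="replace").splitlines(True)
            events[path]["diff"] = "".join(difflib.unified_diff(old, new, "before", "after"))
    return events

def demo():
    """Constructed scenario mirroring the /appfolder setup above, run in a temporary dir."""
    with tempfile.TemporaryDirectory() as root:
        write = lambda name, text: pathlib.Path(root, name).write_text(text)
        write("app.conf", "port=8080\n")
        write("private-file.conf", "api_key=old\n")
        write("stale.txt", "x\n")
        before = scan(root)                           # first scan is the baseline
        write("app.conf", "port=9090\n")              # setting changed: diff is reported
        write("private-file.conf", "api_key=new\n")   # nodiff file: change seen, no diff
        write("dropped.sh", "echo hi\n")              # file added
        pathlib.Path(root, "stale.txt").unlink()      # file deleted
        return compare(before, scan(root), nodiff=("private-file.conf",))
```

Note that the size of app.conf does not change in this scenario, so it is the hash sums that flag the modification; this is why check_all keeps hashes alongside size and mtime.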

Monitoring configuration changes 

Tracking configuration changes establishes accountability by linking modifications to specific systems and applications to the individuals responsible. By maintaining a detailed record of changes and the personnel involved, organizations can ensure that all alterations are properly authorized and documented. 

You can configure the FIM module to monitor configuration files and report any changes. The Argus FIM module uses the whodata and report_changes attributes to record the following information about such changes: 

  • The login user that made the changes
  • The time of the changes
  • The process that the user executed
  • The changes made to the file

Configuration 

Perform the following steps to configure the FIM module to monitor the /etc/app.conf file and report changes. 

  1. Create a file app.conf in the /etc directory: 

touch /etc/app.conf 

  2. Edit the /var/ossec/etc/ossec.conf configuration file and add the configuration below:

<syscheck>
  <directories check_all="yes" report_changes="yes" whodata="yes">/etc/app.conf</directories>
</syscheck>

  3. Restart the Argus agent to apply the configuration changes:

systemctl restart Argus-agent 

Windows Registry monitoring 

The Windows Registry is a critical component of the operating system, serving as a database that holds configuration details for software and hardware installed on Microsoft Windows. When a new program is installed, Windows creates a subkey in the registry that contains information such as the program’s location, version, and startup instructions. 

Unauthorized or unexpected changes to the registry can lead to system instability, application malfunctions, or security vulnerabilities. Attackers may alter registry keys to run malicious code or maintain persistence on the system. Legitimate software updates may also modify registry settings, making it crucial to monitor these changes to ensure system stability and security. 

The Argus FIM module periodically scans the Windows Registry and generates an alert whenever it detects any modifications. 

Configuration 

To configure the FIM module, you must specify the registry keys that FIM monitors for creation, modification, and deletion. You do this in the same way you list directories and files, but using the <windows_registry> option instead.

You can use the * and ? wildcards when configuring Windows Registry keys. Use them in the same way you would in a shell or Windows command prompt (cmd) when listing files. For example:

<syscheck>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\SOFTWARE\*</windows_registry>
  <windows_registry arch="both">HKEY_CURRENT_CONFIG\S?????</windows_registry>
  <windows_registry arch="both">HKEY_USERS\S-?-?-??\*</windows_registry>
</syscheck>

The FIM module supports several configuration options for monitoring Windows Registry entries. For example, you can enable all the basic checks with the check_all attribute, or find the information about the specific change made to a registry entry with the report_changes attribute. 

In this guide, you can see different configuration options that you can apply to monitor the Windows Registry. 

Record Windows Registry attributes 

You can specify the Windows Registry keys to monitor using the windows_registry option. This option supports several attributes. This section explains the following attributes. 

  • check_all: The allowed values for the check_all attribute are yes and no. This option is enabled by default. It records:
    • File size
    • Last modification date
    • MD5, SHA1, and SHA256 hash sums
  • check_sum: Records the MD5, SHA1, and SHA256 hashes of the Windows Registry values. The allowed values for the check_sum attribute are yes and no.
  • check_mtime: The check_mtime attribute allows the FIM module to record the modification time of the Windows Registry keys and values. The allowed values for the check_mtime attribute are yes and no.

Follow these steps to configure the FIM module with the following settings:

  • Record the last modification date and all the file hashes of the HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey1 registry key.
  • Disable the recording of file hashes (MD5, SHA1, and SHA256) of the HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey2 registry key.
  • Disable the recording of the modification time of the HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey3 registry key.

  1. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file and add the configuration below:

<syscheck>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey1</windows_registry>
  <windows_registry check_sum="no">HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey2</windows_registry>
  <windows_registry check_mtime="no">HKEY_LOCAL_MACHINE\Software\Classes\batfile\TestKey3</windows_registry>
</syscheck>

  2. After configuring these attributes, restart the Argus agent using PowerShell with administrator privileges to apply the changes:

Restart-Service -Name Argus 

You can configure the maximum recursion level allowed for a Windows Registry entity with the recursion_level attribute of the windows_registry option. The allowed values for this attribute are any integer between 0 and 512. 

Follow these steps to set the recursion_level of HKEY_LOCAL_MACHINE\SYSTEM\Setup to 3. 

  1. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file and add the configuration below: 

<syscheck>
  <windows_registry recursion_level="3">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
</syscheck>

  2. After setting the recursion level, restart the Argus agent to apply the configuration:

Restart-Service -Name Argus 

When using the following registry structure and recursion_level="3", FIM generates alerts for Subkey_3 and all registry subkeys or values up to HKEY_LOCAL_MACHINE\SYSTEM\Setup\level_1\level_2\level_3\, but not for any registry subkeys or values deeper than level_3.

HKEY_LOCAL_MACHINE\SYSTEM\Setup
├── Subkey_0
└── level_1
    ├── Subkey_1
    └── level_2
        ├── Subkey_2
        └── level_3
            ├── Subkey_3
            └── level_4
                ├── Subkey_4
                └── level_5
                    └── Subkey_5

To disable recursion and generate alerts only for the registry values directly inside the monitored registry key, set the recursion_level value to 0.

Reporting changes in registry values 

To report the exact content changed in a Windows Registry value, you can configure the FIM module with the report_changes attribute of the windows_registry option. The allowed values are yes and no and the supported registry value types are: 

  • REG_SZ 
  • REG_MULTI_SZ 
  • REG_DWORD 
  • REG_DWORD_BIG_ENDIAN 

You must use the report_changes attribute with caution. Argus copies every monitored entry to the C:\Program Files (x86)\ossec-agent\queue\diff\registry directory, which increases storage usage.

Follow these steps to configure the FIM module to report changes made to the HKEY_LOCAL_MACHINE\SYSTEM\Setup key.

  1. Create a subkey Custom Key under the HKEY_LOCAL_MACHINE\SYSTEM\Setup registry key.
  2. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file and add the configuration below:

<syscheck>
  <frequency>300</frequency>
  <windows_registry report_changes="yes">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
</syscheck>

  3. Restart the Argus agent to apply the configuration:

Restart-Service -Name Argus 

  4. Modify the Custom Key subkey and add a new string value FIM with the data cmd.
  5. Wait 5 minutes, the scan frequency configured above, for the FIM scan to run.

Adding exclusions 

You can configure the FIM module to ignore certain Windows Registry keys with the registry_ignore option. Each registry_ignore entry declares a single Windows Registry entry; to ignore several, add one registry_ignore line per entry.

Follow these steps to configure the FIM module to exclude the HKEY_LOCAL_MACHINE\Security\Policy key and any Windows Registry entry that matches the simple regex pattern \Enum$ from FIM results.

  1. Add this configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf configuration file of the Argus agent: 

<syscheck>
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  <registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>

  2. Restart the Argus agent to apply the configuration:

Restart-Service -Name Argus 
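The following Python script is an added example, not Argus code. It parses a constructed <syscheck> fragment that combines options from the file and registry sections above (directories with report_changes and nodiff, windows_registry with recursion_level, registry_ignore in plain and sregex form), lists the monitored entries, applies three sanity checks that are this example's own rather than documented Argus behaviour, and tests whether a registry key path would be excluded by registry_ignore or matched by a wildcard <windows_registry> entry. The sregex handling is reduced to optional ^ and $ anchors around a literal, which is an assumption that covers the \Enum$ pattern used in this guide.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment combining options from this guide (one deliberate error).
SAMPLE_CONF = r"""<ossec_config><syscheck>
  <frequency>300</frequency>
  <directories realtime="yes" report_changes="yes">/appfolder</directories>
  <nodiff>/appfolder/private-file.conf</nodiff>
  <directories check_all="yes" report_changes="yes" whodata="yes">/etc/app.conf</directories>
  <windows_registry recursion_level="3">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
  <windows_registry arch="both" recursion_level="600">HKEY_LOCAL_MACHINE\Software\*</windows_registry>
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  <registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck></ossec_config>"""

def lint_syscheck(xml_text):
    """Parse <syscheck>; return (entries, warnings, ignores). The two checks are this
    example's own: recursion_level within 0-512, and report_changes paths covered by a nodiff."""
    sc = ET.fromstring(xml_text).find("syscheck")
    entries, warnings = [], []
    nodiff = [n.text for n in sc.findall("nodiff")]
    for el in [*sc.findall("directories"), *sc.findall("windows_registry")]:
        target = el.text.strip()
        entries.append((el.tag, target, dict(el.attrib)))
        lvl = el.get("recursion_level")
        if lvl is not None and not (lvl.isdigit() and int(lvl) <= 512):
            warnings.append(f"{target}: recursion_level must be 0-512, got {lvl!r}")
        if el.tag == "directories" and el.get("report_changes") == "yes" \
                and not any(n.startswith(target) for n in nodiff):
            warnings.append(f"{target}: report_changes=yes without a nodiff exception")
    ignores = [(i.text, i.get("type", "plain")) for i in sc.findall("registry_ignore")]
    return entries, warnings, ignores

def is_ignored(key, ignores):
    """registry_ignore test: plain entries match the whole path, sregex entries are reduced
    here to optional ^/$ anchors around a literal (an assumption); case-insensitive."""
    for pat, kind in ignores:
        if kind == "sregex":
            rx = ("^" * pat.startswith("^")) + re.escape(pat.strip("^$")) + ("$" * pat.endswith("$"))
            hit = re.search(rx, key, re.IGNORECASE) is not None
        else:
            hit = key.lower() == pat.lower()
        if hit:
            return True
    return False

def matches_entry(pattern, key):
    """Shell-style * and ? wildcards as used in <windows_registry> entries (case-insensitive)."""
    return fnmatch.fnmatchcase(key.lower(), pattern.lower())
```

Running lint_syscheck on SAMPLE_CONF flags the out-of-range recursion_level and the /etc/app.conf entry that reports diffs with no nodiff exception, while /appfolder passes because its nodiff covers private-file.conf.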

Use case: Detect malware persistence in Windows Registry 

Malware persistence in the Windows Registry is a tactic used by attackers to ensure that their malicious programs are executed each time the system starts or reboots. This is typically achieved by adding the malicious programs to the “Run” or “RunOnce” keys in the Registry. 

Using the Argus FIM module, you can identify any suspicious or unauthorized entries in these startup registry keys, enabling you to take swift action to remove them before they can harm your system. 

Configuration 

Argus monitors the startup registry keys automatically, out of the box, without requiring any special user action or configuration. By default, the Argus agent configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf uses the following setting to monitor the startup registry keys:

<syscheck>
  <frequency>300</frequency>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
</syscheck>
