What to watch with your FIM?
A few days ago, one of our readers posted a message in the general discussion forum about FIM (“File Integrity Monitoring”) and, more precisely, which files/directories to monitor. Just a brief introduction for those who are not aware of File Integrity Monitoring: it's a security control that validates the integrity of the files present on a file system against a baseline taken from a known-good state of that system. The comparison with the baseline relies primarily on file hashes, but not only: other file attributes can be monitored as well, such as the owner, the access rights (permissions) or the last modification time.
This control is implemented via processes and enforced with tools. Like most information security tools, it's just… a dumb tool! The challenge is to configure it the right way to increase your chances of detecting malicious activity. Available tools are delivered with baselines for standard environments but must be fine-tuned to match your own requirements. I think that it’s a good idea to share and discuss some ideas on this topic: What do you monitor with your FIM?
Basically, there are two types of data that you can watch:
- “System” files - They help you to detect if a server is compromised, if its configuration has been changed or if users are performing dangerous activities (like copying files or installing applications).
- “Data” files - Those are the files used by your “business”.
In the second case, it’s impossible to build a generic list of interesting files: they depend on your business. Here are some examples where a FIM might be helpful:
- Logging changes on a source repository (to track the developers' tasks)
- Logging changes on sensitive department shares (HR, accounting, …)
- Logging changes on public resources (like web servers, FTP servers)
The implementation of a FIM also has side effects. A classic issue is patching: by replacing system files, patches can generate a huge amount of false positives, so plan to re-baseline the monitored hosts (or at least correlate the alerts with your change window) after each patch run. From a system perspective, here is a non-exhaustive list of files/directories to monitor on UNIX/Windows systems:
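As an added example (not part of the diary, and not the logic of any particular FIM product) of how the patching problem can be handled rather than just tolerated: if the patch comes with a manifest of the files it replaces and their expected hashes, the FIM events can be sorted into changes the patch explains, changes to patched files whose hash is not what the patch ships, and changes the patch does not explain at all. The manifest format, the paths and the hashes below are constructed for illustration.

```python
"""Triage of FIM change events against a patch manifest.

Added example (not code from the diary or from any FIM product): the
manifest format, the event records and the hashes are constructed for
illustration. After a patch run, a change whose new hash matches what
the package says the file should be is expected; everything else still
deserves a look.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used only to build the sample data)."""
    return hashlib.sha256(data).hexdigest()


def triage(events, manifest):
    """Classify FIM events using the expected hashes of a patch.

    events:   list of dicts with keys 'event' ('added'/'modified'/'removed'),
              'path' and, for added/modified files, 'new_sha256'.
    manifest: {path: expected_sha256} for every file the patch ships.

    Returns a dict with three lists:
      'expected'    - file changed to exactly the hash the patch delivers
      'mismatch'    - file is part of the patch but its hash is NOT the
                      expected one (failed install, or a trojanised binary)
      'unexplained' - change to a file the patch does not touch
    """
    result = {"expected": [], "mismatch": [], "unexplained": []}
    for ev in events:
        path = ev["path"]
        if ev["event"] == "removed" or path not in manifest:
            # Patches replace files; deletions and untouched paths are
            # never explained by the manifest.
            result["unexplained"].append(path)
        elif ev["new_sha256"] == manifest[path]:
            result["expected"].append(path)
        else:
            result["mismatch"].append(path)
    return result


def rebaseline(baseline, manifest, triaged):
    """Fold only the *expected* changes into the baseline so the next scan
    does not alert on them again; mismatches and unexplained changes keep
    their old baseline value and stay visible until someone decides."""
    updated = dict(baseline)
    for path in triaged["expected"]:
        updated[path] = manifest[path]
    return updated


# --- constructed sample data (hypothetical patch, not a real package) ---
PATCH_MANIFEST = {
    "bin/ls": sha256_hex(b"ls v2 (patched)"),
    "lib/libc.so.6": sha256_hex(b"libc 2.x (patched)"),
}
OLD_BASELINE = {
    "bin/ls": sha256_hex(b"ls v1"),
    "lib/libc.so.6": sha256_hex(b"libc 2.x"),
    "etc/passwd": sha256_hex(b"root:x:0:0::/root:/bin/sh\n"),
}
SAMPLE_EVENTS = [  # what a FIM would report after the patch run
    {"event": "modified", "path": "bin/ls",
     "new_sha256": sha256_hex(b"ls v2 (patched)")},            # genuine update
    {"event": "modified", "path": "lib/libc.so.6",
     "new_sha256": sha256_hex(b"libc 2.x with extra code")},   # not what the patch ships
    {"event": "modified", "path": "etc/passwd",
     "new_sha256": sha256_hex(b"root:x:0:0::/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")},
]

if __name__ == "__main__":
    t = triage(SAMPLE_EVENTS, PATCH_MANIFEST)
    for bucket, paths in t.items():
        print(f"{bucket:12s} {paths}")
    print(rebaseline(OLD_BASELINE, PATCH_MANIFEST, t))
```

The "mismatch" bucket is the one to look at first: a file that the patch was supposed to replace but which ends up with a different hash is either a failed installation or something that replaced the binary under cover of the maintenance window.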
For UNIX systems:
- /etc
- /boot
- /bin
- /sbin
- /usr/bin
- /usr/sbin
- /usr/local/etc
- /usr/local/bin
- /usr/local/sbin
- /opt
- /var/opt
- /lib
- /usr/lib
- /var/lib
- /usr/local/lib
- /lib64
Specific files can be monitored:
- Executables in /tmp, /usr/local/tmp, /var/tmp
- Plain files in /dev
Others must be ignored (changing too often):
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/adjtime
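To make the mechanics concrete (a baseline of hash plus owner, mode, size and mtime; an ignore list for files that change too often; and the rule above about executables in temporary directories), here is an added example in Python. It is not code from the diary or from any FIM product; it scans a constructed throw-away directory tree rather than a real system, and the monitored and ignored paths are taken from the lists above, made relative to that tree.

```python
"""Minimal file-integrity baseline/compare.

Added example, not code from the diary or from any FIM product. The
sample tree built in demo() is constructed (fake /etc, /bin, /tmp) so
the script runs offline without touching the real system.
"""
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Attributes compared besides the content hash: permissions, owner, size, mtime.
TRACKED = ("sha256", "mode", "uid", "gid", "size", "mtime")
# Temp directories in which any executable is reported (rule from the post).
TMP_DIRS = ("tmp", "var/tmp", "usr/local/tmp")


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, monitor, ignore=()):
    """Walk the entries of `monitor` (relative to `root`) and record the
    tracked attributes of every regular file, skipping names that match an
    `ignore` glob. Returns {relative_posix_path: {attribute: value}}."""
    root = Path(root)
    snapshot = {}
    for rel in monitor:
        top = root / rel
        if not top.exists():
            continue
        files = [top] if top.is_file() else (p for p in top.rglob("*") if p.is_file())
        for p in files:
            key = p.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(key, pat) for pat in ignore):
                continue
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets are not hashed here
            snapshot[key] = {
                "sha256": _sha256(p),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return snapshot


def compare(baseline, current):
    """Diff two snapshots into (event, path, details) tuples: 'added',
    'removed', or 'modified' with the list of attributes that changed."""
    events = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            events.append(("added", key, current[key]))
        elif key not in current:
            events.append(("removed", key, baseline[key]))
        else:
            changed = [a for a in TRACKED if baseline[key][a] != current[key][a]]
            if changed:
                events.append(("modified", key, changed))
    return events


def executables_in_tmp(snapshot):
    """Any regular file under a temp directory with an execute bit set is
    reported, whether or not it was in the baseline."""
    return sorted(k for k, a in snapshot.items()
                  if any(k == d or k.startswith(d + "/") for d in TMP_DIRS)
                  and a["mode"] & 0o111)


def demo():
    """Constructed sample tree: baseline, then simulated activity, then compare."""
    root = Path(tempfile.mkdtemp())
    try:
        for rel, body in {"etc/passwd": "root:x:0:0::/root:/bin/sh\n",
                          "etc/mtab": "proc /proc proc rw 0 0\n",
                          "bin/ls": "#!/bin/sh\nls\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        (root / "tmp").mkdir()
        monitor, ignore = ["etc", "bin", "tmp"], ["etc/mtab"]
        before = scan(root, monitor, ignore)
        # Simulated activity between two scans.
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")
        (root / "etc/mtab").write_text("changes constantly, ignored\n")
        os.chmod(root / "bin/ls", 0o4755)          # setuid bit added, content intact
        (root / "tmp/dropper").write_text("#!/bin/sh\n")
        os.chmod(root / "tmp/dropper", 0o755)
        after = scan(root, monitor, ignore)
        return compare(before, after), executables_in_tmp(after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    events, tmp_hits = demo()
    for ev in events:
        print(ev)
    print("executables in temp dirs:", tmp_hits)
```

The setuid change on bin/ls is the reason hashes alone are not enough: the content hash is unchanged, and only the mode comparison catches it. Storing the snapshot off-host (or at least signing it) is the next step a real deployment needs, since an attacker who can alter /etc can also alter a baseline kept next to it.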
For Windows systems:
- %WINDIR%/win.ini
- %WINDIR%/system.ini
- C:\autoexec.ba
- C:\boot.ini
- %WINDIR%/System32
- %WINDIR%/regedit.exe
- C:\Documents and Settings/All Users/Start Menu/Programs/Startup
- C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup
On Windows, the registry contains many useful locations (autostart entries, service definitions, file-type handlers, Winlogon and policy settings) that most FIM tools can also monitor:
- HKEY_LOCAL_MACHINE\Software\Classes\cmdfile
- HKEY_LOCAL_MACHINE\Software\Classes\comfile
- HKEY_LOCAL_MACHINE\Software\Classes\exefile
- HKEY_LOCAL_MACHINE\Software\Classes\piffile
- HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects
- HKEY_LOCAL_MACHINE\Software\Classes\Directory
- HKEY_LOCAL_MACHINE\Software\Classes\Folder
- HKEY_LOCAL_MACHINE\Software\Classes\Protocols
- HKEY_LOCAL_MACHINE\Software\Policies
- HKEY_LOCAL_MACHINE\Security
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
- HKEY_LOCAL_MACHINE\Security\Policy\Secrets
- HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users \Enum$
The following ones can be ignored (changing too often):
- C:\WINDOWS/Debug
- C:\WINDOWS/WindowsUpdate.log
- C:\WINDOWS/iis6.log
- C:\WINDOWS/system32/wbem/Logs
- C:\WINDOWS/system32/wbem/Repository
- C:\WINDOWS/Prefetch
- C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
- C:\WINDOWS/SoftwareDistribution
- C:\WINDOWS/Temp
- C:\WINDOWS/system32/config
- C:\WINDOWS/system32/spool
- C:\WINDOWS/system32/CatRoot
Note that C:\WINDOWS/system32/config holds the registry hive files (SAM, SECURITY, SOFTWARE, SYSTEM), which are rewritten continuously; this is why the sensitive registry locations are watched through the keys listed above rather than as files on disk.
And you? What are you monitoring? Please share your configurations and tips!
Xavier Mertens
ISC Handler - Freelance Security Consultant