CorreLog® File Integrity Monitor (FIM) User Reference Manual

http://www.CorreLog.com mailto:[email protected]


CorreLog FIM, Page - 2

CorreLog FIM, User Reference Manual Copyright © 2008 - 2018, CorreLog, Inc. All rights reserved. No part of this manual shall be reproduced without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibilities for errors or omissions. Nor is any liability assumed for damages resulting from the use of this information contained herein.


Table of Contents

Section 1: Introduction ............ 5
Section 2: CorreLog FIM Installation ............ 11
Section 3: CorreLog FIM Usage ............ 17
Section 4: CO-Fmon Config File ............ 23
Section 5: Remote Configuration ............ 31
Appendix A: The CO-Fmon.cnf File ............ 41
Appendix B: The Report_FIM.bat File ............ 43


Section 1: Introduction

This document contains installation and application notes regarding the CorreLog File Integrity Monitor (CorreLog FIM), a compact set of software tools that instrument a Windows Vista, XP, or 20XX operating system to continuously check the integrity of selected files. This permits the CorreLog Security Correlation Server to effectively check whether files have changed anywhere on a managed Windows platform.

The File Integrity Monitor executes as a separate process on each managed Windows platform. Periodically (by default each hour) this process scans all the files on the system as specified by its configuration file. If any file has been added, deleted, or modified, the file name is recorded, and a Syslog message is sent to the main CorreLog Server. At the CorreLog Server, the operator can create (or recreate) a file image, inspect the list of changed files, and set FIM parameters.

The CorreLog FIM is very lightweight and easy to install. The program should be installed on each Windows platform of interest in an organization or enterprise. If you are unfamiliar with Syslog protocol as a management technique, refer to the CorreLog User Reference Manual, which contains a comprehensive description of Syslog functionality. If you wish to get started immediately with the installation of the CorreLog FIM, see the Fast Start notes at the end of this section.


CorreLog Windows Tool Set (FIM) Overview

The CorreLog File Integrity Monitor (FIM) is a collection of executables and files that provide extra security at a managed Windows server. The File Integrity Monitor is installed in a fashion similar to the CorreLog Windows Agent and WTS, and operates as a standard Windows service. Periodically, the system scans all the files specified by a configuration file, and sends Syslog messages to the CorreLog Server when files are added, deleted, or modified on the system.

At the CorreLog Server, the user can configure the schedule of execution for the process, can generate an Image File (containing a baseline listing of files), and can run on-demand checks of the file system. Additionally, the operator can inspect the list of managed files, and any changes detected during the last scan of files. The CorreLog FIM consists of the following parts.

• CorreLog File Monitor Agent. (FIM Agent.) This is a compact but powerful Windows service that is installed on each managed platform. The service periodically scans the file system to detect new, modified, or deleted files, and sends Syslog messages to the CorreLog Server when file changes are detected. The service executes on any 20XX server, as well as earlier Windows versions.

• CorreLog Server Web Interface. This screen is added to the CorreLog Server, and is accessed via the "Device Information" screen (by clicking on the hyperlink of an IP address anywhere within CorreLog.) The screen permits the user to view the list of managed files, and the status of the File Integrity Monitor's execution.

• CorreLog Remote Configuration Utility. This is a stand-alone program that permits the user to download and upload the configuration file of the CorreLog FIM service, so that batch configuration of these programs can be remotely performed.

The above programs are documented in this manual, including installation and configuration, along with extra application notes that describe how to perform advanced configuration of the system.

Program Features

The CorreLog FIM is designed to support the enterprise requirements for security, with special regard to PCI/DSS (as well as other) security guidelines. The program is easy to install and use, and contains the following specific features and functions.


• Fast File Scans. The File Integrity Monitor is designed to monitor large numbers of files quickly and non-intrusively. The program will typically scan 10,000 files within one or two minutes, permitting hourly checks of file integrity.

• Ability To Monitor Files By Directory. The File Integrity Monitor is easy to configure, and allows the user to specify files by directory, including the ability to match and exclude files by directory name, file suffix, file prefix, or other keywords. This allows an operator to precisely target special files on the managed system.

• Ability To Perform File Checksums. The File Integrity Monitor checks the file creation time, modify time, and file size to determine whether a file has been modified on the system. As an additional feature, the user can enable the calculation of checksums on each file to check whether any single bit in the file has been changed.

• Ability To Tune CPU Usage. The File Integrity Monitor allows the user to throttle the amount of CPU used by the process, as well as schedule the execution hourly, or daily. This permits the system to operate non-intrusively.

• Remote Configuration Capabilities. The File Integrity Monitor allows the user to remotely access and adjust (with authentication) the program configuration data, permitting the user to make changes to the file integrity monitor while it is running. Additionally, the user can obtain real-time status from the File Integrity Monitor, to view the remote status and state of the program.

• Support for 64 Bit Platforms. The File Integrity Monitor supports both 32-bit and 64-bit platform architectures. On 64-bit systems, the File Integrity Monitor accesses the "%windir%\system32" folder via the standard "%windir%\sysnative" folder found on Windows 2008 and newer operating systems.

The CorreLog FIM, Fast Start

The remainder of this manual deals with the various aspects of the CorreLog File Integrity Monitor software in detail. For those users wishing a quick start, the following information will get the CorreLog FIM software up and running as quickly as possible on a Windows platform, permitting you to immediately begin using the program.


• The CorreLog FIM Software is included in the CorreLog Server distribution in the "CorreLog\s-doc" directory, with the name "fi-agent.exe". This is a signed and self-extracting zip file.

• At the managed platform, after downloading the appropriate FIM package, the operator executes the self-extracting WinZip file, and extracts files to the desired location, by default the C:\CorreLog directory of the platform.

• When the files are extracted, the FMON Agent installation dialog automatically starts. The user needs to provide only one argument to the installation dialog, which is the destination hostname or IP address of the Syslog server running on the network. (This will generally be the hostname or IP address of the platform running the CorreLog Server software.)

• When the dialog finishes, the CorreLog FMON Agent is installed and started. The user can check the Syslog file of the destination host to verify that a Syslog message was correctly sent and received. The platform does not need to be rebooted.

• The user can optionally configure each FMON Agent at the CorreLog Server by clicking on the IP address hyperlink of the device anywhere within CorreLog, and then clicking "File Integrity Monitor". (See Section 4.)

The installation steps outlined above will usually take about one minute or so to complete for each managed platform. An “Administrator” type login is required. If the installation fails (for example, if the installer mistypes the destination hostname or IP address) the installation procedure can be run again without running the uninstall program.

Fast Start, Workflow Overview

Once the CorreLog FMON Agent is installed, a simple workflow is used to maintain the integrity of files.

• At periodic intervals, messages are generated on the system indicating the status of files on a managed system. The operator sees these indications by looking for the summary status of file scans and/or individual messages indicating that files have been added, deleted, or changed. This may include generation of tickets and e-mail notifications when files are changed.

• When a file change indication is received, the user clicks down on the IP address of the remote device (appearing anywhere in CorreLog) and then clicks on the "File Integrity Monitor" hyperlink on the "Device Information" screen. This displays the "File Integrity Monitor" screen (discussed in Section 5 of this manual.)

• On the "File Integrity Monitor" screen, the user inspects the list of changes by clicking on the "View File Change List" hyperlink at the upper left of the screen.

• The operator resolves any differences in the file system by removing or installing files on the managed system.

• The operator creates a new Image File by clicking on the "Config" button of the File Integrity Monitor screen, and then clicking "Create New Image File". This causes a new image file to be generated that includes any changes accepted by the operator.

The above process is the typical workflow of the operator, used to resolve changes to files on the managed platform. Other workflows (such as automatically generating new Image Files for the target platform) are also available, and will depend upon the requirements of the organization. Future sections will describe in detail the various other features, adaptations, customizations, and applications associated with the CorreLog FIM system. The reader is encouraged to experiment with the system. In particular, almost all of the information required to understand the essentials of the CorreLog FIM system has now been explained. You can begin monitoring your system file integrity information right now!


Section 2: CorreLog FIM Installation

The CorreLog FIM is usually delivered as a self-extracting WinZip file, and contains install and uninstall programs residing in the “wintools” directory of the CorreLog root directory. The install program normally starts after files are extracted. To uninstall the system, the operator accesses the Windows “Add / Remove” programs application, and clicks on the “CorreLog Syslog Agent” entry.

The 32-bit version can be executed on a 64-bit platform, and accesses the "system32" folder (normally accessible only to 64-bit applications) using the standard "sysnative" path, as documented by Microsoft in various locations.

CorreLog FIM is specifically designed not to scatter DLL or other files into system directories. All files within the CorreLog directory reside in the CorreLog root directory, by default C:\CorreLog (although this directory may be specified differently when extracting files). CorreLog is uninstalled via the standard Windows “Add / Remove” programs screen (or the "Program Features" screen on Vista platforms). Additionally, if the user stops the CorreLog Syslog Message service, the entire CorreLog directory can simply be dragged and dropped into the Windows “Recycle Bin”, which effectively discards the entire installation. (Note, however, that this still leaves the service entry for CorreLog within the Windows Service Manager, which is normally cleaned up by the Uninstall procedure.)


CorreLog FIM System Installation Requirements

The CorreLog FMON Agent programs are non-invasive, and can be installed on a variety of Windows platforms and operating systems. An “Administrator” login is required to install the software. Specific system requirements of the CorreLog Server are described below.

• Disk Space. The CorreLog FIM has a small disk footprint of less than 0.5 Mbytes. The program should generally NOT be installed on a network drive. If possible, the program should be consistently installed in its default location of C:\CorreLog, which may assist technical support personnel.

• CPU Requirements. The CorreLog FIM makes minimal use of CPU, and can co-exist with other server components and applications. The actual CPU requirements will typically be much less than 1%, even under heavy load.

• TCP Connectivity. The CorreLog FIM cannot be installed on a platform that does not have TCP connectivity. (This will typically not be a problem, but may occur in certain evaluation and test scenarios.) The program works with any normal network interface card.

• Service Ports. The CorreLog FMON Agent programs require access to the UDP 514 port of the configured destination host, which may require modifications to firewalls and port blockers. Additionally, FMON Agent programs will listen at TCP 55515 for optional remote configuration requests.

• Other Dependencies. The CorreLog FIM agent requires that the Windows Agent be installed first. The installer should install the Windows Agent before installing the CorreLog FIM agent. If the FIM software is installed without it, an error message is displayed prompting the user to install the Windows Agent first.

Note: Configuration of the FMON Agent program is greatly simplified by permitting access to port 55515 on the managed platform from the CorreLog Server. This permits the "Remote Configuration" dialog of the CorreLog Server to access and configure the FMON Agent service, as explained in later sections. If possible, this port should be open between each FMON Agent and the CorreLog Server.

To ensure proper installation of the program, the user should close all windows, and temporarily disable any port blocking or Virus Scan software on the system. A reboot after installation is not required.


Basic Installation Steps

There are various ways to install the FMON Agent and CorreLog Server. The steps below provide one basic method of installing the software on various managed platforms. As part of the installation planning, users are encouraged to contact CorreLog support engineers for discussion and recommendations of alternative installation techniques.

First, the user must install the software at the CorreLog Server. Once this software is installed, the operator then installs each FMON Agent package on the various managed platforms, using a technique similar to the Windows WTS installation, as described below:

1. Obtain the main File Integrity Monitor installation package. This package is provided in the "s-doc" directory of the CorreLog Server as a self-extracting WinZip archive. The "s-doc\fi-agent.exe" program is a 32-bit version of the program, appropriate for both X32 and X64 architectures. If executing on an X64 platform, the operating system MUST be Windows 2008 or higher.

2. Log in to the CorreLog Server platform with Administrative permissions and transfer the correct executable to a target platform, such as via a shared disk, or using the following URL at the target platform: http://server/s-doc/fi-agent.exe

The "s-doc" directory of the CorreLog Server can be accessed via the CorreLog HTTP server, and corresponds to the "/s-doc" URL. This allows you to download any file in the "s-doc" directory to a machine using a standard web browser.

3. After copying or downloading the appropriate CorreLog FMON Agent package, execute the self-extracting WinZip file, and extract files to the target directory, by default the C:\CorreLog directory.

4. When the self-extracting WinZip file completes, the automatic installation procedure starts. The installation dialog for the program is depicted below. The user must view the license agreement and click the check box in order to proceed to the next screen.


5. Follow the prompts of the automatic installation procedure. A single value is required from the user, on the second screen of the dialog, which is the hostname or IP address of the machine running the Syslog server (normally the CorreLog Server.)

6. When the installation is complete, the CO-Fmon.exe program is installed and running. On startup, this process sends a single Syslog message to the configured destination host. Check that host to verify a message was correctly sent and received.

The entire installation process will normally take only one minute or so. No other steps are needed to install and start the program.
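The final check in step 6 (a startup Syslog message that the destination host must receive on UDP 514) is easier to verify when the wire format is in hand. The following is an added example, not CorreLog code: the manual does not show the agent's message layout, so this uses the generic BSD syslog format (RFC 3164) and proves delivery with a loopback UDP receiver on an ephemeral port. The host name winhost01, the tag CO-Fmon and the message text are constructed; sending to a real server means replacing the loopback address with the Syslog host's IP and port 514.

```python
import re
import socket
from datetime import datetime

# Constructed example, not CorreLog's code. BSD syslog (RFC 3164) layout:
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG      with PRI = facility*8 + severity
FACILITY_USER = 1
SEVERITY_NOTICE = 5

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def build_syslog_datagram(hostname: str, tag: str, message: str,
                          facility: int = FACILITY_USER,
                          severity: int = SEVERITY_NOTICE,
                          when: datetime = None) -> bytes:
    """Encode one BSD-style syslog line as a UDP payload (max 1024 bytes)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    when = when or datetime.now()
    # RFC 3164 timestamp: month abbreviation, space-padded day, 24h time.
    stamp = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    line = f"<{pri}>{stamp} {hostname} {tag}: {message}"
    return line.encode("ascii", errors="replace")[:1024]


def parse_syslog_datagram(data: bytes) -> dict:
    """Receiver side: split PRI, timestamp, host, tag and message; reject junk."""
    text = data.decode("ascii", errors="replace")
    m = _SYSLOG_RE.match(text)
    if not m:
        raise ValueError(f"not a BSD syslog message: {text!r}")
    pri = int(m.group("pri"))
    if pri > 191:                      # 23*8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "hostname": m.group("host"), "tag": m.group("tag"),
            "pid": m.group("pid"), "message": m.group("msg")}


def send_syslog(datagram: bytes, host: str, port: int = 514) -> None:
    """Fire-and-forget UDP send, as a syslog agent does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def loopback_roundtrip(datagram: bytes, timeout: float = 2.0) -> dict:
    """Bind an ephemeral loopback port, send to it, and parse what arrives.
    Shows that the datagram survives the wire intact; a real receiver would
    be the CorreLog Server on UDP 514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        send_syslog(datagram, "127.0.0.1", port)
        data, _ = rx.recvfrom(2048)
    return parse_syslog_datagram(data)


if __name__ == "__main__":
    dg = build_syslog_datagram("winhost01", "CO-Fmon",
                               "file integrity check complete: 0 changes")
    print(dg.decode())
    print(loopback_roundtrip(dg))
```

If the loopback round trip works but nothing reaches the Syslog host, the fault lies between the two machines (firewall, port blocker, wrong destination address), which is exactly what the "Service Ports" requirement above warns about.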

Important Differences between X32 and X64 Operating Systems

The FIM supports both a 32-bit and 64-bit Windows host architecture. The following notes apply:

1. The X32 version can run on either a 32-bit or 64-bit architecture. However, due to constraints of the Microsoft Windows operating system, the 32-bit version will actually monitor the "SysWow64" directory rather than the "system32" directory, which may be confusing to users.

2. The "system32" directory is accessed via the "sysnative" path (which corresponds to the regular "system32" path for 64-bit applications.) This occurs transparently to the user, but may be important when testing or demonstrating FIM operation. So, if the user specifies "system32" in the configuration file as a target directory for monitoring, this folder will be accessed via the "sysnative" folder.

The above factors may be confusing to users. Normally, a 32-bit application cannot access 64-bit executables or DLLs. As a further limitation, Windows automatically AND silently redirects every 32-bit executable to the "syswow64" directory whenever it attempts to access the "system32" directory. Therefore, although the X32 version of the program will appear to be operating in the "system32" directory, it will actually be operating on the "syswow64" directory.

NOTE: Although the X32 version will execute on X64 platforms, the X32 version will automatically and silently redirect file scans to the "sysnative" directory if the "system32" directory is specified to the agent. This is a very common source of confusion during test and demonstration of the software.
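An added check (not CorreLog code) that makes the redirection above concrete: it decides whether the scanning process is a 32-bit process running under WOW64, and computes which folder Windows will actually hand it for a configured "system32" path, both with the plain (silently redirected) open and with the "sysnative" bypass. The function names and the default C:\Windows path are this example's own assumptions; the environment variable PROCESSOR_ARCHITEW6432 is the standard WOW64 indicator.

```python
import ntpath
import os
import re
import struct
from typing import Mapping, Optional

# Added example, not CorreLog code. Two questions a tester should settle
# before judging a FIM scan of "system32" on a 64-bit host:
#   1. Is the scanning process a 32-bit process running under WOW64?
#   2. Which folder does Windows actually give it when it opens "system32"?


def is_wow64_process(env: Mapping[str, str] = os.environ,
                     pointer_bits: int = struct.calcsize("P") * 8) -> bool:
    """A 32-bit process on 64-bit Windows sees PROCESSOR_ARCHITEW6432 set
    (e.g. to AMD64) while its own pointers are 32 bits wide. A native 64-bit
    process, or any process on 32-bit Windows, does not."""
    return pointer_bits == 32 and bool(env.get("PROCESSOR_ARCHITEW6432"))


def effective_scan_path(configured: str, windir: str = r"C:\Windows",
                        wow64: Optional[bool] = None,
                        use_sysnative: bool = True) -> str:
    """Return the folder the scanner really reads when it opens `configured`.

    - native 64-bit process, or 32-bit Windows: unchanged
    - 32-bit process under WOW64, plain open: system32 -> SysWOW64 (silent redirect)
    - 32-bit process under WOW64, sysnative alias: system32 -> sysnative
      (the real 64-bit system32)
    Paths outside %windir%\\system32 are returned unchanged.
    """
    if wow64 is None:
        wow64 = is_wow64_process()
    # Expand %windir% case-insensitively; a lambda keeps backslashes literal.
    path = re.sub(r"%windir%", lambda _: windir, configured, flags=re.IGNORECASE)
    path = path.replace("/", "\\")
    if not wow64:
        return path
    system32 = ntpath.join(windir, "system32")
    norm, norm_sys32 = ntpath.normcase(path), ntpath.normcase(system32)
    if norm != norm_sys32 and not norm.startswith(norm_sys32 + "\\"):
        return path
    target = ntpath.join(windir, "sysnative" if use_sysnative else "SysWOW64")
    return target + path[len(system32):]   # keep the caller's sub-path and casing


if __name__ == "__main__":
    print("scanner is a WOW64 process:", is_wow64_process())
    for cfg in (r"%windir%\system32", r"C:\Windows\System32\drivers\etc",
                r"C:\Program Files\App"):
        plain = effective_scan_path(cfg, wow64=True, use_sysnative=False)
        native = effective_scan_path(cfg, wow64=True)
        print(f"{cfg:36} plain open -> {plain:30} sysnative -> {native}")
```

The practical reading: when a demonstration of the agent seems to "miss" a change made in system32 on a 64-bit host, compare the path the scanner was given with the two outputs above before concluding the monitor is at fault.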

Re-installing the Software

The user can re-install the software by running the CorreLog\wintools\CO-install.exe program again. (The user does not have to uninstall and re-install the program software from the WinZip file.) By executing the CO-install.exe program, the service is stopped, removed, re-installed, and reconfigured with the user-specified destination host. The platform will generally not have to be rebooted during any installation. However, under certain rare circumstances, such as if the CO-Fmon.exe program has some conflict with third-party software, it may be necessary to re-initialize the entire platform by rebooting before performing a re-install.

Uninstalling the CorreLog FIM Agent

The CorreLog FIM Agent is uninstalled via the “Add / Remove Programs” Windows facility. The user navigates to this screen (via the Control Panel) and clicks on the “CorreLog Syslog Message Server” entry to execute the Uninstall program. The user follows the instructions of the dialog to uninstall the CorreLog Framework system.


Note that, unlike many uninstall programs, the CorreLog Framework files are left intact on the disk. After executing the uninstall procedure, the user must physically remove these files, such as by dragging the CorreLog root directory to the Microsoft Windows “Recycle Bin”. This extra step safeguards against accidental removal of data on the system.

Note: Uninstalling the File Integrity Monitor software will also uninstall the CorreLog Syslog Message Service. If the user wishes to disable the FIM software but leave the Syslog Message Service running, the user should stop and disable the "CorreLog File Integrity Monitor" service on the platform, and leave the "CorreLog Syslog Message Service" operating as normal.


Section 3: CorreLog FIM Usage

At many sites, the entire usage of the CorreLog File Integrity Monitor will consist of installing the program (as discussed in the previous section) and then rarely if ever visiting that installation again. The CorreLog FIM does not require program maintenance, and will not interfere with other system processes. The system configuration file (discussed in the next section of this manual) is ready to run and does not require any customization, other than the destination Syslog host supplied by the installation dialog.

However, the FIM Agent programs have various capabilities available for general users, documented in this section. Specifically, the CO-Fmon.exe program has a comprehensive configuration file that allows tailoring of the directories and files that are periodically scanned. Additionally, the user can customize various parameters of the agent, create a new "Image" file for the agent, and run checks of the system "On Demand".

This section provides detailed notes on the FIM tool command line options and application notes suitable for use by administrators and developers wishing to extend the Windows Syslog monitoring capabilities of their organization. The section will also be of interest to other users wishing to assess the capabilities of the FIM tools, and Syslog protocol in general.


The CO-Fmon.exe Program

The CO-Fmon.exe program, normally residing in the CorreLog\wintools directory, executes as a single persistent background process, and as a standard Windows service. The program can be seen in the Windows Service Manager, with the name “CorreLog File Integrity Monitor”. The program can be started and stopped from that location, or via the “net” command, using the short name “CorreLog File”. The program is normally configured in the Windows Service Manager to start automatically when the host platform boots. Users can verify the program is running by finding the CO-Fmon.exe program name in the Windows Task Manager.

The destination address for all messages is configured in the “CO-Fmon.cnf” file, which is in the same directory as the “CO-Fmon.exe” program. This file MUST exist in that location, and is read whenever the CO-Fmon.exe program starts. A detailed explanation of this configuration file, including all directives that can be included in the file, is provided in the next section of this manual.

The CO-Fmon.exe program creates the CO-Fmon.log file in the same directory as the executable program and the configuration file. This log file can contain any errors, and can contain Syslog messages (if so configured). The file is overwritten each time the program starts, and typically contains only a few lines. This log file will not need any maintenance.

CO-fmon.img – Image File

The FMON Agent maintains a baseline of file names and identifiers, generated from the "CO-fmon.cnf" file specification, which is used to detect changes on the system. This "Image File" resides in the "CO-fmon.img" file, in the same directory as the "CO-fmon.exe" and "CO-fmon.cnf" files. The "CO-fmon.img" file is generated on startup and on demand, as well as at other times, described below.

• On Startup. When the CO-fmon.exe program is first installed and executed, a new Image File is automatically created containing all the files specified in the "CO-fmon.cnf" file. This action occurs only once, and is deferred if any "CO-fmon.img" file already exists on the system.

• Manually, On Demand. An Image File is generated whenever the user clicks the "Config > Create New Image File" button on the CorreLog Server File Integrity Monitor screen. This permits the user to accept certain changes on the system (such as after a file update for the system, or after installing new software).


• On Configuration Change. If the user uploads a new configuration file to the FMON Agent, a new Image File is automatically generated. (This is necessary to keep the Image File in agreement with the files listed during periodic checks of the system.)

• Auto-Generation. If the user selects the "Auto Generate Image File" option to be "True" on the "Config" screen of the CorreLog Server File Integrity Monitor screen, then a new Image File is generated each time a check is made on the system, after any Syslog messages are sent. In this mode of operation, a Syslog message is sent only once, when a change is first detected.

During normal operation, the system will detect changes to managed files, and send a Syslog message for each file change. This condition will persist until either the list of files is restored to its original state (by adding, deleting, or installing the original file) or until a new Image File is created on the system.

CO-fmon.stt – Status Change File

At periodic intervals, or on demand, the FMON Agent scans the system files specified in the "CO-fmon.cnf" configuration file, and compares this new list to the Image File described above. The FMON Agent will send a Syslog message for each change detected, whether a file addition, deletion, or modification. The FMON Agent will report a maximum of 50 file changes, and will report a summary message indicating the total number of changes. The list of changes is contained in the "CO-fmon.stt" file, residing in the same directory as the "CO-fmon.img", "CO-fmon.cnf", and "CO-fmon.exe" files. The status file can be viewed from the CorreLog Server File Integrity Monitor screen, and is generated as described below.

• On Startup. When the system first starts, if a "CO-fmon.img" file exists on the system (possibly created earlier, as described above) a new Status Change File will be generated. This will report any files that were added immediately prior to the system shutting down, useful for detecting new software installations and reboots.

• At Scheduled Intervals. The Status Change File is generated at intervals specified by the "Config" screen of the CorreLog File Integrity Monitor screen, either "hourly", "daily", "weekly" or "monthly".

• On Demand. The Status Change File is generated whenever the user clicks the "Config > Run File Integrity Check Now" button on the CorreLog Server File Integrity Monitor screen. This permits the user to immediately test for certain changes on the system (such as after a file update for the system, or after installing new software.)

Normally, the system automatically scans for changes, issuing Syslog messages at periodic intervals, with no manual intervention required. The user can run a check on demand, useful for testing the operation of the File Integrity Monitor and the current configuration file.
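The Image File and Status Change File mechanism described above (and the "Ability To Perform File Checksums" feature in Section 1), as an added example that is not CorreLog's code and does not reproduce the on-disk format of CO-fmon.img or CO-fmon.stt: a baseline image is built from size, modify time, create time and an optional SHA-256 per selected file, a fresh scan is compared against it, one message per change is emitted up to the 50-change cap, and a summary line carries the true total. The include/exclude filters, the message wording and the host name winhost01 are this example's own assumptions (the real CO-Fmon.cnf syntax is in Section 4). The demo scenario also shows why checksums matter: a same-size rewrite and a timestamp-only change are both caught, for different reasons.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not CorreLog's code or the format of CO-fmon.img / CO-fmon.stt.
MAX_REPORTED_CHANGES = 50          # per-scan reporting cap stated in the manual


@dataclass(frozen=True)
class FileRecord:
    size: int
    mtime_ns: int
    ctime_ns: int                  # creation time on Windows; inode change time on Unix
    sha256: Optional[str] = None   # filled only when checksums are enabled


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, suffixes: Optional[Iterable[str]] = None,
              exclude_dirs: Iterable[str] = (), exclude_prefixes: Iterable[str] = (),
              checksum: bool = False) -> Dict[str, FileRecord]:
    """Build an image of `root`, keyed by path relative to `root`.
    Filters (suffix include, directory-name and file-prefix exclude) are this
    example's own; they are case-insensitive like Windows file names."""
    want = tuple(s.lower() for s in suffixes) if suffixes else None
    skip_dirs = {d.lower() for d in exclude_dirs}
    skip_pfx = tuple(p.lower() for p in exclude_prefixes)
    image: Dict[str, FileRecord] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in skip_dirs]  # prune excluded dirs
        for name in filenames:
            low = name.lower()
            if (want and not low.endswith(want)) or (skip_pfx and low.startswith(skip_pfx)):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            image[os.path.relpath(full, root)] = FileRecord(
                st.st_size, st.st_mtime_ns, st.st_ctime_ns,
                _sha256(full) if checksum else None)
    return image


def compare(image: Dict[str, FileRecord],
            current: Dict[str, FileRecord]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, deleted, modified) relative paths, each sorted.
    A file is modified if any recorded attribute differs from the image."""
    added = sorted(set(current) - set(image))
    deleted = sorted(set(image) - set(current))
    modified = sorted(p for p in set(image) & set(current) if image[p] != current[p])
    return added, deleted, modified


def build_change_messages(host: str, added: List[str], deleted: List[str],
                          modified: List[str], limit: int = MAX_REPORTED_CHANGES) -> List[str]:
    """One line per change, capped at `limit`, then a summary with the true total.
    Wording is constructed for this example, not the agent's real text."""
    events = ([("added", p) for p in added] + [("deleted", p) for p in deleted]
              + [("modified", p) for p in modified])
    lines = [f"{host} CO-Fmon: file {kind}: {path}" for kind, path in events[:limit]]
    lines.append(f"{host} CO-Fmon: file integrity check complete: "
                 f"{len(events)} change(s), {min(len(events), limit)} reported")
    return lines


def demo() -> dict:
    """Constructed scenario in a temp dir: one delete, one same-size content
    change, one timestamp-only change, one new file, one excluded directory."""
    with tempfile.TemporaryDirectory() as root:
        seed = {"a.txt": b"alpha\n", "b.txt": b"bravo\n", "c.txt": b"charlie\n",
                os.path.join("logs", "skip.log"): b"noise\n"}
        for rel, data in seed.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        image = scan_tree(root, exclude_dirs=["logs"], checksum=True)      # baseline image

        os.remove(os.path.join(root, "a.txt"))                              # deleted
        with open(os.path.join(root, "b.txt"), "wb") as f:
            f.write(b"BRAVO\n")                 # same size: only checksum/mtime reveal it
        fixed = 1_500_000_000_000_000_000       # 2017-07-14 UTC, in nanoseconds
        os.utime(os.path.join(root, "c.txt"), ns=(fixed, fixed))            # timestamp only
        with open(os.path.join(root, "new.dll"), "wb") as f:
            f.write(b"MZ")                                                  # added
        current = scan_tree(root, exclude_dirs=["logs"], checksum=True)

        added, deleted, modified = compare(image, current)
        return {"image_size": len(image), "added": added, "deleted": deleted,
                "modified": modified,
                "messages": build_change_messages("winhost01", added, deleted, modified)}


if __name__ == "__main__":
    for line in demo()["messages"]:
        print(line)
```

Two behaviours from the text are visible here: after a change is detected the same messages recur on every scan until the image is regenerated (calling scan_tree again and keeping the result as the new image is the equivalent of "Create New Image File"), and a scan with more than 50 changes still reports the full count in the summary even though only 50 individual lines are sent.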

CO-Fmon.exe Command Line Arguments

The CO-Fmon.exe program contains various command line options that allow the program to execute at a command prompt. While these command line options are never required, they may facilitate certain user operations, especially in batch files. The various options of the program are as follows:

CO-Fmon -install

The -install option causes the program to be installed as the “CorreLog File Integrity Monitor" service in the Windows Service Manager. If the service is already installed, no action occurs. This is normally executed by the CO-install.exe program, but can be executed manually to re-install the service.

CO-Fmon –remove

The –remove option removes the program from the Windows Service Manager, first stopping the service (as needed.) This is normally executed by the CO-uinstall.exe program, but can be executed manually to uninstall the service.

CO-Fmon –start

The –start option starts the “CorreLog File Integrity Monitor” service, identical to starting the service via the Windows Service Manager, or executing the “net start “CorreLog File” command. If the service is already started, this option has no affect.

CO-Fmon –stop

The –stop option stops the “CorreLog File Integrity Monitor" service, identical to ending the service via the Windows Service Manager, or executing the “net stop “CorreLog File” command. If the service is already stopped, this option has no affect.

CO-Fmon -mode auto | manual | disable

The –mode option must be followed by the keyword “auto”, “manual”, or “disable”, and modifies the “CorreLog File Integrity Monitor” service startup mode, identical to making this modification via the Windows Service Manager.

CO-Fmon -permit

The -permit option tests the permissions of the user to access the Windows Service Manager. The program displays the status of the permissions, either "available" or not.

CO-Fmon -foreground

The -foreground option executes the CO-fmon.exe program as a foreground process, without the service manager. In addition to sending Syslog messages to the receiver, the program displays any internal error messages or warnings, and additionally displays messages on standard output.

CO-Fmon -generate

The -generate option is provided mainly for extensibility or system-level debug, and causes the "CO-fmon.img" file to be generated on the system, listing all the files specified in the "CO-fmon.cnf" file. This allows the user to manually generate a new Image File, which serves as the baseline for detecting changes on the system. (See the section on the "CO-fmon.img" Image File, above.)

CO-Fmon -diff

The -diff option is provided mainly for extensibility or system-level debug, and causes the "CO-fmon.stt" file to be generated on the system, listing all the file changes. The option generates a new listing, compares the listing to the "CO-fmon.img" file, and generates Syslog messages for each change. This allows the user to manually generate a new difference list on the system.

CO-Fmon -help

The -help option displays brief help on the above options. Note that the CO-Fmon.exe program MUST be executed with at least one command line argument. One of the above command line arguments is required for interactive usage. If the program is executed with no arguments, the program will either hang, or will exit with no message. (This is the mode of operation used by the Windows Service Manager.)

The Rfmconf.exe Utility

The CorreLog FIM includes a utility that permits remote configuration changes of the CO-Fmon.exe program. This utility is found in the "system\rfmconf.exe" file location of the main CorreLog Server. The utility permits an administrator (with authentication and security) to remotely change the configuration of the CO-Fmon.exe program, assisting in the configuration and maintenance of the program.


The configuration of the CorreLog FIM is discussed in detail within the sections that follow. Although it may never be necessary to change the default settings of the CO-Fmon.exe program, it may also be the case that match patterns, log file monitors, and other parameters will need to be maintained, especially during the initial setup and configuration of the system. The Rfmconf.exe program permits the user to download and upload the configuration file from a CO-Fmon.exe program. When uploading changes, the new configuration immediately takes effect within the CO-Fmon.exe program without requiring a restart of the service. Extensive checks and security features are incorporated into the system as detailed within later sections of this manual. Note that the Rfmconf.exe program is suitable for use within batch files, so that an administrator can easily apply large numbers of changes across an enterprise. Also note that the CorreLog Server itself can effect these changes via the web interface. These remote configuration features are discussed in more detail within a separate section of this manual.

Section Summary And Additional Notes

1. The “CorreLog File Integrity Monitor Agent” monitors file changes, either file additions, file deletions, or file changes.

2. The destination host address is configured in the CO-Fmon.cnf file, which is in the same location as the CO-Fmon.exe program, by default the directory "C:\CorreLog\wintools".

3. The CO-Fmon.cnf file MUST exist in the above directory, and specifies a variety of parameters and configuration items detailed in the next section.

4. The CO-Fmon.exe program supports a variety of command line options, including a “-foreground” option, for running the program in foreground, and for checking the configuration file after edits.


Section 4: CO-Fmon Config File

The CO-Fmon.cnf file contains all the parameters and specifications related to the program's operation. This file is found in the same directory as the CO-Fmon.exe program, by default the "C:\CorreLog\wintools\CO-Fmon.cnf" file. An example of this file is found in Appendix A of this document.

There is no required editing of this file. The installation dialog creates a version of this file that will be adequate for many (and perhaps most) situations. However, if a user wishes to fine tune the parameters of the Syslog messages, or wishes to monitor streaming log files in addition to the Windows Event logs, or needs to change the location of the CorreLog Syslog destination, the file can be edited with a standard text editor, as explained here, or modified via the remote configuration functions as detailed in later sections of this manual.

If the configuration file changes via a manual edit, the user must stop the CO-Fmon.exe service and restart the service. Any errors detected while reading the configuration file are logged to the CO-Fmon.log file, in the same directory as the CO-Fmon.exe program and CO-Fmon.cnf file. If the configuration file is changed via a remote configuration operation, no restart of the CO-Fmon.exe program is required.

Detailed notes on this file, possibly of interest to administrators or developers, are provided in this section. Note that the information herein is not necessarily required to install and use the CO-Fmon.exe program, but is provided only to support more advanced applications and requirements.


Configuration Items

In addition to specifying the destination address and port number, the configuration file contains a number of other settings that can be used to specify log files (in addition to the Win32 Event Log files), as well as match patterns that set the facility and severities of the various Syslog messages. The file contains the following sections.

• Destination Address And Port Number. The top of the file contains the destination and port number for Syslog messages.

• Remote Configuration Parameters. The next section of the file contains information regarding the remote configuration capability of the program, including the type of authentication and optional passkey required to permit remote configuration.

• Required Parameters. Following the above fields, the user can specify ancillary parameters, such as the severity of messages, and other values.

• Directory Specifications. Following the “Required Parameters” section are multiple entries that list all the files and facilities to be monitored. The user can configure multiple directories, and each directory can contain multiple match patterns and exclude patterns.

Each of the above items is explained in more detail within the pages that follow. Refer to the end of this section for a printout of the default CO-Fmon.cnf file.

Destination Address And Port Number Directives

The CO-Fmon.exe program requires two directives, which must be configured in the CO-Fmon.cnf file. The initial configuration of these two directives is performed by the installation procedure; however, the user can modify the values after installation to change the destination of Syslog messages.

DestinationAddress

This directive should be followed by an IP address, which corresponds to the location of the CorreLog Syslog receiver (typically the IP address of the CorreLog web server.) If this value is invalid, the CO-Fmon program will not send Syslog messages.

DestinationPort

This directive should be the integer 514, which is the standard UDP port number used by Syslog. Generally, this value is provided mainly for reference and cannot be easily changed.


These directives are required at the very top of the file, and cannot be moved to some other section of the file. If there are multiple entries, the last entry recorded in the file for these parameters is used, and the other directives are ignored.

Remote Configuration Parameters

The CO-Fmon.exe program supports remote configuration directives by the main CorreLog Server, or by the "rfmconf.exe" remote configuration utility. Following the Destination Address and Destination Port directives are a series of optional parameters to support this function. The following three directives are optional.

ListenAuthMode

This directive specifies the authentication mode used when processing remote requests. The directive is followed by an integer number between 0 and 3 as follows: 0=No authentication; 1=Authentication by source address; 2=Authentication by passkey; 3=Authentication by both source address and passkey. The default value is 3.

ListenPassKey

This directive is the passkey used with remote configuration when the ListenAuthMode is 2 or 3. The value serves as a simple password. (The corresponding password in the CorreLog Server is found in the System > Parameters tab of the web interface.)

ListenPort

This directive should be the integer 55515, which is the TCP port at which the CO-Fmon.exe program listens for remote requests. Generally, this value is provided mainly for reference and cannot be easily changed.

If these three directives are commented out or removed from the configuration file, then remote configuration is disabled and only manual configuration of the CO-Fmon.exe program is permitted.

Required Parameters Section

Following the Remote Configuration directives are a series of required parameters as follows:

Schedule

This is the time at which periodic checks are scheduled: if "hourly", then a check is performed at the start of each hour; if "daily", then a check is performed each day at midnight; if "weekly" then a check is performed on Monday morning at midnight; if "monthly" then a check is performed at midnight at the start of each month. No other settings are valid. (See the related value below.)

SchedDelaySecs

This is an integer value that can be used to postpone the scheduled execution of the program by some number of seconds, to permit staggered execution of the program on the network. If the value is greater than the interval selected as the "Schedule", then the value has no effect on the execution.

ChangeSeverity

This is the severity of messages sent when a file change is detected. The default value is "warning", but any valid severity can be specified, including the special "disabled" severity, which disables any notification if a file is changed.

AddSeverity

This is the severity of messages sent when a new file is detected. The default value is "notice", but any valid severity can be specified, including the special "disabled" severity, which disables any notification if a new file is detected.

DeleteSeverity

This is the severity of messages sent when a file deletion is detected. The default value is "notice", but any valid severity can be specified, including the special "disabled" severity, which disables any notification if a file is deleted.

AutoGenImage

This setting is either "True" or "False". The default value is "True", which means that the "Image File" is regenerated after each check of the system, and only new changes are reported. Setting this value to "False" will cause change messages to be sent until the change is undone, or a new image file is generated manually. If this setting is "True", then the "Image File" is replaced with the latest list of files each time that a check is performed (which means that each change is reported once, instead of continuously until a new Image File is created.)

UseChecksum

This setting is either "True" or "False". The default value is "False", which means that changes are detected to files based upon the file creation date, modification date, and / or file size. When set to "True", file checksums are also generated and compared to detect changes. This value can degrade the speed of checks and increase CPU usage, but provides the most reliable way to detect changes to files.
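To make the severity, AutoGenImage and UseChecksum settings above concrete, here is an added Python model of a check; it is not CorreLog's code, and since the CO-fmon.img format is not documented on this page the image is a plain dict built from constructed in-memory file records. It shows why a file whose bytes change while its size and timestamp are preserved is only reported when UseChecksum is True, and how AutoGenImage decides whether a change is reported once or on every run.

```python
"""Model of the Image File / Status Change File comparison (the *Severity,
AutoGenImage and UseChecksum directives). Added example, not CorreLog's code:
the real CO-fmon.img format is undocumented here, so the image is a dict and
files are constructed in memory as (size, mtime, content)."""
import hashlib

VALID_SEVERITIES = {"emergency", "alert", "critical", "error", "warning",
                    "notice", "info", "debug", "disabled"}

def fingerprint(size, mtime, content, use_checksum):
    """Per-file record: size and mtime always, SHA-256 only when UseChecksum is True."""
    rec = {"size": size, "mtime": mtime}
    if use_checksum:
        rec["sha256"] = hashlib.sha256(content).hexdigest()
    return rec

def build_image(files, use_checksum=False):
    """Equivalent of '-generate': snapshot every file into a baseline image."""
    return {path: fingerprint(*attrs, use_checksum) for path, attrs in files.items()}

def check(image, files, settings):
    """Equivalent of '-diff': compare the current file set against the image.
    Returns (events, next_image). Each event is (severity, kind, path) with kind
    add/delete/change; a kind whose severity is 'disabled' is not reported.
    With AutoGenImage True the fresh scan becomes the next image, so a change is
    reported once; with False the old image is kept and the change repeats."""
    severities = {"add": settings.get("AddSeverity", "notice"),
                  "delete": settings.get("DeleteSeverity", "notice"),
                  "change": settings.get("ChangeSeverity", "warning")}
    for sev in severities.values():
        if sev not in VALID_SEVERITIES:
            raise ValueError(f"invalid severity {sev!r}")
    # Regenerate the image after toggling UseChecksum: records of a different
    # shape would otherwise all compare as changed.
    current = build_image(files, settings.get("UseChecksum", False))
    events = []
    for path in sorted(set(image) | set(current)):
        if path not in image:
            kind = "add"
        elif path not in current:
            kind = "delete"
        elif image[path] != current[path]:
            kind = "change"
        else:
            continue
        if severities[kind] != "disabled":
            events.append((severities[kind], kind, path))
    return events, (current if settings.get("AutoGenImage", True) else image)

# Constructed file sets: the baseline scan and a later scan of the same host.
BASELINE = {
    "C:/CorreLog/wintools/CO-Fmon.exe": (4096, 1700000000, b"fmon-v1"),
    "C:/Windows/system32/svc.dll":      (2048, 1690000000, b"dll-v1"),
    "C:/Windows/system32/old.exe":      (1024, 1680000000, b"old"),
}
LATER = {
    "C:/CorreLog/wintools/CO-Fmon.exe": (4096, 1700000000, b"fmon-v1"),  # unchanged
    "C:/Windows/system32/svc.dll":      (2048, 1690000000, b"dll-v2"),   # same size/mtime, new bytes
    "C:/Windows/system32/new.exe":      (512, 1710000000, b"new"),       # added; old.exe is gone
}

def run_two_checks(**settings):
    """Build the image, run two scheduled checks against LATER, return both event lists."""
    image = build_image(BASELINE, settings.get("UseChecksum", False))
    first, image = check(image, LATER, settings)
    second, _ = check(image, LATER, settings)
    return first, second

if __name__ == "__main__":
    for label, cfg in [("defaults", {}),
                       ("UseChecksum + AutoGenImage False",
                        {"UseChecksum": True, "AutoGenImage": False}),
                       ("DeleteSeverity disabled", {"DeleteSeverity": "disabled"})]:
        print(label, run_two_checks(**cfg))
```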


PollDelayMsec

This setting is a numeric value in the range of 1 to 100, which indicates the number of milliseconds to pause after testing each file on the system. The value can be used to reduce the CPU time consumed by the file checks. The default value is 10 milliseconds, which is adequate for most systems. Setting this value too high will reduce CPU time, but increase the time needed to perform file checks.

Directory Specifications

Following the required parameters section are the directory specifications, which indicate which directories and files are to be monitored. Up to 50 different directories can be specified. By default, the system monitors the "/correlog" and "%SystemRoot%/system32" directories. Each directory on the system is identified along with a series of optional match and exclude patterns, which limit the range of files to be scanned. When a directory is specified, all sub-directories to that directory are also scanned unless the directory names are specifically excluded. The following directives are supported.

Directory

This directive is followed by the name of a Windows directory, with forward (UNIX style) slashes to delimit subdirectories. Any valid directory can be specified, including the entire disk (such as "C:/" or "D:/"). The pathname can include an environmental variable. All files in the directory, as well as all files in all subdirectories (unless specifically excluded) are scanned.

MatchExt

This directive must be preceded by the "Directory" directive, and specifies a file extension that must be matched before the file is monitored. By default, the File Monitor includes a number of match extensions such as ".exe", ".dll", and ".bat". This directive permits the user to specify additional file extensions. (See the "MatchExt" section below.)

ExclExt

This directive must be preceded by the "Directory" directive. The value specifies a file extension that excludes a filename from monitoring. This furnishes a way of excluding files that are matched by a default extension. (See the "MatchExt" section below.)

MatchPatt

This directive is similar to the "MatchExt" directive, except that it specifies a pattern that must be matched in the pathname before the file is monitored. For example, the value "/private/" will match all files in the path "test/private/data". The user can include an arbitrary number of match patterns following each "Directory" directive.

ExclPatt

This directive is similar to the "ExclExt" directive. The value specifies a pattern that excludes a directory or filename from monitoring. For example, the "/temp/" pattern will exclude from monitoring any file or pathname that contains the "/temp/" keyword. The user can include an arbitrary number of exclude patterns following each "Directory" directive. The "ExclPatt" can include file suffixes, such as "*.log", but more typically includes subdirectory names that are excluded from the monitor.

RecursionDepth

This optional directive must be preceded by the "Directory" directive, and indicates the maximum number of subdirectories to descend into. If the directive is omitted, the file integrity monitor will descend a maximum of 50 directories deep before stopping. The value is useful for situations such as scanning the C:\ root directory for changes without penetrating deeper into the system (in which case the RecursionDepth is zero.)

MonitorMode

This optional directive must be preceded by the "Directory" directive. If this directive is included, it modifies the way that file integrity is checked for the related files, overriding any other settings as follows: a value of 1 indicates only the file name is checked; a value of 2 indicates the filename and modify times are checked; a value of 3 indicates that the file name, modify times, and checksum values are checked. The directive can be used to modify the way files are checked. One use for this directive is to permit easy monitoring of the Windows "prefetch" directory files.

Modifying the Configuration File

The configuration directives are read during startup, and are re-read only if the user uploads a new configuration file to the system, such as via the CorreLog Server File Integrity Monitor screen. When a configuration file is uploaded, this automatically causes a new Image File to be generated based upon the changes to the file. Normally, the configuration file is modified only at the CorreLog Server, using the "File Integrity Monitor" configuration screen. This means that port 55515 must be open to the agent. Note that if the configuration file is directly modified on the managed system (such as with a text editor like "notepad") the changes are not read until the next time that the FMON Agent restarts, and no image file is generated. Therefore, the next time that the system starts, the FMON Agent will likely report a large number of file additions, deletions, or modifications. In this case, the user should regenerate the image file manually, such as via the "CO-fmon.exe -generate" function (described in a previous section.)

MatchExt and MatchPatt Directives

When scanning files and folders, the "MatchExt" and "MatchPatt" directives limit the files that are scanned and checked. The user can specify an extension (with or without a leading "*" or "." character) using "MatchExt", which limits monitoring to a particular file type. The user can specify any part of a pathname with the "MatchPatt" directive, to match entire pathnames. In addition to the values listed in the "MatchExt" directive, the file integrity monitor also scans and checks any "*.exe", "*.dll", or other executable file extension (including more arcane extensions such as "*.pif", "*.msi", "*.msp", "*.com", "*.scr", "*.hta", "*.cpl", "*.msc", "*.vb", "*.vbs", "*.ps1", etc.) These default patterns can be listed with a MatchPatt, but this is generally not necessary. Any default file extension that is not of interest can be excluded using an "ExclPatt" directive for the target file directory. A complete list of these extensions is available on request from CorreLog.
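As an added example (not CorreLog's code, and not the shipped CO-Fmon.cnf), the following Python models the Directory, MatchExt, ExclExt, MatchPatt, ExclPatt, RecursionDepth and MonitorMode rules from the directive list above and the MatchExt/MatchPatt discussion: it parses a constructed configuration in an assumed "Name value" line format and decides which of a set of constructed paths would be monitored. The precedence the agent applies between match and exclude directives is not documented here, so the candidate-then-exclude order below is an assumption.

```python
"""Model of the CO-Fmon.cnf directory rules from this section. Added example, not
CorreLog's code. Assumed (the manual leaves it open): "Name value" lines with '#'
comments, case-insensitive matching, and a file is a candidate when its extension is
a default executable extension or a MatchExt of its Directory block, or its path
contains a MatchPatt; an ExclExt or ExclPatt then removes it."""
import posixpath
from dataclasses import dataclass, field

# Default extensions the manual says are always checked (its list is partial).
DEFAULT_EXTS = {".exe", ".dll", ".bat", ".pif", ".msi", ".msp", ".com",
                ".scr", ".hta", ".cpl", ".msc", ".vb", ".vbs", ".ps1"}
PER_DIR = {"MatchExt", "ExclExt", "MatchPatt", "ExclPatt", "RecursionDepth", "MonitorMode"}

def norm_ext(value):
    v = value.strip().lower().lstrip("*")   # 'exe', '.exe' and '*.exe' are all allowed
    return v if v.startswith(".") else "." + v

@dataclass
class DirSpec:
    root: str
    match_exts: set = field(default_factory=set)
    excl_exts: set = field(default_factory=set)
    match_patts: list = field(default_factory=list)
    excl_patts: list = field(default_factory=list)
    recursion_depth: int = 50      # manual's default when the directive is omitted
    monitor_mode: int = 0          # 0 = directive not given

def parse_config(text):
    """Return (global directives, directory specs); the last global entry wins."""
    globals_, dirs = {}, []
    for raw in text.splitlines():
        name, _, value = raw.split("#", 1)[0].strip().partition(" ")
        if not name:
            continue
        value = value.strip()
        if name == "Directory":   # forward slashes per the manual; trailing '/' dropped
            dirs.append(DirSpec(root=value.replace("\\", "/").rstrip("/").lower()))
        elif name in PER_DIR:
            if not dirs:
                raise ValueError(f"{name} must follow a Directory directive")
            d = dirs[-1]
            if name in ("MatchExt", "ExclExt"):
                (d.match_exts if name == "MatchExt" else d.excl_exts).add(norm_ext(value))
            elif name in ("MatchPatt", "ExclPatt"):
                (d.match_patts if name == "MatchPatt" else d.excl_patts).append(value.lower())
            elif name == "RecursionDepth":
                d.recursion_depth = int(value)
            else:
                d.monitor_mode = int(value)
        else:
            globals_[name] = value
    return globals_, dirs

def is_monitored(path, spec):
    """Apply one Directory block's rules to a single file path."""
    p = path.replace("\\", "/").lower()
    if not p.startswith(spec.root + "/"):
        return False
    rel = p[len(spec.root) + 1:]
    if rel.count("/") > spec.recursion_depth:   # depth 0 = root files only
        return False
    ext = posixpath.splitext(p)[1]
    wanted = (ext in DEFAULT_EXTS or ext in spec.match_exts
              or any(patt in p for patt in spec.match_patts))
    if not wanted or ext in spec.excl_exts:
        return False
    for patt in spec.excl_patts:
        # "*.log" style excludes by suffix; anything else is a substring match
        if patt.startswith("*.") and ext == patt[1:]:
            return False
        if not patt.startswith("*") and patt in p:
            return False
    return True

def monitored_files(config_text, paths):
    _, dirs = parse_config(config_text)
    return sorted(p for p in paths if any(is_monitored(p, d) for d in dirs))

# Constructed sample in the style of CO-Fmon.cnf (not the shipped file).
SAMPLE_CNF = """\
DestinationAddress 192.0.2.10
ListenAuthMode 3
Directory C:/CorreLog
MatchExt cnf          # also watch the agent's own configuration file
ExclPatt /logs/
ExclPatt *.log
Directory C:/
RecursionDepth 0      # files directly under the drive root only
Directory C:/Users
MatchPatt /private/
MonitorMode 3
"""
SAMPLE_PATHS = [                          # constructed paths exercising each rule
    "C:/CorreLog/wintools/CO-Fmon.exe",   # default .exe
    "C:/CorreLog/wintools/CO-Fmon.cnf",   # MatchExt cnf
    "C:/CorreLog/logs/loader.exe",        # dropped by ExclPatt /logs/
    "C:/autoexec.bat",                    # depth 0 under C:/
    "C:/Users/bob/private/notes.txt",     # MatchPatt /private/
]
```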

Section Summary And Additional Notes

1. The CorreLog File Integrity Monitor configuration file resides in the same directory as the CO-Fmon.exe executable, and is the CO-Fmon.cnf file. By default, this file is located in the C:\CorreLog\wintools directory.

2. This file is read on Service Startup, and contains the name of the destination host, as well as other directives.

3. The file does not need to be modified, and comes ready-to-run. However, a user can tailor the file with directory names, match specifications, exclude specifications, and other parameters.

4. If the configuration file is manually modified directly on the system, the file is read only on service startup, which means the next time the agent starts there will be a large number of changes reported to CorreLog. The user should manually regenerate the Image File via the "CO-fmon.exe -generate" function.

5. The user specifies a directory folder, and the system recursively descends into all subdirectories, checking all files that match the "MatchPatt" and do not match the "ExclPatt".


6. The optional "RecursionDepth" can be used to limit the depth of the scan for a directory folder. If omitted, up to 50 levels of directories are scanned. To scan just the specified directory, specify a "RecursionDepth" of zero.

The best way to learn about the configuration items is to experiment with the file, adding directives, and then possibly running the CO-Fmon.exe program in foreground (using the "-foreground" option.) With this technique, a user can quickly target specific messages on the system.


Section 5: Remote Configuration

The behavior and operation of the CO-Fmon.exe program is completely driven by its single configuration file, residing in the same directory as the program with a ".cnf" suffix. This configuration file does not necessarily have to be modified or adapted for the enterprise. However, depending on the organizational requirements, it may be necessary to make changes to this file in order to receive particular messages of interest.

The user can manually edit this file, and restart the CO-Fmon.exe program (via the Windows "CorreLog File Integrity Monitor" service entry of the service manager.) This requires administrative access to the Windows platform that is hosting the CO-Fmon.exe program, and is the most secure way of implementing this service.

As a special facility, configuration files can also be remotely downloaded and uploaded to effect changes in an automated way. This requires various permissions and adaptations described in this section. Specifically, remote configuration capability is limited by the value of the "ListenAuthMode" directive within the CO-Fmon.cnf file, which controls and limits remote requests via the source address of the client, or via passkey, or both. The default "ListenAuthMode" setting is 3, which requires both a valid passkey and that the client be at the same IP address as the destination address.

Remote configuration capabilities of the CO-Fmon.exe program permit a high degree of flexibility, security, and maintainability of this program. This section will be of interest to system installers, administrators, and operations personnel.


Authentication Of Remote Configuration Requests

The CO-Fmon.exe program listens for remote configuration requests at TCP port 55515. This port number is included in the configuration file for the program, but cannot be easily changed. If this port is busy when the CO-Fmon.exe program starts, or if the "ListenPort" directive is commented out of the file, then no remote configuration is possible and this particular capability of the CO-Fmon.exe program is disabled. Three different modes of operation are possible, as determined by the "ListenAuthMode" setting of the configuration file:

• Auth Mode 0. Setting the ListenAuthMode to a value of "0" disables authentication of requests. This value should probably never be used except in those very special circumstances where the CO-Fmon.exe program is executing on a detached network where security is not a concern.

• Auth Mode 1. Setting the ListenAuthMode to a value of "1" causes authentication of remote configuration requests based upon the IP address of the requesting platform. If this auth mode is used, then any remote configuration request to the CO-Fmon.exe program that originates on a platform other than the localhost "127.0.0.1" address, or the value of the DestinationAddress directive, is rejected. The requesting program must be at the location that receives the Syslog messages, or on the localhost.

• Auth Mode 2. Setting the ListenAuthMode to a value of "2" causes authentication of remote configuration requests solely based upon the configured passkey. The value of the "ListenPassKey" value must agree precisely with the value passed to the "rfmconf.exe" program (discussed below) or the value configured at the CorreLog Server platform on the "System > Parms" screen. Initially, both of these passkey values are set to the keystring "Default", so no special configuration is required out-of-box.

• Auth Mode 3. Setting the ListenAuthMode to a value of "3" causes authentication of remote configuration requests to occur based both on the passkey (used in Auth Mode 2) and the source IP address (used in Auth Mode 1). This is the most secure way of managing the remote configuration process, and is the default out-of-box setting for the CO-Fmon.exe program.

The values of "DestinationAddress", "DestinationPort", "ListenAuthMode", "ListenPassKey" and "ListenPort" cannot be changed by the remote configuration process. Each of these values can be changed only by manually editing the CO-Fmon.exe configuration file. Attempts to modify any of these values are silently bypassed. This enhances security by ensuring that these values can be changed only by remotely logging into the host platform with an administrative login, editing the configuration file manually, and then restarting the CO-Fmon.exe program.
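An added Python model (not CorreLog's code) of the auth modes and the protected-directive rule just described: the rfmconf.exe request format is not documented here, so a request is represented as a source address, a passkey and a list of uploaded directives, and the constant-time passkey comparison is this example's defensive choice rather than documented agent behaviour.

```python
"""Model of ListenAuthMode 0-3 and of the directives a remote upload may not
change. Added example, not CorreLog's code. A configuration is an ordered list
of (directive, value) pairs so repeated entries (and 'last one wins') survive."""
import hmac

# Directives the manual says can never be changed by a remote upload.
PROTECTED = ("DestinationAddress", "DestinationPort", "ListenAuthMode",
             "ListenPassKey", "ListenPort")

def lookup(cfg, name, default=None):
    """Value of a directive; when repeated, the last entry in the file wins."""
    value = default
    for key, val in cfg:
        if key == name:
            value = val
    return value

def remote_config_enabled(cfg):
    """No ListenPort (commented out or removed) means no remote configuration."""
    return lookup(cfg, "ListenPort") is not None

def authorize(cfg, source_ip, passkey):
    """Apply the configured ListenAuthMode to one request; True lets it proceed."""
    if not remote_config_enabled(cfg):
        return False
    mode = int(lookup(cfg, "ListenAuthMode", "3"))      # manual's default is 3
    # Modes 1 and 3: only the Syslog destination host or the agent's own localhost.
    ip_ok = source_ip in ("127.0.0.1", lookup(cfg, "DestinationAddress"))
    # Modes 2 and 3: case-sensitive match against ListenPassKey ("Default" out of box).
    key_ok = hmac.compare_digest(passkey.encode(),
                                 lookup(cfg, "ListenPassKey", "Default").encode())
    if mode == 0:
        return True
    if mode == 1:
        return ip_ok
    if mode == 2:
        return key_ok
    if mode == 3:
        return ip_ok and key_ok
    raise ValueError(f"ListenAuthMode must be 0..3, got {mode}")

def apply_remote_upload(current, uploaded):
    """Merge an uploaded configuration: protected directives in the upload are
    silently bypassed and the host's existing values for them are kept."""
    kept = [(k, v) for k, v in current if k in PROTECTED]
    accepted = [(k, v) for k, v in uploaded if k not in PROTECTED]
    return kept + accepted

# Constructed configuration of an agent left in the default auth mode.
AGENT_CFG = [
    ("DestinationAddress", "192.0.2.10"),
    ("DestinationPort", "514"),
    ("ListenAuthMode", "3"),
    ("ListenPassKey", "Default"),
    ("ListenPort", "55515"),
    ("Schedule", "daily"),
    ("Directory", "C:/CorreLog"),
]

def scenario():
    """Outcomes for a few constructed requests against AGENT_CFG and two variants."""
    nat_cfg = [(k, "2" if k == "ListenAuthMode" else v) for k, v in AGENT_CFG]
    no_listen = [(k, v) for k, v in AGENT_CFG if k != "ListenPort"]
    return {
        "server_with_key": authorize(AGENT_CFG, "192.0.2.10", "Default"),
        "localhost_with_key": authorize(AGENT_CFG, "127.0.0.1", "Default"),
        "server_wrong_case_key": authorize(AGENT_CFG, "192.0.2.10", "default"),
        "other_host_with_key": authorize(AGENT_CFG, "198.51.100.7", "Default"),
        "nat_host_mode2": authorize(nat_cfg, "198.51.100.7", "Default"),
        "listenport_removed": authorize(no_listen, "192.0.2.10", "Default"),
    }
```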

PassKey Configuration

In some circumstances, the best (or only) type of authentication available will be with Auth Mode 2, which is "passkey" authentication. In particular, using a passkey as the sole authentication will be necessary on networks that are using NAT (Network Address Translation) or if the CorreLog Server is multi-homed, or if tunneling software is being used. In these cases, the destination address for Syslog messages may not be the same as the location of remote configuration requests, making the use of Auth Mode 1 or Auth Mode 3 difficult or impossible.

The passkey is simply a text string of 40 characters or less. The value is case-sensitive, but can contain any printable characters, including spaces. The value is passed as an argument to the "rfmconf.exe" program (discussed below) and also is configured in the CorreLog Server via the "System > Parms" tab. Because this value is "well-known", it is important to change this value across the enterprise when relying solely on passkey authentication. In general, for extra security, the "passkey" should be used to supplement the source IP address authentication. There is no "downside" to using passkey authentication other than making firewall issues slightly more complex to troubleshoot.

The passkey is not transmitted across the network in clear text. The value is encrypted, hence is secure from attack by network sniffers. However, the value is in clear text within the CO-Fmon.cnf file, hence this file should be protected from unauthorized access (such as by limiting access to the host machine.)

Remote Configuration Via The CorreLog Web Interface

The CorreLog web interface includes special screens to permit users to view the File Integrity Monitor status and configuration, and apply changes to the remote FMON Agent program. The user accesses this screen by first clicking on an IP address hyperlink anywhere within CorreLog, and then clicking "File Integrity Monitor". In particular, this screen is always two clicks away from any IP address reference on the system. By default, this screen is automatically enabled for any device that is running the standard Windows Agent program. (The screen is similar to the Windows Agent remote configuration screen, but is entirely separate from the Windows Agent screen, and does not interact with or affect settings of the Windows Agent program.)


The File Integrity Monitor Remote Configuration Editor screen is depicted below.

Note: To access the above screen, the user may first need to enable remote configuration of the File Integrity Monitor by accessing the "Device Information" screen for the host device. This is accomplished by clicking on the target device hyperlink (found in various locations within CorreLog, in particular in the "Messages > Device" tab.) On the "Device Information" screen, the user can click the "Edit Device Info" hyperlink, and set the values of "Enable Remote Config Editor" and "Enable File Integrity Monitor" to both be "Yes". Both settings are required to access the remote configuration editor depicted above. The top-level screen contains controls that permit viewing of the "Image" file, the list of last changes, as well as direct editing of the configuration file. The screen also provides a "Config" button that allows the user to edit the configuration parameters (discussed later in this section.)


"Current Status" Indicator

The "Remote Configuration Editor" screen includes a "Current Status" field at the upper right of the screen, which indicates the current status of the FIM program, either "Ready", or "Busy". This indicates whether the remote agent is busy scanning the remote file system. The indicator operates as follows:

• Ready. In a "Ready" state, the user can view file lists via the hyperlinks, and can modify parameters. Additionally, the user can create new image file or can run the check function.

• Busy. In a "Busy" state, the user cannot view file lists via the hyperlinks and cannot modify parameters, generate a new image file, or run the check function. When "Busy", the "Total File Count" will increment showing the progress of the remote file scan operation.

The amount of time spent in the "Busy" state is affected by the number of files being scanned, the schedule of files, and the "PollDelayMsec" setting (accessed via the "Config" button.) On most systems, the "Busy" state will last about one or two minutes each cycle. However, if the number of files being monitored is large, and the "PollDelayMsec" is set too high, the "Busy" state may persist for fifteen minutes or more. In this case, the user should consider reducing the number of files or the "PollDelayMsec" value, or should schedule the system to run once a day (as opposed to hourly.)

Remote Configuration Parameters

The user can click on the "Config" button of the top-level "File Integrity Monitor" screen to view and modify the various parameters of the remote agent. This screen allows the user to modify the execution schedule, severities of messages, and other parameters. The user can modify these parameters while the FMON Agent is running. Clicking the "Commit" button automatically commits changes to the remote FMON Agent and causes a new "Image File" to be created. As an alternative, the user can also directly edit the configuration file via the "Edit Remote Config" hyperlink on the top-level File Integrity Monitor screen shown previously. This permits the user to modify the basic parameters (discussed here) as well as any of the monitored directories, file match patterns, and file exclude patterns. The Remote Configuration Parameters screen is depicted below.


Note: The user can access the basic parameters of the FMON Agent via the "Config" button, but cannot modify any of the directory specifications, file match patterns, or file exclude patterns. Modification of the directory specifications (as well as all other parameters here) is accomplished only by clicking the "Directly Edit Remote Configuration File" hyperlink.

• Run File Integrity Check Now. This button causes a file integrity check to be immediately run by the agent. This is useful if the operator wishes to immediately see if any files have been added to the system (rather than waiting for the scheduled execution.)

• Create New File Image. This button causes a new image file to be immediately generated. All changes are reset, and future disk scans will compare the list of files to the new image file.

• Schedule Checks. This setting controls when file scans occur, corresponding to the "Schedule" directive in the configuration file. The user can set the value to be "hourly", "daily", "weekly", "monthly", or "disabled". The "disabled" setting disables all file checks.


• Schedule Delay (Secs). This setting permits a delay (in seconds) to be added to the "Scheduled Checks", corresponding to the "SchedDelaySecs" directive in the configuration file. The value can be used to load balance messages sent by various agent programs.

• File Added Severity. This setting controls the severity of messages when new files are added, corresponding to the "AddSeverity" directive in the configuration file. The user can set the value to be any severity, or can set the value to "disabled" to disable any reporting when files are added to the system.

• File Deleted Severity. This setting controls the severity of messages when files are deleted, corresponding to the "DeleteSeverity" directive in the configuration file. The user can set the value to be any severity, or can set the value to "disabled" to disable any reporting when files are deleted from the system.

• File Changed Severity. This setting controls the severity of messages when file changes are detected, corresponding to the "ChangeSeverity" directive in the configuration file. The user can set the value to be any severity, or can set the value to "disabled" to disable any reporting when files are changed.

• Use Checksum. This setting controls whether checksums are generated for each file, corresponding to the "UseChecksum" directive in the configuration file. Normally, file changes are detected by looking at the creation time, modify time, and file sizes. Setting this value to "True" performs an additional check by looking at a complex checksum of the file, useful for testing whether any single bit in the file has changed. This can increase CPU usage of the file monitor, and is disabled by default.

• Auto Generate Image File. This setting controls whether the Image File is automatically replaced after each scan, corresponding to the "AutoGenImage" directive in the configuration file. By default, the Image File is updated only on demand. Setting this value to "True" will cause only a single alert to be generated when a file is added, modified, or deleted from the system. Setting this value to "False" will cause an alert to be generated each time a check is run, until the image is manually updated by the operator.

• Poll Delay (Msec). This setting throttles the CPU time used by the FMON Agent. The value corresponds to the "PollDelayMsec" directive in the configuration file. The default value of 10 indicates the FMON Agent waits 10 milliseconds after polling each file. The number of files, multiplied by this value, indicates the minimum time necessary to run a complete scan of the system. For example, if there are 10,000 monitored files, and the PollDelayMsec value is 100 milliseconds, a scan will take at least 1000 seconds to complete. This means that the "Current Status" indicator may read "Busy" for at least 20 minutes each time a disk scan occurs.

Remote Configuration Via The Rfmconf.exe Utility

An alternative to remotely configuring the CO-Fmon.exe program via the CorreLog web interface is to use the "rfmconf.exe" program, which is included in the "system" folder of the main CorreLog Server. This utility permits the user to perform remote configuration at a command line, possibly within a batch file. The "rfmconf.exe" program accepts the following command line arguments:

rfmconf -download ipaddr filename

These command options download the remote configuration file from the specified IP address. The resulting configuration data is placed in the specified filename.

rfmconf -upload ipaddr filename

These command options upload the remote configuration file to the specified IP address. The data residing in the specified filename is uploaded.

rfmconf -generate ipaddr

These command options cause the system to immediately generate a new Image File, based upon the current configuration file. The program returns within one second with an "OK" indication or a "Busy" indication. If "Busy", then the FMON Agent is busy generating a new listing and the request is deferred.

rfmconf -diff ipaddr

These command options cause the system to immediately generate a new Status Change File, based upon the current configuration file, including the sending of any Syslog messages to the CorreLog Server. The program returns within one second with an "OK" indication or a "Busy" indication. If "Busy", then the FMON Agent is busy generating a new listing and the request is deferred.

rfmconf -getimg ipaddr

These command options cause the system to return with the image list, to standard output. This allows the remote user to inspect the contents of the FMON Agent Image File.


rfmconf -getdiff ipaddr

These command options cause the system to return with the change list, to standard output. This allows the remote user to inspect the results of the last comparison on the system, and determine which files have been added, removed, or changed.

rfmconf -status ipaddr

These command options cause the system to return with the current status of the FMON Agent, to standard output. These values are similar to the values depicted on the File Integrity Monitor screen, discussed previously.

Note that, if the ListenAuthMode of the CO-Fmon.exe process is set to a value of 1 or 3, the rfmconf.exe program can only be executed on the platform specified by the DestinationAddress. If the ListenAuthMode is set to 2 or 3, then the passkey must be correctly specified, otherwise it is ignored. The "rfmconf.exe" program is especially useful in performing batch configure operations, where the command is repeated multiple times within a Windows ".bat" file, needed to effect reconfiguration on many different platforms.
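The batch usage described above, driven from Python rather than a ".bat" file, as an added example that is not a CorreLog script: it builds the documented rfmconf command lines, uploads one configuration to a list of agents, and regenerates each Image File while honouring the "OK"/"Busy" reply. The install path in RFMCONF, the exact reply text, and the host addresses are assumptions; a constructed stand-in for rfmconf.exe lets the script run offline.

```python
"""Drive rfmconf.exe across many agents, honouring its OK/Busy reply.
Added example, not a CorreLog script. It assumes the utility prints "OK" or
"Busy" as this section describes and lives at RFMCONF; hosts are constructed."""
import subprocess
import time

RFMCONF = r"C:\CorreLog\system\rfmconf.exe"   # assumed install path
ACTIONS_WITH_FILE = ("download", "upload")
ACTIONS_NO_FILE = ("generate", "diff", "getimg", "getdiff", "status")

def rfmconf_argv(action, ipaddr, filename=None):
    """Build the command line for one of the documented rfmconf actions."""
    if action in ACTIONS_WITH_FILE:
        if filename is None:
            raise ValueError(f"-{action} needs a filename")
        return [RFMCONF, f"-{action}", ipaddr, filename]
    if action in ACTIONS_NO_FILE:
        return [RFMCONF, f"-{action}", ipaddr]
    raise ValueError(f"unknown rfmconf action {action!r}")

def run_rfmconf(argv):
    """Real runner: execute the utility and return its standard output."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

def generate_with_retry(ipaddr, runner=run_rfmconf, attempts=5, wait=30, sleep=time.sleep):
    """Issue -generate. A 'Busy' reply means the agent deferred the request
    (it is mid-scan), so poll again instead of assuming the image was rebuilt."""
    for _ in range(attempts):
        reply = runner(rfmconf_argv("generate", ipaddr))
        if "OK" in reply:
            return True
        if "Busy" not in reply:
            raise RuntimeError(f"{ipaddr}: unexpected reply {reply.strip()!r}")
        sleep(wait)
    return False

def push_config(hosts, filename, runner=run_rfmconf, sleep=time.sleep):
    """Upload one CO-Fmon.cnf to every host, then rebuild each Image File so the
    new directory list becomes the comparison baseline. Returns {ip: status}.
    Regenerating also clears pending changes, so review -getdiff first."""
    results = {}
    for ip in hosts:
        runner(rfmconf_argv("upload", ip, filename))
        ok = generate_with_retry(ip, runner, sleep=sleep)
        results[ip] = "regenerated" if ok else "still busy, retry later"
    return results

def make_fake_runner(replies):
    """Constructed stand-in for rfmconf.exe used for offline testing:
    replies[ip] is the queue of answers the agent gives to -generate."""
    def runner(argv):
        action, ip = argv[1], argv[2]
        return (replies[ip].pop(0) + "\n") if action == "-generate" else ""
    return runner

if __name__ == "__main__":
    fake = make_fake_runner({"10.0.0.5": ["Busy", "OK"], "10.0.0.6": ["OK"]})
    print(push_config(["10.0.0.5", "10.0.0.6"], "CO-Fmon.cnf", fake, sleep=lambda s: None))
```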

Other Security Features

Any attempt made to access the CO-Fmon.exe program without proper authenticated credentials causes the CO-Fmon.exe program to transmit a Syslog message to the destination address. The occurrence is also logged in the program error log (which resides in the same location as the executable, with a ".log" suffix.) The resulting Syslog message indicates the time of the error, and the client IP address. This can be used to monitor unauthorized access. Additionally, successful remote reconfiguration is also logged, providing an audit trail of changes to the remote configuration data. These messages cannot be disabled.

Section Summary And Additional Notes

1. The remote configuration capability of the CO-Fmon.exe program increases program maintainability by permitting administrators to access, modify, and upload configuration changes.

2. The CO-Fmon.exe program authenticates remote configuration requests by IP address, passkey or both. These values cannot be changed by the remote configuration process, but must be manually set in the configuration file.


3. The user can perform the remote configuration via the CorreLog web interface by first enabling remote configuration on the "Device Information" screen.

4. The user can execute remote configuration via the "rfmconf.exe" program, which is a command line utility program that can download, upload, and check remote configuration data.


Appendix A: The CO-Fmon.cnf File

This appendix provides an example of the CO-Fmon.cnf file, which is the central configuration file used by the CorreLog File Integrity Monitor service. An administrator or system developer can edit this file to specify the directories and parameters used by the File Integrity Monitor. The CO-Fmon.cnf file is documented in detail within Section 4 of this manual. As stated in that section, the configuration file does not necessarily EVER have to be modified by a user. The default configuration, created by the installation utility, is adequate for many (perhaps most) environments. However, if the user wishes to create a highly customized installation, targeting specific types of event log messages, that capability readily exists through the directives in the file. This file resides in the same directory as the CO-Fmon.exe. The file provided here is the default configuration that comes with the system.


# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# FMON - CorreLog File integrity Monitor, Configuration File.
# The following two items are the only items actually required.
# They are configured manually, or by the installation procedure,
# and are not affected by remote configuration operations.
DestinationAddress 192.168.1.100
DestinationPort 514
# The "ListenAuthMode" can take values as follows:
# 0=No Auth, 1=Source Address, 2=PassKey, 3=Address and Key.
ListenAuthMode 3
ListenPassKey Default
ListenPort 55515
# General Parameters
Schedule hourly
SchedDelaySecs 0
ChangeSeverity warning
AddSeverity notice
DeleteSeverity notice
AutoGenImage True
UseChecksum False
PollDelayMsec 1
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Directory Monitor parameters.
Directory %SystemRoot%/system32
MatchPatt *.exe
MatchPatt *.dll
MatchPatt *.bat
MatchPatt *.cmd
MatchPatt *.ini
ExclPatt temp
ExclPatt cache
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
Directory /correlog
MatchPatt *.exe
MatchPatt *.dll
MatchPatt *.bat
MatchPatt *.cmd
MatchPatt *.ini
ExclPatt temp
ExclPatt cache
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Up to 50 directories may be added.
# END OF FILE
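A parser and sanity checker for the CO-Fmon.cnf format shown above, covering the parameter rules from the Section 5 "Remote Configuration Parameters" list as well (added example, not CorreLog code): it reads the "Name value" directives, groups MatchPatt/ExclPatt lines under their Directory, flags a ListenAuthMode of 0 or a passkey still set to the shipped "Default", enforces the 50-directory limit, and computes the minimum scan time from PollDelayMsec. The full syslog severity list and the sample file are assumptions.

```python
"""Parse and sanity-check a CO-Fmon.cnf file (added example, not CorreLog code).
Directive names, legal values and the 50-directory limit come from this manual;
the full syslog severity list and the sample file are assumptions."""
SCHEDULES = {"hourly", "daily", "weekly", "monthly", "disabled"}
SEVERITIES = {"emergency", "alert", "critical", "error", "warning",
              "notice", "info", "debug", "disabled"}
MAX_DIRS = 50

SAMPLE_CNF = """\
# constructed sample, modelled on the default file in Appendix A
DestinationAddress 192.168.1.100
DestinationPort 514
ListenAuthMode 3
ListenPassKey Default
PollDelayMsec 100
Directory %SystemRoot%/system32
MatchPatt *.exe
Directory /correlog
"""

def parse_cnf(text):
    """Returns {'params': {name: value}, 'dirs': [{'path','match','excl'}, ...]}."""
    cfg = {"params": {}, "dirs": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):   # blank or comment line
            continue
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "Directory":
            cfg["dirs"].append({"path": value, "match": [], "excl": []})
        elif key in ("MatchPatt", "ExclPatt"):
            if not cfg["dirs"]:
                raise ValueError(f"line {lineno}: {key} before any Directory")
            cfg["dirs"][-1]["match" if key == "MatchPatt" else "excl"].append(value)
        else:
            cfg["params"][key] = value   # scalar directive; later copies win
    return cfg

def validate(cfg):
    """Return human-readable problems; an empty list means the file looks sane."""
    p, problems = cfg["params"], []
    for req in ("DestinationAddress", "DestinationPort"):
        if req not in p:
            problems.append(f"missing required directive {req}")
    mode = p.get("ListenAuthMode")
    if mode not in ("0", "1", "2", "3"):
        problems.append(f"ListenAuthMode {mode!r} is not one of 0-3")
    elif mode == "0":
        problems.append("ListenAuthMode 0: remote reconfiguration is unauthenticated")
    elif mode != "1" and p.get("ListenPassKey", "Default") == "Default":
        problems.append("ListenPassKey is unset or still the shipped value 'Default'")
    if p.get("Schedule", "hourly") not in SCHEDULES:
        problems.append(f"Schedule {p['Schedule']!r} is not a valid schedule")
    for name in ("AddSeverity", "DeleteSeverity", "ChangeSeverity"):
        if p.get(name, "notice") not in SEVERITIES:
            problems.append(f"{name} {p[name]!r} is not a syslog severity")
    if len(cfg["dirs"]) > MAX_DIRS:
        problems.append(f"{len(cfg['dirs'])} Directory entries exceed the limit of {MAX_DIRS}")
    problems += [f"Directory {d['path']} has no MatchPatt, so nothing is monitored"
                 for d in cfg["dirs"] if not d["match"]]
    return problems

def min_scan_seconds(cfg, file_count):
    """Lower bound from this manual: files x PollDelayMsec (10 ms assumed when unset)."""
    return file_count * int(cfg["params"].get("PollDelayMsec", "10")) / 1000
```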


Appendix B: The Report_FIM.bat File

This appendix provides an example of how to use the "REPORT_FIM.bat" file, which is a special utility included with CorreLog that can e-mail a user the list of file changes when the File Integrity Monitor detects errors. This batch file operates as a "Correlation > Action" program, and can be configured at any site when one or more File Monitor programs are installed on the network. When the REPORT_FIM.bat file is configured, a user receives an e-mail message if the File Integrity Monitor detects any changes, and this e-mail message includes the list of file changes. This function exists in addition to any e-mail related to tickets, and is a simple application that provides utility to the File Integrity Monitor described here.

Operational Overview

The REPORT_FIM.bat file is included in the "CorreLog/actions" folder of the system as a standard component. This file is configured by an operator via the "Correlation > Actions" screen. (Note that this screen configures programs that are executed when selected messages are received, which is an operation that is similar to but distinct from the "Ticket > Actions" of the system.) When the File Integrity Monitor executes, it generates a special error severity message when any changes are detected to the system. The REPORT_FIM.bat file is configured by the operator to execute when this special message is received. The script queries the remote File Integrity Monitor for a list of changes (using the "rfmconf.exe" program documented previously in this manual.) The REPORT_FIM.bat file then formats this list into an e-mail message and sends the message to the specified user.


The REPORT_FIM.bat file contains additional notes, in the form of program commentary, which may be useful to developers or administrators. See this file, located in the CorreLog/actions/REPORT_FIM.bat location of the system.

Configuration Procedure

First the user should configure the "System > SMTP" settings of the system, and verify that the system is correctly configured to send e-mail. This includes testing of the e-mail interface (via the "Test" button on the "System > SMTP" screen.) Once the SMTP server settings have been configured, the user clicks the "Correlation > Actions" tab, and then clicks "AddNew" to add a new action to the system. The settings for this program should be exactly as shown below.

Match Severity: GE ERROR

Match Expression: "CorreLog File Monitor"

Action Program Name: REPORT_FIM.bat

Action Program Arguments: (e-mail address)

Note that (1) the Match Expression should include double quotes to match the entire phrase, and (2) the Action Program Arguments should be the e-mail address that receives the File Integrity Monitor report. The user can apply additional qualifiers, such as a match address. After configuring the above items, the user can test the system by adding a new file to the system (such as a "TEST.EXE" file in the "system32" directory) and can run a new check of the system. This will generate a report showing the changes, including the addition of the new file.

Caveats

Usage of the script requires proper operation of the "system\rfmconf.exe" program, such as allowing access through any firewalls of the system. Generally, the user should verify that the CorreLog system actually has access to the file integrity monitor remote configuration functions by clicking on an IP address of a remotely executing File Integrity Monitor Agent. The user will continue to receive e-mail messages so long as the condition exists. To reduce the amount of e-mail, the user can (1) schedule the File Integrity Monitor to run less frequently (such as once a day); (2) correct the problem to eliminate the error; (3) manually generate a new image file; or (4) set the "Auto-Generate" image file setting to "True".


For Additional Help …

Detailed specifications regarding the CorreLog Server, add-on components, and resources are available from our corporate website. Test software may be downloaded for immediate evaluation. Additionally, we are pleased to support proof-of-concepts, and provide technology proposals and demonstrations on request. CorreLog, Inc., a privately held corporation, has produced software and framework components used successfully by hundreds of government and private operations worldwide. We deliver security information and event management (SIEM) software, combined with deep correlation functions, and advanced security solutions. CorreLog markets its solutions directly and through partners. We are committed to advancing and redefining the state-of-art of system management, using open and standards-based protocols and methods. Visit our website today for more information.

CorreLog, Inc. http://www.CorreLog.com mailto:[email protected]