File Integrity Monitoring

Alert Logic offers File Integrity Monitoring, which lets you monitor changes to files and directories on assets associated with your Alert Logic deployments, from the Alert Logic console. You can configure monitoring or exclusions for specific file paths or entire directories on your Windows and Linux systems.

File Integrity Monitoring allows you to be aware of file changes and related details in your deployment. The following are examples of what you can monitor:

  • When a file was created and last modified
  • Unauthorized access to specific files
  • Security permission changes, such as newly added permissions, deleted permissions and changes to existing permissions
  • Registry changes, such as changed registry values and removed registry keys and subkeys
  • Changes in system binaries and configuration files, and new processes

After you set up File Integrity Monitoring, you can schedule a weekly or monthly search for the changes detected by your File Integrity Monitoring setups, and be notified when the search is complete. This helps you keep records of changes to your systems for compliance requirements.

You can also view the File Integrity Monitoring dashboard for a summary of your file monitoring activity.

To access the File Integrity Monitoring page, click the menu icon from the Dashboards page. Click Configure, and then click the deployment for which you want to configure file monitoring. On the left navigation panel, click File Integrity Monitoring.

File Integrity Monitoring is composed of two subsections: Monitoring and Exclusions. On the Monitoring page, you can set up files and directories for monitoring from the default file types listed on the page. On the Exclusions page, you can exclude files and directories from monitoring; an exclusion overrides a previously configured file monitoring setup that covers the same path.

Monitoring page

On the Monitoring page, you can configure monitoring for the default files and directories. You must scope the assets that you want monitored for each file or directory path. You do not need to edit or remove the default file paths. After you have applied the asset scoping to a file path, you must enable each file path individually to start monitoring.

Default directories and files

Alert Logic can monitor all default directories and files listed below for GNU/Linux files, Windows files, and Windows Registry. Click the All File Types drop-down menu to select a file type for the default directories and files you want to view.

Add a File Integrity Monitoring setup

There are two ways to add a File Integrity Monitoring setup: click the add icon, or find the default file or directory that you want to monitor in the list. After you have filled out all required fields and scoped your assets, you must turn on Monitor.

To add a File Integrity Monitoring setup from the add icon:

  1. Click the add icon.
  2. In the Select File Type drop-down list, select a file type.
  3. In the Base Directory Path field, enter the file path that you want to monitor.
  4. In the Pattern field, enter the pattern of the files that you want to monitor.
  5. Select Monitor to enable monitoring for this file or directory.
  6. In the Add or Remove Assets section, click the Search assets bar, enter the names of the assets you want to monitor, and then select the assets to add from the populated options.
  7. Click SAVE.
  8. Ensure Monitor is turned on for the file you just scoped.

To add a File Integrity Monitoring setup from the list:

  1. Click the All File Types drop-down list, and then select a file type to filter the list to its default files and directories.
  2. Find the file path you want to scope assets for monitoring.
  3. Click View, and then click the edit icon.
  4. Ensure Monitor is selected to enable monitoring for this file or directory.
  5. In the Add or Remove Assets section, click the Search assets bar, enter the names of the assets you want to monitor, and then select the assets to add from the populated options.
  6. Click SAVE.
  7. Ensure Monitor is turned on for the file you just scoped.

Duplicate an existing File Integrity Monitoring setup

You can use the duplicate feature if you want to copy an existing File Integrity Monitoring setup and only make changes to the asset scoping section.

To duplicate an existing File Integrity Monitoring setup:

  1. Click View, and then click the duplicate icon for the file path or directory you want to copy.
  2. Ensure Monitor is selected to enable monitoring for this file or directory.
  3. Make the necessary changes to the asset scoping.
  4. Click SAVE.
  5. Ensure Monitor is turned on for the file you just scoped.

Edit an existing File Integrity Monitoring setup

To edit an existing File Integrity Monitoring setup:

  1. Click View, and then click the edit icon for the file path you want to edit.
  2. Ensure Monitor is selected to enable monitoring for this file or directory.
  3. Make the necessary changes to the asset scoping.
  4. Click SAVE.
  5. Ensure Monitor is turned on for the file you just scoped.

Bulk edit multiple file paths

You can bulk edit multiple file paths at once to add or remove assets in scope, or replace assets in scope with other assets.

To bulk edit multiple file paths:

  1. Click the All File Types drop-down list, and then select a file type to filter the list to its default files and directories.
  2. Select the check box to bulk select all the files in that file type.
  3. At the bottom of the page, click the scope icon.
  4. Under Selected File Paths, you can remove file paths that you do not want to edit. Use the search bar to find the file paths you want to remove, and then click the remove icon.
  5. In the Asset Scoping section, select Add more assets to add more assets to monitor, or select Replace existing assets with a new asset scope to remove your existing assets in scope and replace with other assets.
  6. Click the Search assets bar, enter the names of the assets you want to monitor, and then select the assets to add from the populated options.
  7. Click SAVE.
  8. Ensure Monitor is turned on.

Exclusions page

On the Exclusions page, you can add file paths or directories that you want to exclude from monitoring. Your file path and directory exclusions are listed on this page.

The exclusions you configure override files that are currently being monitored. This allows you to exclude specific files or sub-directories from an entire directory that you previously configured for monitoring.

To access the Exclusions page, you can click NEXT from the Monitoring page, or click Exclusions on the left navigation panel.

To add an exclusion:

  1. Click the add icon.
  2. In the Select File Type drop-down list, select a file type.
  3. In the Base Directory Path field, enter the file path that you want to exclude.
  4. In the Pattern field, enter the pattern of the files that you want to exclude.
  5. In the Add or Remove Assets section, click the Search assets bar, enter the names of the assets the exclusion should apply to, and then select the assets from the populated options.
  6. Click SAVE.
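The following Python script is an added illustration of the behaviour described on this page; it is not Alert Logic code and does not talk to the Alert Logic console. It models a Monitoring entry and an Exclusions entry as the same shape (base directory, pattern, scoped assets, Monitor toggle), takes a hash-and-permissions baseline of the monitored files, and reports created, deleted, modified and permission-changed files the way a file monitoring report would. Two assumptions are built in: the Pattern field is treated as a shell-style glob matched against the path relative to the base directory, and an exclusion that matches a path wins over any monitoring entry. The hostname, directory layout and file contents are constructed for the demo; Windows Registry monitoring is outside what this example covers.

```python
"""Toy file-integrity model: include/exclude rules, baseline, diff.

Added illustration, not Alert Logic code. Assumption: a Pattern is a
shell-style glob matched against the path relative to Base Directory Path.
"""
import fnmatch
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass(frozen=True)
class Rule:
    """One Monitoring or Exclusions entry: base dir, glob, scoped asset names."""
    base_dir: str
    pattern: str
    assets: frozenset = field(default_factory=frozenset)
    monitor: bool = True            # the Monitor toggle (ignored for exclusions)


def _matches(rule: Rule, path: Path, asset: str) -> bool:
    """True when the rule is scoped to this asset and its glob covers the path."""
    if asset not in rule.assets:
        return False
    try:
        rel = path.resolve().relative_to(Path(rule.base_dir).resolve())
    except ValueError:                  # path lies outside the base directory
        return False
    return fnmatch.fnmatch(rel.as_posix(), rule.pattern)


def is_monitored(path, asset, monitoring, exclusions) -> bool:
    """A matching exclusion overrides every monitoring entry (assumed semantics)."""
    p = Path(path)
    if any(_matches(x, p, asset) for x in exclusions):
        return False
    return any(r.monitor and _matches(r, p, asset) for r in monitoring)


def snapshot(root, asset, monitoring, exclusions) -> dict:
    """Baseline: sha256 digest and permission bits of every monitored file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if not is_monitored(p, asset, monitoring, exclusions):
                continue
            out[str(p)] = (hashlib.sha256(p.read_bytes()).hexdigest(),
                           stat.S_IMODE(p.stat().st_mode))
    return out


def diff(before: dict, after: dict) -> list:
    """Classify changes between two baselines: created, deleted, modified, permissions."""
    events = []
    for p in sorted(set(before) | set(after)):
        if p not in before:
            events.append(("created", p))
        elif p not in after:
            events.append(("deleted", p))
        else:
            (h0, m0), (h1, m1) = before[p], after[p]
            if h0 != h1:
                events.append(("modified", p))
            if m0 != m1:                # content unchanged but mode bits differ
                events.append(("permissions", p))
    return events


def demo() -> list:
    """Constructed scenario: monitor an etc-like tree, exclude a noisy subdirectory."""
    root = tempfile.mkdtemp()
    etc = Path(root, "etc")
    (etc / "cron.d").mkdir(parents=True)
    (etc / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
    (etc / "cron.d" / "job").write_text("* * * * * root /bin/true\n")
    (etc / "motd.tmp").write_text("scratch\n")
    host = "web-01"                                   # hypothetical asset name
    monitoring = [Rule(str(etc), "*", frozenset({host}))]          # whole directory
    exclusions = [Rule(str(etc), "*.tmp", frozenset({host})),      # temp files
                  Rule(str(etc / "cron.d"), "*", frozenset({host}))]  # noisy subdir
    before = snapshot(root, host, monitoring, exclusions)
    # Simulated tampering: extra account, world-writable passwd, preload hook.
    (etc / "passwd").write_text("root:x:0:0::/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")
    os.chmod(etc / "passwd", 0o666)
    (etc / "ld.so.preload").write_text("/tmp/evil.so\n")
    (etc / "cron.d" / "job").write_text("* * * * * root /tmp/evil\n")  # excluded
    after = snapshot(root, host, monitoring, exclusions)
    return [(kind, Path(p).name) for kind, p in diff(before, after)]


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:12} {name}")
```

Note that the edited file under cron.d never shows up in the report because the exclusion for that subdirectory overrides the directory-wide monitoring entry, which is the behaviour to keep in mind when excluding a subdirectory: changes there are invisible, so exclude only paths you genuinely do not need to track.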