Difference between revisions of "ASL file integrity manager"

From Atomicorp Wiki
Latest revision as of 16:50, 8 July 2016

Introduction

ASL has a built-in file integrity manager that alerts you when files it monitors change on your system. ASL does not use rkhunter for this.

Accessing

To access the ASL file integrity manager, follow this process:

Step 1) Log into the ASL web console

Step 2) Click on the ASL tab

Step 3) Scroll down to File Integrity and click on that option.

This will open the file integrity manager.

If any files that the system is configured to monitor have changed, they are displayed in this window under the "Files" tab.

Using

If ASL does not show any file integrity changes

This means that no watched file or directory has changed in a way ASL is configured to report: either nothing changed, or the changes that did occur (for example a file's inode changing) were ones ASL determined to be authorized and non-malicious.

Configuring

Step 1) Log into the ASL web console

Step 2) Click on the ASL tab

Step 3) Scroll down to File Integrity and click on that option.

This will open the file integrity manager.

Step 4) Click on the "Options" tab.

This will open the file integrity manager options page.

Global Options

Scan Timing

If you are using the ASL kernel, file integrity checks happen in real time and you do not need to configure this. If a watched file or directory changes, ASL will immediately alert you via email and the web console, unless you have limited the number of emails ASL is allowed to send per hour.

If you are not using the ASL kernel and your kernel does not support inotify, you will need to set the scan timing frequency, which is how often ASL checks your files for changes.

Frequency

This setting tells ASL, when the ASL kernel is not being used, how often to check for file changes. If you are using the ASL kernel, checks happen in real time and you do not need to set this.

This setting is in hours : minutes : seconds.

For example, to run the check every hour, set this to 1:0:0

Scan Day

You can also set a specific day for the scans to run, if you only wish to run them periodically. Again, if you are using the ASL kernel, checks happen in real time and you do not need to set this.

Scan Time

Optional setting: you can also set the specific time of day to run the checks. Again, if you are using the ASL kernel, checks happen in real time and you do not need to set this.


Scan Options

Auto-ignore frequently modified?

ASL can learn which files change regularly and stop notifying you about further changes to those files.

Alert on new file creation?

ASL can alert on new files that are created in watched directories.

Scan on startup?

This tells ASL to build its list of files to watch on startup. We do not recommend you disable this, as ASL will not be able to notify you of any changes to your files until it has completed its initial scan.

Directories

This window lists the directories, and optionally the files, that ASL has been configured to monitor.

Add a new rule

Watch

This tells ASL to watch a directory or file and to report the specific changes that have occurred to it. ASL reports the previous version of the changed portion of the file alongside the new version so you can compare them. ASL keeps copies of all changes to the files it is told to watch, and you can use this information to roll back changes and to inspect exactly what changed, rather than having to work out after the fact what happened to the file.

ASL will also report this information, if selected:

  • Sum
  • SHA1
  • MD5
  • Size
  • Owner
  • Group
  • Permissions


Notify

This tells ASL to notify you if a directory or file has changed. This does not report the specific content changes that occurred to the file or directory; it reports only which of the following attributes changed, if selected:

  • Sum
  • SHA1
  • MD5
  • Size
  • Owner
  • Group
  • Permissions

Ignore

This tells ASL to ignore a specific file or directory. This is useful if you want to ignore a file or files in a directory you otherwise want to monitor or notify.

Types of events

Real Time

This tells the file integrity management system to alert you in real time when a file changes, as opposed to occasionally scanning the system to see whether the file has changed. We recommend you always use Real Time.

All

Alert if any of the types of changes below occur.

Sum

Alert if the Sum checksum changes, which it will whenever the file's contents change. This is a low security, low effort check: a simple checksum is easy for an attacker to preserve deliberately, so it catches accidental changes better than careful tampering.

SHA1

Generate a SHA-1 hash for the file and alert if it changes. This is a high security, medium effort check, and the strongest of the content hashes offered here. Note that SHA-1 is no longer considered collision-resistant; for integrity monitoring this matters less, since altering an existing file without changing its hash would require a second preimage, which remains impractical, but it is a reason to prefer this check over MD5 or Sum rather than to rely on those.

MD5

Generate an MD5 hash for the file and alert if it changes. This is a low security, medium effort check: MD5 collisions are cheap to produce, so where you want a content hash, use SHA1 instead.

Size

Generate an alert if the size of the file changes. This is a low security, nearly zero effort check: an edit that keeps the file the same length (for example changing one setting's value to another of equal length) is not detected by this check alone.

Owner

Generate an alert if the owner of the file or directory changes. This is a medium security, nearly zero effort check.

Group

Generate an alert if the group ownership of the file or directory changes. This is a medium security, nearly zero effort check.

Perms

Generate an alert if the permissions of the file or directory change. This is a medium security, nearly zero effort check.

Report

For Watch rules, if a text-based file changes (for example a configuration file, a web application file or any other text file), ASL reports what changed in the file. If the file is not text-based, ASL records the change and stores either a diff of the file (just the changes) or a copy of the original and new file for examination.

Note: this can use up a lot of drive space if the watched directories see many changes, or changes to large files.

Restrict

This allows you to define a regular expression that limits which paths under the rule are monitored.
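The following is an added example, not ASL's own code, showing how the attribute checks listed under "Types of events", the Restrict regular expression and the text-diff Report fit together in a scan-based (not real time) checker. It baselines a directory, applies a regex to the relative path the way Restrict narrows a rule, then reports which checks fire after a same-size edit, a chmod and a newly created file. Assumptions: CRC32 stands in for the unspecified "Sum" checksum, the sample files are constructed here, and the file tree is a scratch directory created by the example itself.

```python
import hashlib
import os
import re
import shutil
import stat
import tempfile
import zlib
from difflib import unified_diff

# Attribute checks in the order the page lists them.
CHECKS = ("sum", "sha1", "md5", "size", "owner", "group", "perms")


def fingerprint(path):
    """Collect every attribute the event types cover for one file."""
    st = os.lstat(path)
    data = b""
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            data = fh.read()
    return {
        "sum": "%08x" % zlib.crc32(data),  # assumption: CRC32 as the cheap "Sum" check
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": st.st_size,
        "owner": st.st_uid,
        "group": st.st_gid,
        "perms": stat.S_IMODE(st.st_mode),
    }


def baseline(root, restrict=None):
    """Fingerprint every regular file below root. `restrict` is a regex matched
    against the path relative to root, the way the Restrict option narrows a rule."""
    pattern = re.compile(restrict) if restrict else None
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if pattern is None or pattern.search(rel):
                snapshot[rel] = fingerprint(full)
    return snapshot


def compare(old, new, events=("all",)):
    """Return {relative path: [what changed]} for files whose selected attributes
    differ. New and deleted files are always reported (new file creation alert)."""
    selected = set(CHECKS) if "all" in events else set(events)
    report = {}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report[rel] = ["created"]
        elif rel not in new:
            report[rel] = ["deleted"]
        else:
            changed = [c for c in CHECKS if c in selected and old[rel][c] != new[rel][c]]
            if changed:
                report[rel] = changed
    return report


def text_diff(old_bytes, new_bytes, name):
    """Watch-rule style Report: a unified diff when both versions are UTF-8 text,
    None for binary content (where you would keep old and new copies instead)."""
    try:
        old_lines = old_bytes.decode("utf-8").splitlines(keepends=True)
        new_lines = new_bytes.decode("utf-8").splitlines(keepends=True)
    except UnicodeDecodeError:
        return None
    return "".join(unified_diff(old_lines, new_lines, "a/" + name, "b/" + name))


def demo():
    """Constructed scenario: baseline a scratch tree, tamper with it, see which checks fire."""
    root = tempfile.mkdtemp()
    try:
        conf = os.path.join(root, "app.conf")
        script = os.path.join(root, "run.sh")
        with open(conf, "w") as fh:
            fh.write("debug=0\nadmin=no\n")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(script, 0o755)

        before = baseline(root)
        before_conf_only = baseline(root, restrict=r"\.conf$")
        with open(conf, "rb") as fh:
            old_conf = fh.read()

        # Tampering: same-size edit to the config, chmod on the script, a dropped file.
        with open(conf, "w") as fh:
            fh.write("debug=1\nadmin=no\n")
        os.chmod(script, 0o777)
        with open(os.path.join(root, "new.txt"), "w") as fh:
            fh.write("dropped\n")

        after = baseline(root)
        with open(conf, "rb") as fh:
            new_conf = fh.read()
        return {
            "all": compare(before, after),
            "size_only": compare(before, after, events=("size",)),
            "restricted": compare(before_conf_only, baseline(root, restrict=r"\.conf$")),
            "diff": text_diff(old_conf, new_conf, "app.conf"),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the trade-offs the ratings above describe: the same-size edit to app.conf trips Sum, SHA1 and MD5 but not Size, the chmod on run.sh trips only Perms, and with the Restrict regex `\.conf$` only app.conf is reported at all. The diff returned for app.conf is what a Watch rule's Report would show for a text file; for binary content `text_diff` returns None and you would fall back to keeping copies.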
