File integrity monitoring (FIM) is a security control that detects potentially unauthorized change events to your operating system and application files. Alert Logic FIM capabilities support PCI DSS requirements 10.5.5 and 11.5 and provide additional context as you investigate potential attacks or compromised assets. The following information will help guide you to satisfying the compliance requirements for PCI DSS 10.5.5 and 11.5 with our FIM capabilities.
Note: Security best practices and frameworks like NIST SP 800-53 are also an excellent way to ensure you have proper security controls in place. FIM is listed in Control # SI-7 (7) & (8) of NIST SP 800-53. Alert Logic FIM capabilities are only available in the Managed Detection & Response platform.
PCI DSS Requirements 10.5.5 and 11.5
The information in this article will support you in setting up a FIM policy that includes monitoring paths and reporting to achieve the following PCI DSS FIM requirements:
- PCI Requirement 10.5.5: Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts.
- PCI Requirement 11.5: Deploy a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, content files, and configure the software to perform critical file comparisons at least weekly.
Your Requirements
You must have Managed Detection & Response Professional or Enterprise entitlements to utilize FIM.
In order to effectively set up FIM deployments to comply with PCI DSS requirements 10.5.5 and 11.5, you will need to identify what servers are in scope for PCI within the deployments you have configured in the Alert Logic console. We also recommend you make a list of the file paths you need monitored, as well as those that you will want excluded from monitoring.
While Alert Logic provides 42 pre-approved monitoring paths, you can customize file paths down to the file type or file name. By default, when FIM is turned on, it will monitor all assets within a deployment; however, you can choose to specify only some hosts, subnets, VPCs, etc. to apply FIM to within the deployment.
After you have completed these pre-deployment activities, log in to the Alert Logic console and navigate to the File Integrity Monitoring dashboard.
Navigating the File Integrity Monitoring Dashboard
The File Integrity Monitoring dashboard, found within the Alert Logic console at Dashboards > File Integrity Monitoring, provides an at-a-glance view of your FIM deployments. Aside from the File Path Monitoring Status and Monitored File Types widgets, each widget is time-bound based on your selection of the last 7, 14, 30-day, or custom date range up to 90 days. Using the time-based ranges will help you identify your top deployments that are generating the most file change events based on file path. The File Integrity Monitoring dashboard also provides a snapshot of the number of files being created, modified, and deleted in the time range you select. We recommend you utilize this dashboard as your starting point when assessing and managing FIM capabilities.
Troubleshooting
If you ever need to troubleshoot FIM-related issues, Alert Logic recommends you start with the Top File Paths widget in the File Integrity Monitoring dashboard. Here, you can quickly identify the deployments you have enabled for FIM and the quantity of events being generated; noisy files or file paths may be good candidates for tuning with exclusions. You can often identify a noisy deployment's exact server using the Top FIM Event Systems widget.
If you see a spike in Delete numbers within the FIM Event Action Trends widget that you weren't expecting, we recommend you access the FIM Event Actions widget and click GET ALL EVENTS. This will download all FIM events from the initial configuration to present day in a CSV file, with which you can determine what deployment, server, or files were deleted.
Configuring Monitoring
When configuring file integrity monitoring, you must select which deployment in your environment you want to apply FIM to. FIM can be applied to all deployment types with an Alert Logic agent: Microsoft Azure, Amazon Web Services, Google Cloud Platform, and on-premises. For full configuration steps, see our Configure File Integrity Monitoring documentation.
Note: Once you enable and configure FIM for a deployment, it will be applied to all assets within that deployment. If you only want to apply FIM to a specific host, group of hosts, VPC, subnet, etc., see the Configuring Custom File Paths section below.
Enabling Pre-Populated Directory Paths
Alert Logic offers 42 pre-populated directory paths across GNU/Linux, Windows File, and Windows Registry file types within the Alert Logic console at Configure > Deployments > the deployment you are enabling FIM on > File Integrity Monitoring > Monitoring. You can choose to enable all 42 directory paths or only those that your organization identifies as helpful in achieving PCI DSS.
If you choose to turn on monitoring for all pre-populated directory paths in a file type seen on the Monitoring page, check the empty box next to the file type's name, above its list of directory paths, and slide the Monitor toggle that appears in the blue pop-up at the bottom of the page to the right.
Available Pre-Populated Directory Paths
GNU/Linux
- /bin
- /boot
- /etc
- /sbin
- /usr/bin
- /usr/local/bin
- /usr/local/sbin
- /usr/sbin
- /usr/my_custom_filepath
- /usr/share/keyrings
Windows File
- C:\autoexec.bat
- C:\boot.ini
- C:\config.sys
- C:\Program Files\Microsoft Security Client\msseces.exe
- C:\Program Files\My Custom App\customapp.exe
- C:\Windows\explorer.exe
- C:\Windows\regedit.exe
- C:\Windows\system.ini
- C:\Windows\System32
- C:\Windows\win.ini
Windows Registry
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies\Custom</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
- <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
Configuring Custom File Paths
Aside from the pre-populated paths Alert Logic provides, you can also configure custom file paths. This can be achieved in a few ways within the Add File Integrity Monitoring page, found at Configure > Deployments > the deployment you are configuring FIM on > File Integrity Monitoring > Monitoring > Add:
- Add your own base file path that will recursively monitor anything created, modified, or deleted in that directory path.
- Explicitly choose what you want monitored, down to the exact file or file type. For example, base path /texas has several files, one of which is houston.pdf, and you can choose to only see file change events for houston.pdf.
- Configure a wildcard like *.pdf that would cover anything with a .pdf extension. You can add delimiters for multiple wildcard file types in the same base path - *.tab | *.dat | *.pdf | *.tmp.
Editing Asset Scopes
While creating your custom file path within the Add File Integrity Monitoring page, you can apply it to a specific region, subnet, VPC, host, or tags with the Asset Scoping field if you do not want your monitoring configuration applied to the entire deployment.
Note: If you leave all the fields blank in the Add File Integrity Monitoring page and click Save, the monitoring you've set up will apply to every asset in the deployment with an Alert Logic agent.
Enabling Monitoring
Alert Logic recommends you do not enable monitoring until you have completed configuring all desired custom file paths. When you have completed configuring your policy, access the Monitoring page and flip the toggle to Monitor for all applicable files and file paths. If you are turning on monitoring for all file paths, you can make a bulk change by checking the blank box to the left of the All File Types drop-down and moving the toggle in the pop-up at the bottom to Monitor.
Note: You can create up to 1,000 custom paths on one deployment.
Configuring Exclusions
Directories and file types you do not want monitored can be tuned with the use of exclusions in the Alert Logic console. This feature is found at Configure > Deployments > the deployment whose FIM monitoring you want tuned > File Integrity Monitoring > Exclusions.
Exclusion example: You have a database file that keeps track of your pen and pencil inventory. This is not a critical file for you, and you do not want to be alerted if someone modifies this file.
There are no pre-populated paths for exclusions, so you must configure all desired exclusions. This can be achieved in a few ways within the Add File Integrity Exclusion page, which can be accessed by clicking the Add icon on the Exclusions page:
- Add your own base file path that will recursively not monitor anything created, modified, or deleted in that directory path.
- Explicitly choose what you want excluded, down to the exact file or file type. For example, under the base path /do/not/monitor you can exclude the file penandpencil.dbf, and alerts would not be generated for penandpencil.dbf.
- Configure a wildcard like *.pdf that would exclude anything with a .pdf extension. You can add delimiters for multiple wildcard file types in the same base path - *.tab | *.dat | *.pdf | *.tmp.
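The monitoring and exclusion rules described above can be checked against your list of critical files before you enable them. The following is an added example, not Alert Logic code: it approximates the matching locally for Linux-style paths, and it assumes that exclusions take precedence over monitoring rules and that wildcards match the file name case-sensitively. The rule lists and function names are hypothetical.

```python
import fnmatch
from pathlib import PurePosixPath

def parse_patterns(spec):
    """Split a pattern field such as '*.tab | *.dat' on the | delimiter."""
    return [p.strip() for p in spec.split("|") if p.strip()]

def rule_matches(path, base, spec=""):
    """True if path is the base path or lies anywhere beneath it and its
    file name matches spec. An empty spec covers the whole base path."""
    p, b = PurePosixPath(path), PurePosixPath(base)
    if p != b and b not in p.parents:  # component-wise: /etc does not cover /etcetera
        return False
    patterns = parse_patterns(spec)
    return not patterns or any(fnmatch.fnmatchcase(p.name, pat) for pat in patterns)

def is_monitored(path, monitor_rules, exclusion_rules):
    """Assumption: a matching exclusion overrides any matching monitoring rule."""
    if any(rule_matches(path, base, spec) for base, spec in exclusion_rules):
        return False
    return any(rule_matches(path, base, spec) for base, spec in monitor_rules)

# Constructed rule set of (base path, file name or wildcard spec),
# reusing the sample names from this article.
MONITOR = [("/etc", ""), ("/texas", "houston.pdf"), ("/do", ""),
           ("/data", "*.tab | *.dat | *.pdf | *.tmp")]
EXCLUDE = [("/do/not/monitor", "penandpencil.dbf"), ("/data/scratch", "")]

def unmonitored(paths):
    """Return the entries of a critical-file list that no rule would cover."""
    return [p for p in paths if not is_monitored(p, MONITOR, EXCLUDE)]

if __name__ == "__main__":
    critical = ["/etc/passwd", "/texas/austin.pdf", "/data/export/q1.dat",
                "/data/scratch/job.tmp", "/do/not/monitor/ledger.dbf"]
    for path in unmonitored(critical):
        print("NOT MONITORED:", path)
```

Reviewing the unmonitored list before saving an exclusion shows whether a broad base-path exclusion would silently remove a file you need for PCI DSS 11.5.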
Editing Asset Exclusions
While creating your custom exclusion within the Add File Integrity Exclusion page, you can apply it to a specific region, subnet, VPC, host, or tag with the Asset Exclusions field if you do not want your monitoring exclusion applied to the entire deployment.
Note: If you leave all the fields blank in the Add File Integrity Exclusion page and click Save, the exclusion you have set up will apply to every asset in the deployment with an Alert Logic agent.
Utilizing Duplication
You can quickly duplicate monitored and excluded files, which can be helpful when adding more explicit file names. This feature - found at either Monitoring or Exclusions > View a file > Duplicate - only applies to files with the File Name or Path field populated.
Duplicate example: You can duplicate file houston.pdf and change its name to austin.pdf. Once you save this change, you will be monitoring both houston.pdf and austin.pdf.
Configuring Reporting
You can schedule reports to be emailed to you or a group of individuals within your organization to review at a regular cadence. Reports can be scheduled daily, weekly, or monthly and will generate all file changes to your FIM deployment policy. This is important regardless of whether you are working with a Qualified Security Assessor or doing a PCI DSS self-assessment.
To configure a report in the Alert Logic console, navigate to Manage > Notifications > Schedules > Add > Schedule a FIM Search. The PCI standard recommends you receive reports weekly, but Alert Logic suggests you receive them daily so you can react more quickly to any malicious or unauthorized activity. You will also have less material to review if you receive reports daily, which can save time. We also recommend you check the boxes for Attach CSV File and Receive a notification even if the scheduled search yields no results. The latter allows you to prove that you are running a report on this data, even if that report offers no results.
When a file integrity monitoring search is generated, you will receive an email containing a CSV attachment that can be downloaded. You can also select View Results in the email, and you'll be directed to the Alert Logic console to download the report.
Note: If a CSV file is larger than 10 MB, Alert Logic will only provide a link to the results via the Alert Logic console.
The CSV output created from your report will provide you with information on any file changes, including, but not limited to, time stamp, host name, file path, event type, SHA1 hash, and deployment.
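The CSV from a scheduled report, or from GET ALL EVENTS when investigating a delete spike as described under Troubleshooting, can be triaged with a short script. This is an added example, not Alert Logic code: the column names, the event type values, and the sample rows are assumptions constructed for illustration, so adjust them to the header of your actual export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows; column names and event_type values are assumed,
# and the SHA1 values are shortened placeholders.
SAMPLE_CSV = """timestamp,host_name,file_path,event_type,sha1,deployment
2024-03-04T02:10:00Z,web-01,/etc/ssh/sshd_config,modified,aa11,aws-prod
2024-03-05T02:12:00Z,web-01,/etc/ssh/sshd_config,modified,bb22,aws-prod
2024-03-05T09:00:00Z,db-01,/usr/local/bin/backup.sh,created,cc33,aws-prod
2024-03-06T01:00:00Z,db-01,/usr/local/bin/backup.sh,deleted,,aws-prod
2024-03-06T01:00:05Z,db-01,/usr/local/bin/rotate.sh,deleted,,aws-prod
2024-03-06T03:30:00Z,app-01,/etc/hosts,modified,dd44,azure-dev
2024-03-07T03:30:00Z,app-01,/etc/hosts,modified,dd44,azure-dev
2024-03-07T04:00:00Z,app-01,/bin/ls,deleted,,azure-dev
"""

def load_events(text):
    """Parse the report CSV into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def is_delete(event):
    return event["event_type"].strip().lower().startswith("delet")

def deletes_by_host(events):
    """Count delete events per (deployment, host) to locate an unexpected spike."""
    return Counter((e["deployment"], e["host_name"]) for e in events if is_delete(e))

def deleted_paths(events, deployment, host):
    """List the files deleted on one host, for follow-up with its owner."""
    return sorted(e["file_path"] for e in events
                  if is_delete(e) and (e["deployment"], e["host_name"]) == (deployment, host))

def content_changes(events):
    """Return {(host, path): [sha1, ...]} for files whose SHA1 differs between
    events, which separates real content changes from repeated identical writes."""
    history = defaultdict(list)
    for e in sorted(events, key=lambda e: e["timestamp"]):  # ISO 8601 sorts as text
        if e["sha1"]:
            history[(e["host_name"], e["file_path"])].append(e["sha1"])
    return {k: v for k, v in history.items() if len(set(v)) > 1}

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    (deployment, host), count = deletes_by_host(events).most_common(1)[0]
    print(f"most deletes: {host} in {deployment} ({count})")
    print(deleted_paths(events, deployment, host))
    print(content_changes(events))
```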