TestDrive

File Integrity Control / Monitoring Overview

This activity covers custom rules specific to FIM/FIC. For more information on custom rules, see Section 3.2.3.

File Integrity Monitoring

VMware Carbon Black App Control has the capabilities to perform File Integrity Monitoring and Control (FIM/FIC).

Consider an important file for which you wish to track access and changes. In this scenario we have included such a file, sales.xls, on the App Control device desktop. This is a file we wish to monitor, but not restrict changes to.

Before we test this scenario, let's take a look at the FIM rule that has been created within this App Control Server.

  • Log in to the App Control console. For information on accessing the console see Section 1.2.
  • From the top menu, click 'Rules' to expand available options, then select 'Software Rules' from the dropdown

 

Software Rules Menu

Sales FIM Rule

  • On the Software Rules page, click the 'Custom' tab to view custom rules
  • View the FIM - sales.xls rule

This rule will report any changes (writes, deletes, renames, etc.) to the sales.xls document. After testing this rule we will view the generated event reports in the App Control console.

Sales xls

Let's now make a change to the sales.xls document.

  • Open the sales.xls spreadsheet document
  • Edit a cell (or cells) and save the file

Events

Now that we have made a change to our monitored document, let's view the report in the App Control console.

  • In the App Control console, click the 'Reports' tab from the top menu to expand options, then select 'Events'

The Events page shows all recorded events App Control collects, including blocks, files executed, actions by console admins, and more. This data can be searched and filtered to find relevant information, and any search can be saved for future reuse (Saved Views).

Events FIM

In this lab we've created a saved view for the FIM use case called 'FIM by User'. This view looks for the custom rule report on the sales.xls file, and also groups events by editing user (within the last day).

  • Select the 'FIM by User' view to view file change events
  • Expand your username to view the event related to the change (or changes) you made to sales.xls

Dashboard List

Another way to visualize events (and see reports from our custom rule) is in a Dashboard. App Control admins can create and customize dashboards, share them across console members, and even add them to the home page. A dashboard consists of a series of portlets, each of which provides summary information or controls that can help you manage the security of your computers and the files on them.

In this lab we have already created a dashboard for our sales.xls FIM use case.

  • In the App Control console, from the top menu, click the 'Reports' tab to expand options then select 'Dashboards'
  • On the dashboard page, click the dashboard name 'FIM Sales .xls' to view

FIM Chart

As with the rest of the App Control solution, dashboards offer admins a great deal of flexibility. Dashboards can combine multiple portlets, all of which can be customized by chart type, filtered by certain data, and much more. If this were a very valuable chart that admins were constantly checking, it might be useful to add it to our home page.

File Integrity Control

Software Rules Menu

In the previous section we completed an activity on a monitored file that reports changes. What if we want to control changes and prevent users from editing a specific document or documents? We can use another custom rule, a File Integrity Control rule, which this time blocks changes.

In this scenario we have included such a file, salary.xls, on the App Control device desktop. This file is one we wish to restrict changes to - we don't want any user to be able to change important company salary data!

Before attempting to change our protected file, let's view the corresponding FIC rule in the App Control console.

FIC Rule

  • On the Software Rules page, click the 'Custom' tab to view custom rules
  • View the FIC - salary.xls rule

This rule will restrict any changes (writes, deletes, renames, etc.) to the salary.xls document.

AC Notification FIC

Let's now attempt to make a change to the salary.xls document.

  • Open the salary.xls spreadsheet document
  • Edit a cell (or cells) and save the file
  • You will receive a notification from App Control that this has been blocked. Once the notifications have appeared, click okay to dismiss them

FIC View

Now that we have attempted to modify our controlled document, let's view the report in the App Control console.

  • In the App Control console, click the 'Reports' tab from the top menu to expand options, then select 'Events'

In this lab we've created a saved view for the FIC use case called 'FIC by User'. This view looks for the custom rule report on the salary.xls file, and also groups events by editing user (within the last day).

  • Select the 'FIC by User' view to view file change events
  • Expand your username to view the event related to the attempted change (or changes) you made to salary.xls
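
The 'FIM by User' and 'FIC by User' saved views described above each filter on one custom rule, limit results to the last day, and group events by user. The same triage logic is shown below as an added example that is not part of the original lab or of App Control itself; the event records are constructed and their field names are hypothetical, not App Control's export schema (only the two rule names come from the lab).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. Field names and values are hypothetical and
# are NOT App Control's export schema; only the rule names come from the lab.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"time": "2024-05-02T09:15:00+00:00", "user": "LAB\\alice",
     "rule": "FIM - sales.xls", "op": "write", "action": "report"},
    {"time": "2024-05-02T09:20:00+00:00", "user": "LAB\\alice",
     "rule": "FIM - sales.xls", "op": "rename", "action": "report"},
    {"time": "2024-04-30T10:00:00+00:00", "user": "LAB\\bob",
     "rule": "FIM - sales.xls", "op": "write", "action": "report"},
    {"time": "2024-05-02T10:05:00+00:00", "user": "LAB\\bob",
     "rule": "FIC - salary.xls", "op": "write", "action": "block"},
    {"time": "2024-05-01T13:00:00+00:00", "user": "LAB\\alice",
     "rule": "FIC - salary.xls", "op": "delete", "action": "block"},
]


def view_by_user(events, rule_name, now, window=timedelta(days=1)):
    """Events raised by one custom rule inside the window, grouped by user."""
    grouped = defaultdict(list)
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if ev["rule"] != rule_name or not (now - window <= when <= now):
            continue
        grouped[ev["user"]].append((when, ev["op"], ev["action"]))
    # Sort users and each user's events so the output is stable.
    return {user: sorted(rows) for user, rows in sorted(grouped.items())}


def not_blocked(events, rule_name):
    """Events from a rule meant to block that were not blocked (should be empty)."""
    return [ev for ev in events
            if ev["rule"] == rule_name and ev["action"] != "block"]


if __name__ == "__main__":
    for rule in ("FIM - sales.xls", "FIC - salary.xls"):
        print(rule)
        for user, rows in view_by_user(EVENTS, rule, NOW).items():
            print(f"  {user}: {len(rows)} event(s)")
            for when, op, action in rows:
                print(f"    {when:%Y-%m-%d %H:%M} {op:<7} {action}")
    print("FIC gaps:", not_blocked(EVENTS, "FIC - salary.xls"))
```

A non-empty result from `not_blocked` for the FIC rule would mean a change to the protected file was recorded without being blocked, which is worth checking against how the rule is configured.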