Installing the FIM Add-on for PCF

This topic describes how to install File Integrity Monitoring Add-on for PCF (FIM Add-on) on your Pivotal Cloud Foundry (PCF) deployment.

Prerequisites

Note: FIM Add-on for PCF does not work on Windows.

To complete the FIM installation:

Create the FIM Manifest

The FIM manifest is a YML file that contains runtime configuration information for the FIM Add-on. Follow the steps below to create the FIM manifest for your deployment:

  1. Create a file named fim.yml, using the following code as a template.
    releases:
    - name: fim
      version: 1.0.0
    addons:
    - name: fim
      jobs:
      - name: fim
        release: fim
      properties: {}

Download and Deploy the FIM Add-on

  1. Download the FIM Add-on software binary from the Pivotal Network to your local machine.

  2. Copy the software binary to your Ops Manager VM.

    $ scp -i PATH/TO/PRIVATE/KEY fim-release.tar.gz ubuntu@YOUR-OPS-MANAGER-VM-IP:

  3. Copy the FIM manifest, fim.yml file, to your Ops Manager instance.

    $ scp -i PATH/TO/PRIVATE/KEY fim.yml ubuntu@YOUR-OPS-MANAGER-VM-IP:

  4. SSH into Ops Manager.

    $ ssh -i PATH-TO-PRIVATE-KEY ubuntu@YOUR-OPS-MANAGER-VM-IP

  5. On the Ops Manager VM, navigate to the software binary location.

    $ cd PATH-TO-BINARY

  6. On the Ops Manager VM, target your BOSH director instance.

    $ bosh target YOUR-OPS-MANAGER-DIRECTOR-IP
    Target set to 'Ops Manager'
    Your username: director
    Enter password: ******************
    Logged in as 'director'

  7. Upload your release.

    $ bosh upload release PATH-TO-BINARY/BINARY-NAME.tar

  8. From the command line, confirm that the upload of the FIM software binary completed. You should see the FIM release.

    $ bosh releases

  9. Update your runtime configuration to include the FIM Add-on.

    Note: If you installed other BOSH add-ons, you must merge the FIM manifest into your existing add-on manifest. Append the contents of fim.yml to your existing add-on YML file.

    $ bosh update runtime-config PATH/YOUR-ADD-ON-YML.yml

  10. Verify that your runtime configuration changes match what you specified in the FIM manifest.

    $ bosh runtime-config
    Acting as user 'admin' on 'micro'
    releases:
    - name: fim
      version: 1.0.0

    addons:
    - name: fim
      jobs:
      - name: fim
        release: fim
    ...

  11. Navigate to your Installation Dashboard in Ops Manager.

  12. Click Apply Changes.

Configure Forwarding for FIM Alerts

The fim BOSH release writes all alerts to the syslog of each VM in your deployment. You can use syslog forwarding to send these alerts to a syslog aggregator.

  • Using the Elastic Runtime tile: Follow the steps to Configure System Logging in the Elastic Runtime tile. The syslog aggregator that you specify receives all alerts generated on Elastic Runtime VMs, including the FIM alerts.
  • Using the BOSH syslog release: You can use the syslog BOSH release to forward system logs. See the syslog-release for instructions.

Note: When you configure syslog forwarding, ensure that there is enough disk space for the logs and that log rotation is frequent enough. If in doubt, rotate the logs hourly or when they reach a certain size. Pivotal recommends forwarding logs to a remote syslog aggregation system.

Verify the Installation

  1. Use bosh ssh to connect to one of the VMs in your deployment.

  2. Run monit summary. Look for the following processes in the output:

    The Monit daemon 5.2.4 uptime: 3d 0h 56m
    Process 'fim'                 running

  3. If monit summary does not list fim, perform the following steps:

    1. Start the FIM process by running the following command:
      $ monit start fim

    2. Run monit summary again. If you still do not see the fim process, check the logs in /var/vcap/sys/log/fim for errors.

  4. If monit summary does list fim, do the following:

    1. Enter the following commands:
      $ touch /bin/hackertool
      $ grep hackertool /var/log/messages
    2. Look for a message that a new file has been created:
      Sep 22 23:57:07 qvsfgv0qnrk filesnitch[3040]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| fname="/bin/hackertool" hostname="f98968fe-501a-470b-819a-c4a2a7ac45c8" opname="CREATE" optype=1 ts=1474588627
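The alert above is a CEF record inside an ordinary syslog line, which is what a syslog aggregator receives once forwarding is configured as described earlier. The following parser is an added example, not code from the FIM release: it pulls the FIM fields out of forwarded syslog text and groups them per host for triage. The sample log is constructed from the alert shown above plus one unrelated syslog line and one further constructed alert.

```python
import re

# Syslog prefix as in the sample: "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(
    r"^CEF:(?P<cef>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<sig_id>[^|]*)\|(?P<name>[^|]*)\|(?P<severity>[^|]*)\|(?P<ext>.*)$")
# Extension fields are key="quoted value" or key=bare-value pairs
EXT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: line 1 is the alert from the verification step, line 2 is
# unrelated syslog noise, line 3 is a second constructed FIM alert (same shape).
SAMPLE_LOG = """\
Sep 22 23:57:07 qvsfgv0qnrk filesnitch[3040]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| fname="/bin/hackertool" hostname="f98968fe-501a-470b-819a-c4a2a7ac45c8" opname="CREATE" optype=1 ts=1474588627
Sep 22 23:57:08 qvsfgv0qnrk sshd[2210]: Accepted publickey for vcap from 10.0.0.5 port 51234 ssh2
Sep 22 23:58:11 qvsfgv0qnrk filesnitch[3040]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| fname="/etc/cron.d/newjob" hostname="f98968fe-501a-470b-819a-c4a2a7ac45c8" opname="CREATE" optype=1 ts=1474588691
"""


def parse_fim_alert(line):
    """Return a dict for a FIM CEF alert, or None for any other syslog line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    c = CEF_RE.match(m.group("msg"))
    if not c or c.group("vendor") != "cloud_foundry" or c.group("product") != "fim":
        return None
    alert = {"syslog_ts": m.group("ts"), "syslog_host": m.group("host"),
             "program": m.group("prog"), "severity": int(c.group("severity"))}
    for key, quoted, bare in EXT_RE.findall(c.group("ext")):
        # Bare numeric values (optype, ts) become ints so they can be sorted/thresholded
        alert[key] = int(bare) if bare and bare.isdigit() else (quoted if quoted else bare)
    return alert


def parse_fim_alerts(text):
    """Parse every FIM alert in a block of syslog text, skipping other lines."""
    return [a for a in (parse_fim_alert(l) for l in text.splitlines()) if a]


def events_by_host(alerts):
    """Summarise alerts as {hostname: [(opname, fname), ...]} for triage."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.get("hostname"), []).append((a.get("opname"), a.get("fname")))
    return by_host
```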