Troubleshooting the FIM Add-on for PCF


This topic provides instructions to verify that File Integrity Monitoring (FIM) Add-on for PCF works with your Pivotal Cloud Foundry (PCF) deployment and makes general recommendations for troubleshooting.

About Troubleshooting FIM

This topic provides help for troubleshooting the runtime behavior of the FIM Add-on, so that you can confirm the deployment is being protected in the way you expect.

BOSH Deploy Issues

Symptom

The FIM Add-on generates too much syslog activity during BOSH deploys.

Explanation

The FIM Add-on monitors and reports file changes. BOSH deployments often make changes to the monitored directories and files, which generates corresponding FIM syslog activity during the deployment.

The FIM Add-on watches for unexpected file changes in all the directories that you configure it to monitor. The default manifest configuration monitors files in many critical directories including /var/vcap/data/jobs and /var/vcap/data/packages. These directories are critical to the normal operation of PCF and are monitored because they are not expected to change during operation of the platform (between BOSH deploys).

Syslog messages generated during a BOSH deploy report file changes in the jobs and packages folders under /var/vcap/.... A BOSH deploy rewrites the files in these folders, so the FIM Add-on is reporting filesystem events that are expected. Depending on how you triage them, you can treat these syslog messages either as confirmation that the BOSH deployment is writing its jobs and packages or as false positive events.

Solution

Events occurring during a planned BOSH deployment are normal and may be safely ignored.

To avoid the additional syslog traffic during a BOSH deploy, customize the FIM release deployment manifest to narrow the scope of FIM so that it does not include directories affected by deployments. You can do this either immediately before you run a BOSH deploy and revert it afterwards (as a temporary measure), or as part of the normal FIM configuration. Note that narrowing the scope permanently also removes reporting for changes to those directories outside of deploys, which is the reason they are monitored by default. Consider your threat environment and risk tolerance and configure the FIM Add-on accordingly.
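An alternative to narrowing the monitored directories is to keep the default scope and triage the events in your log pipeline instead. The following Python script is an added example for this page and is not part of the FIM Add-on: it labels a FIM event as expected only when the changed path lies under one of the deploy-managed trees named above AND the event falls inside a known deploy window; a change to the same trees outside the window, or to any other monitored path inside the window, is still flagged for investigation. The syslog line shape (RFC 3164 header, program tag fim, key=value body) and all sample lines, hostnames, paths and times are constructed assumptions for the example; the real FIM message format is not described on this page and may differ.

```python
import re
from datetime import datetime

# The page states that the default manifest monitors these directories and
# that BOSH deploys rewrite their contents.
DEPLOY_PATHS = ("/var/vcap/data/jobs", "/var/vcap/data/packages")

# ASSUMED line shape for this example only: an RFC 3164 syslog header, the
# program tag "fim", then key=value fields. Adjust LINE_RE/KV_RE if the real
# FIM Add-on messages look different.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) fim: (?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line, year):
    """Return (timestamp, host, fields) for a FIM line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # RFC 3164 timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("host"), dict(KV_RE.findall(m.group("body")))


def under(path, prefixes):
    """True if path is one of prefixes or lies below one (no bare substring matches)."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def classify(event, window):
    """'expected-deploy' only when the path is in a deploy-managed tree AND the
    event time is inside the deploy window; everything else is 'investigate'."""
    ts, _host, fields = event
    start, end = window
    if under(fields.get("path", ""), DEPLOY_PATHS) and start <= ts <= end:
        return "expected-deploy"
    return "investigate"


def triage(lines, window, year):
    """Classify every FIM event in lines; returns (verdict, path, event) tuples in order."""
    results = []
    for line in lines:
        ev = parse_event(line, year)
        if ev is not None:
            fields = ev[2]
            results.append((classify(ev, window), fields.get("path", ""), fields.get("event", "")))
    return results


# Constructed sample input: hostnames, paths and times are invented for the example.
SAMPLE_LINES = [
    "Jan  5 10:02:13 diego-cell-0 fim: event=modify path=/var/vcap/data/packages/rep/3f/bin/rep",
    "Jan  5 10:03:41 diego-cell-0 fim: event=create path=/var/vcap/data/jobs/rep/9a/config/rep.yml",
    "Jan  5 10:05:09 diego-cell-0 fim: event=modify path=/etc/passwd",
    "Jan  5 14:22:57 diego-cell-0 fim: event=modify path=/var/vcap/data/jobs/rep/9a/bin/rep_ctl",
    "Jan  5 10:04:00 diego-cell-0 sshd[1234]: Accepted publickey for vcap",
]
# Deploy window taken from the BOSH task start/end times (constructed here).
DEPLOY_WINDOW = (datetime(2019, 1, 5, 10, 0, 0), datetime(2019, 1, 5, 10, 30, 0))

if __name__ == "__main__":
    for verdict, path, event in triage(SAMPLE_LINES, DEPLOY_WINDOW, 2019):
        print(f"{verdict:16} {event:8} {path}")
```

Take the deploy window from the BOSH director's task record (for example the start and end times shown by bosh tasks --recent) rather than from a guess, and keep the window tight: the script downgrades a change only while a deploy is actually writing jobs and packages, so a modification to /etc/passwd during the window, or to /var/vcap/data/jobs hours later, still surfaces.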

FIM Add-on Runtime Issues

Symptom

Filesystem events are not reported. The logs are empty.

Explanation

The FIM Add-on might not be running or might be misconfigured.

Solution

  • Check whether the fim process is running. On the VM, run monit summary with root privileges (for example, after bosh ssh, run sudo monit summary). On success it lists the fim process as running, with output similar to the following:

    The Monit daemon 5.2.5 uptime: 1d 20h 11m
    Process 'fim' running
  • If the process isn’t running, inspect the contents of the /var/vcap/sys/log/fim/fim.std*.log files (fim.stdout.log and fim.stderr.log) for clues.
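The two checks above combined into one script, as an added example that is not part of the FIM Add-on or this page: it parses the monit summary output, reports whether the fim entry is running, and if not, prints the tail of the fim.std*.log files. Running it end to end assumes you are root on a BOSH VM where monit is available; the sample summary text in the comments and tests is constructed.

```python
import glob
import re
import subprocess

# One entry per line of `monit summary`, e.g. "Process 'fim'        running".
# The status text may contain spaces ("not monitored", "Does not exist").
MONIT_LINE = re.compile(r"^(?P<kind>\w+)\s+'(?P<name>[^']+)'\s+(?P<status>.*\S)\s*$")

# BOSH job log location named on this page (expands to fim.stdout.log and fim.stderr.log).
FIM_LOG_GLOB = "/var/vcap/sys/log/fim/fim.std*.log"


def parse_monit_summary(text):
    """Map each monit-managed entry name to its reported status string.

    The header line ("The Monit daemon 5.2.5 uptime: ...") does not match and is skipped.
    """
    statuses = {}
    for line in text.splitlines():
        m = MONIT_LINE.match(line)
        if m:
            statuses[m.group("name")] = m.group("status")
    return statuses


def fim_is_running(summary_text):
    """True only when monit lists a 'fim' entry and reports it as 'running'."""
    return parse_monit_summary(summary_text).get("fim") == "running"


def tail_fim_logs(n=40, pattern=FIM_LOG_GLOB):
    """Last n lines of each log file matching pattern, keyed by path."""
    tails = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, errors="replace") as fh:
            tails[path] = fh.readlines()[-n:]
    return tails


def main():
    # `monit summary` needs root on a BOSH VM: run after `bosh ssh` and `sudo -i`.
    summary = subprocess.run(["monit", "summary"], capture_output=True, text=True, check=True).stdout
    if fim_is_running(summary):
        print("fim: running")
        return 0
    print("fim is NOT running; monit reports:", parse_monit_summary(summary).get("fim", "<no fim entry>"))
    for path, lines in tail_fim_logs().items():
        print(f"--- {path}")
        print("".join(lines), end="")
    return 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The exit status (0 running, 1 otherwise) makes the script usable from a fleet-wide loop over bosh ssh, so you can find cells where FIM is silent because the process is down rather than because nothing changed.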


Symptom

Filesystem events are not reported from a portion of the filesystem.

Explanation

The FIM Add-on is configured to monitor a set of critical directories in the system. It is not configured to monitor the entire filesystem by default.

Solution

Refer to the configuration section of the FIM Add-on documentation to inspect the default list of monitored directories and for instructions on adjusting that list in the runtime manifest.

