File Integrity Monitoring for VMware Tanzu
Note: Pivotal Platform is now part of VMware Tanzu. In v2.1 and later, Pivotal File Integrity Monitoring is named File Integrity Monitoring for VMware Tanzu
Page last updated:
This documentation describes setting up and using File Integrity Monitoring for VMware Tanzu (FIM).
File Integrity Monitoring for VMware Tanzu provides logs of file and directory modifications in monitored paths. Operators and auditors use these logs to satisfy security requirements for file integrity monitoring for Ops Manager-managed BOSH VMs.
You can use FIM to help achieve compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).
File Integrity Monitoring enables you to:
- Monitor Ops Manager-managed BOSH VMs and containers
- Specify path patterns to exclude
- Group path patterns under low severity
- Format log output
- Provide digest calculations of files
The following table provides version and version-support information about FIM.
|Release date||January 25, 2021|
|Compatible Pivotal Operations Manager versions||2.10, 2.9, and 2.8|
|Compatible VMware Tanzu Application Service for VMs (TAS for VMs) versions||2.11, 2.10, 2.9, and 2.8|
|Compatible VMware Tanzu Application Service for VMs [Windows] (TAS for VMs [Windows]) versions||2.11, 2.10, 2.9, and 2.8|
|Compatible BOSH stemcells||Ubuntu Xenial and Windows 2016, 1803, 2019|
|IaaS support||vSphere, GCP, AWS, Azure, and OpenStack|
File Integrity Monitoring has the following limitations:
- If you are upgrading from FIM v1.4, you must manually uninstall the runtime configs. For more information, see Upgrading File Integrity Monitoring.
The BOSH Context Adaptor for File Integrity Monitoring (BCAF) is a feature that reduces the number of logs that an operator needs to review. It notifies the Event Logger about BOSH events and lowers the severity of those events. This allows operators to focus on high severity events.
BCAF does this by observing BOSH Agent log entries, which are located at
When the BOSH Agent receives an event from the BOSH Director, the Agent begins to generate logs
corresponding to the events.
BCAF analyzes the start and end of the events, and lowers the severity of any BOSH-related paths in
the Event Logger.
These events are then output into
This diagram illustrates how the BOSH Context Adaptor analyzes BOSH events:
In the example shown in the diagram above, the BOSH Director starts an event and sends it to the BOSH
Agent. The BOSH Agent sends the
touch events to
fsnotify and begins to log the events
in the BOSH Agent log.
TimeStamp 1: BOSH event started ... TimeStamp N: BOSH event finished
The Context Adaptor analyzes the events taking place in the BOSH Agent log.
It observes that the directory
/var/vcap/foo and file
bar.txt are related during the
It then notifies the Event Logger that these are BOSH events and changes the severity level to
The log output from the Event Logger reflects this change:
... /var/vcap/foo is created [it is related to a normal BOSH event && severity is LOW] ... bar.txt is created [it is related to a normal BOSH event && severity is LOW] ...
For an example log entry, see Example of Log Message Identified by BCAF.
Note: A user or Ops Manager can start BOSH events.
For example, if a user initiates a BOSH deploy, this can create files and make directories.
Also, BCAF detects the initial action of doing an SSH through BOSH, but does not detect any commands run afterwards within the SSH session. If a user performs an SSH onto a VM and creates files or directories, that is not a “BOSH triggered event” and BCAF does not detect it.