File Integrity Monitoring for VMware Tanzu

Note: Pivotal Platform is now part of VMware Tanzu. In v2.1 and later, Pivotal File Integrity Monitoring is named File Integrity Monitoring for VMware Tanzu.

This documentation describes setting up and using File Integrity Monitoring for VMware Tanzu (FIM).

Overview

File Integrity Monitoring for VMware Tanzu provides logs of file and directory modifications in monitored paths. Operators and auditors use these logs to satisfy security requirements for file integrity monitoring for Ops Manager-managed BOSH VMs.

You can use FIM to help achieve compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).

Key Features

File Integrity Monitoring enables you to:

  • Monitor Ops Manager-managed BOSH VMs and containers
  • Specify path patterns to exclude
  • Group path patterns under low severity
  • Format log output
  • Provide digest calculations of files

Product Snapshot

The following table provides version and version-support information about FIM.

Warning: FIM Add-on on Windows is in beta.

Element: Details
Version: v2.1.3
Release date: May 20, 2020
Compatible Pivotal Operations Manager versions: 2.7, 2.8 and 2.9
Compatible VMware Tanzu Application Service for VMs (TAS for VMs) versions: 2.7, 2.8 and 2.9
Compatible VMware Tanzu Application Service for VMs [Windows] (TAS for VMs [Windows]) versions: 2.7, 2.8 and 2.9
Compatible BOSH stemcells: Ubuntu Xenial and Windows 2016, 1803, 2019
IaaS support: vSphere, GCP, AWS, Azure, and OpenStack

Limitations

File Integrity Monitoring has the following limitations:

  • Windows support is in beta
  • If you are upgrading from FIM v1.4, you must manually uninstall the runtime configs. For more information, see Upgrading File Integrity Monitoring.

File Integrity Monitoring Architecture

BOSH Context Adaptor for File Integrity Monitoring (BCAF)

The BOSH Context Adaptor for File Integrity Monitoring (BCAF) is a feature that reduces the number of logs that an operator needs to review. It notifies the Event Logger about BOSH events and lowers the severity of those events. This allows operators to focus on high severity events.

BCAF does this by observing BOSH Agent log entries, which are located at /var/vcap/bosh/log/current. When the BOSH Agent receives an event from the BOSH Director, the Agent begins to generate logs corresponding to the events. BCAF analyzes the start and end of the events, and lowers the severity of any BOSH-related paths in the Event Logger. These events are then output into /var/vcap/sys/log/fim/fim.stdout.log.

This diagram illustrates how the BOSH Context Adaptor analyzes BOSH events:

[Diagram: the BOSH Context Adaptor analyzing BOSH events; described in the text below.]

In this example, the BOSH Director starts an event and sends it to the BOSH Agent. The BOSH Agent sends the mkdir and touch events to fsnotify and begins to log the events in the BOSH Agent log.

For example:

TimeStamp 1: BOSH event started
...
TimeStamp N: BOSH event finished

The Context Adaptor analyzes the events taking place in the BOSH Agent log. It observes that the directory /var/vcap/foo and file bar.txt are related during the mkdir event. It then notifies the Event Logger that these are BOSH events and changes the severity level to 3.

The log output from the Event Logger reflects this change:

...
/var/vcap/foo is created [it is related to a normal BOSH event && severity is LOW]
...
bar.txt is created [it is related to a normal BOSH event && severity is LOW]
...

For an example log message, see Example of Log Message Identified by BCAF.

Note: BOSH events can be started by either a user or Ops Manager. For example, if a user initiates a BOSH deploy, this can create files and make directories.

Also, BCAF detects the initial action of doing an SSH through BOSH, but does not detect any commands run afterwards within the SSH session. If a user performs an SSH onto a VM and creates files or directories, that is not a “BOSH triggered event” and is not detected by BCAF.
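The correlation described above, reduced to a runnable model (an added example, not FIM's or BCAF's own code): BOSH event start/finish lines from the Agent log become time windows, and a file event is lowered to severity 3 only when it falls inside a window and under the BOSH-managed tree. The log lines, timestamps, the /var/vcap prefix rule and the HIGH severity value are constructed assumptions; the third event stands for a file a user wrote during an interactive SSH session after the BOSH event itself finished, which stays high severity as the Note explains.

```python
from dataclasses import dataclass
from datetime import datetime

SEVERITY_HIGH = 1  # constructed value for a modification an operator must review
SEVERITY_LOW = 3   # the page states BCAF lowers BOSH-related events to severity 3

@dataclass
class FileEvent:
    ts: datetime   # when fsnotify reported the change
    path: str      # absolute path that changed
    op: str        # "created", "modified", ...

def parse_bosh_windows(agent_log):
    """Turn 'started'/'finished' lines from the BOSH Agent log into (start, end) windows."""
    windows, start = [], None
    for line in agent_log:
        ts_text, _, msg = line.partition(" ")
        ts = datetime.fromisoformat(ts_text)
        if "BOSH event started" in msg:
            start = ts
        elif "BOSH event finished" in msg and start is not None:
            windows.append((start, ts))
            start = None
    return windows

def classify(events, windows, bosh_prefix="/var/vcap"):
    """Lower severity only for changes under the BOSH tree that fall inside a window (assumption)."""
    results = []
    for ev in events:
        # Changes outside every window (e.g. written by a user after 'bosh ssh' completed) stay HIGH.
        in_window = any(start <= ev.ts <= end for start, end in windows)
        bosh_related = in_window and ev.path.startswith(bosh_prefix + "/")
        sev = SEVERITY_LOW if bosh_related else SEVERITY_HIGH
        note = "it is related to a normal BOSH event && severity is LOW" if bosh_related else "severity is HIGH"
        results.append((ev.path, sev, f"{ev.path} is {ev.op} [{note}]"))
    return results

# Constructed sample data mirroring the mkdir/touch example on this page.
AGENT_LOG = [
    "2020-05-20T10:00:00 BOSH event started",
    "2020-05-20T10:00:05 BOSH event finished",
]
FILE_EVENTS = [
    FileEvent(datetime(2020, 5, 20, 10, 0, 1), "/var/vcap/foo", "created"),
    FileEvent(datetime(2020, 5, 20, 10, 0, 2), "/var/vcap/foo/bar.txt", "created"),
    FileEvent(datetime(2020, 5, 20, 10, 7, 0), "/var/vcap/foo/manual.txt", "created"),
]

def run():
    return classify(FILE_EVENTS, parse_bosh_windows(AGENT_LOG))
```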