Installing the FIM Add-on for PCF

This topic describes how to install File Integrity Monitoring Add-on for PCF (FIM Add-on) on your Pivotal Cloud Foundry (PCF) deployment.

Prerequisites

Note: FIM Add-on for PCF does not work on Windows.

To complete the FIM installation, work through the following procedures in order: create the FIM manifest, download the add-on, deploy it, configure forwarding for its alerts, and verify the installation.

Create the FIM Manifest

The FIM manifest is a YAML file that contains the runtime configuration for the FIM Add-on: the release to use and the add-on job that BOSH colocates on every VM. Follow the steps below to create the FIM manifest for your deployment:

  1. Create a file named fim.yml, using the following code as a template.
    releases:
    - name: fim
      version: 1.0.0
    addons:
    - name: fim
      jobs:
      - name: fim
        release: fim
      properties: {}

Download the FIM Add-on

  1. Download the FIM Add-on software binary from the Pivotal Network to your local machine.

  2. Copy the software binary to your Ops Manager VM.

    $ scp -i PATH-TO-PRIVATE-KEY fim-release.tar.gz ubuntu@YOUR-OPS-MANAGER-VM-IP:

  3. Copy the FIM manifest, fim.yml file, to your Ops Manager instance.

    $ scp -i PATH-TO-PRIVATE-KEY fim.yml ubuntu@YOUR-OPS-MANAGER-VM-IP:

  4. SSH into Ops Manager.

    $ ssh -i PATH-TO-PRIVATE-KEY ubuntu@YOUR-OPS-MANAGER-VM-IP

  5. On the Ops Manager VM, navigate to the software binary location.

    $ cd PATH-TO-BINARY

Deploy the FIM Add-on

Perform the following steps to deploy the FIM Add-on:

  1. Log in to the BOSH Director.

    • For Ops Manager 1.10 or earlier:
      1. On the Ops Manager VM, target your BOSH Director instance. For example:
        $ bosh target YOUR-OPS-MANAGER-DIRECTOR-IP
        Target set to 'Ops Manager'
        Your username: director
        Enter password: ******************
        Logged in as 'director'
        
    • For Ops Manager 1.11 or later:
      1. On the Ops Manager VM, create an alias in the BOSH CLI for your BOSH Director IP address. For example:
        $ bosh2 alias-env my-env -e 10.0.0.3
      2. Log in to the BOSH Director, specifying the newly created alias. For example:
        $ bosh2 -e my-env log-in
  2. Upload the release, specifying the path to the FIM release tarball you copied to the Ops Manager VM, by running one of the following commands:

    • For Ops Manager 1.10 or earlier:
      $ bosh upload release PATH-TO-BINARY/fim-release.tar.gz
    • For Ops Manager 1.11 or later:
      $ bosh2 -e my-env upload-release PATH-TO-BINARY/fim-release.tar.gz
  3. List the releases by running one of the following commands, and confirm that FIM appears:

    • For Ops Manager 1.10 or earlier:
      $ bosh releases
    • For Ops Manager 1.11 or later:
      $ bosh2 -e my-env releases
  4. Update your runtime configuration to include the FIM Add-on, specifying the path to the fim.yml file you created above, by running one of the following commands:

    Note: Updating the runtime configuration replaces it entirely, so the file you upload must contain every add-on you want deployed. If you installed other BOSH add-ons, merge the FIM manifest into your existing add-on manifest: add the fim entry to the existing releases list and the fim add-on to the existing addons list. Do not simply concatenate the two files; a YAML document with two top-level releases or addons keys is invalid, and a loader may silently keep only one of them, dropping an add-on from your deployment.

    • For Ops Manager 1.10 or earlier:
      $ bosh update runtime-config PATH/YOUR-ADD-ON-YML.yml
    • For Ops Manager 1.11 or later:
      $ bosh2 -e my-env update-runtime-config fim.yml
  5. Verify that your runtime configuration changes match what you specified in the FIM manifest by running one of the following commands:

    • For Ops Manager 1.10 or earlier:
      $ bosh runtime-config
    • For Ops Manager 1.11 or later:
      $ bosh2 -e my-env runtime-config

    For example, the output should include the release and add-on from fim.yml:

    $ bosh2 -e my-env runtime-config
    releases:
    - name: fim
      version: 1.0.0
    addons:
    - name: fim
      jobs:
      - name: fim
        release: fim
    ...

  6. Navigate to your Installation Dashboard in Ops Manager.

  7. Click Apply Changes.

Configure Forwarding for FIM Alerts

Note: As of PCF v2.0, Elastic Runtime is renamed Pivotal Application Service (PAS). The following procedure uses both names.

The FIM BOSH release writes all alerts to the local syslog of each VM in your deployment. Use syslog forwarding to send the alerts to a syslog aggregator; without forwarding, an alert exists only on the VM whose integrity it reports on.

  • Using the Pivotal Application Service (PAS) or Elastic Runtime tile: Follow the steps to Configure System Logging in the PAS or Elastic Runtime tile. The syslog aggregator that you specify receives all alerts generated on PAS or Elastic Runtime VMs, including the FIM alerts.
  • Using the BOSH syslog release: You can use the syslog BOSH release to forward system logs from any BOSH-deployed VM. See the syslog-release documentation for instructions.

Note: When you configure syslog forwarding, ensure that the VMs have enough disk space for the local logs and that log rotation is frequent enough. If in doubt, rotate the logs hourly or when they reach a certain size. Pivotal recommends forwarding logs to a remote syslog aggregation system: an attacker who gains access to a VM can alter or delete the logs stored on it, so the remote copy is the record you can trust.

Verify the Installation

  1. BOSH SSH into one of the VMs in your deployment and run the following commands as root; monit and writing to /bin both require root privileges.

  2. Run monit summary. Look for the fim process in the output:

    The Monit daemon 5.2.4 uptime: 3d 0h 56m
    Process 'fim'                 running
  3. If monit summary does not list fim as running, perform the following steps:

    1. Start the FIM process:
      $ monit start fim

    2. Run monit summary again. If fim still does not appear as running, check the logs in /var/vcap/sys/log/fim for errors.
  4. If monit summary does list fim as running, confirm that FIM detects a file change and that the alert reaches syslog:

    1. Create a test file in a monitored directory, then search the syslog for it:
      $ touch /bin/hackertool
      $ grep hackertool /var/log/messages
    2. Look for a message that a new file has been created:
      Sep 22 23:57:07 qvsfgv0qnrk filesnitch[3040]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| fname="/bin/hackertool" hostname="f98968fe-501a-470b-819a-c4a2a7ac45c8" opname="CREATE" optype=1 ts=1474588627
    3. Remove the test file /bin/hackertool when you are done, so that a stray file does not remain in a system directory.
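The CEF line in step 4 is what your syslog aggregator receives for every FIM event. As an added example, not code shipped with the FIM Add-on, the Python below parses such lines out of a syslog stream (header fields split on unescaped pipes, then the key=value extension) and flags events under paths that deserve immediate triage. Only the first sample line is from this page; the other lines, the MODIFY opname and optype value, and the watched-path list are constructed assumptions for the example.

```python
"""Parse FIM alerts out of syslog and flag the ones that need attention.

Added example, not code from the FIM Add-on. It handles the CEF layout of
the alert shown on this page; the additional sample lines, the MODIFY opname
and the list of watched paths are assumptions made for the example.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample log. Line 1 is the alert from this page; the rest are
# invented here: a non-FIM line, an assumed MODIFY event, an event outside the
# watched paths, and a FIM record whose extension fields are missing.
SAMPLE_LOG = """\
Sep 22 23:57:07 qvsfgv0qnrk filesnitch[3040]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| fname="/bin/hackertool" hostname="f98968fe-501a-470b-819a-c4a2a7ac45c8" opname="CREATE" optype=1 ts=1474588627
Sep 22 23:58:10 qvsfgv0qnrk sshd[1203]: Accepted publickey for vcap from 10.0.0.5 port 51344 ssh2
Sep 22 23:59:01 qvsfgv0qnrk filesnitch[3040]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| fname="/etc/sudoers.d/ops" hostname="f98968fe-501a-470b-819a-c4a2a7ac45c8" opname="MODIFY" optype=2 ts=1474588741
Sep 22 23:59:20 qvsfgv0qnrk filesnitch[3040]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| fname="/home/vcap/notes.txt" hostname="f98968fe-501a-470b-819a-c4a2a7ac45c8" opname="CREATE" optype=1 ts=1474588760
Sep 22 23:59:30 qvsfgv0qnrk filesnitch[3040]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| truncated record with no extension fields
"""

CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# key=value pairs; a value is either double-quoted (with \" escapes) or bare.
_EXT_KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Paths where an unexpected file event on a PCF VM deserves immediate triage.
# Assumption for this example, not FIM's own watch list.
WATCHED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/etc/", "/var/vcap/jobs/")


def parse_cef(line: str) -> Optional[dict]:
    """Split one syslog line into its seven CEF header fields plus 'ext'.

    Returns None when the line carries no well-formed CEF record (no 'CEF:'
    marker, or fewer than seven pipe-separated header fields).
    """
    marker = line.find("CEF:")
    if marker < 0:
        return None
    # A literal pipe inside a header field is escaped as '\|'; do not split there.
    parts = re.split(r"(?<!\\)\|", line[marker + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        return None
    record = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    record["ext"] = {
        m.group(1): (m.group(2) if m.group(2) is not None else m.group(3)).replace('\\"', '"')
        for m in _EXT_KV.finditer(parts[7])
    }
    return record


def extract_fim_alerts(lines):
    """Return the FIM events among the given syslog lines as normalised dicts."""
    alerts = []
    for line in lines:
        rec = parse_cef(line)
        if rec is None or (rec["vendor"], rec["product"]) != ("cloud_foundry", "fim"):
            continue
        ext = rec["ext"]
        if "fname" not in ext or "opname" not in ext:
            continue  # a FIM record we cannot act on; do not guess at its fields
        ts = ext.get("ts", "")
        alerts.append({
            "fname": ext["fname"],
            "opname": ext["opname"],
            "optype": int(ext["optype"]) if ext.get("optype", "").isdigit() else None,
            "hostname": ext.get("hostname"),
            "severity": int(rec["severity"]) if rec["severity"].isdigit() else None,
            "time": datetime.fromtimestamp(int(ts), tz=timezone.utc) if ts.isdigit() else None,
        })
    return alerts


def is_high_risk(alert: dict, prefixes=WATCHED_PREFIXES) -> bool:
    """True when the changed file sits under a path an attacker would target."""
    return alert["fname"].startswith(prefixes)


if __name__ == "__main__":
    for alert in extract_fim_alerts(SAMPLE_LOG.splitlines()):
        tag = "HIGH" if is_high_risk(alert) else "info"
        print(f"{tag:4} {alert['time']} {alert['opname']:6} {alert['fname']}")
```

Feed the output of your aggregator's FIM query into extract_fim_alerts; the parser deliberately drops records it cannot read completely rather than inventing fields, so a count of dropped lines is itself worth alerting on, since a tampered or truncated log stream looks exactly like that.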