Since Splunk integration is not going fast enough to meet the September 21 deadline for POAM closure, we need to determine what we can do with the existing audit logs to perform minimal File Integrity Monitoring.
Better still would be to create a script that performs a checksum of the file or directory and then alerts users when a file has changed.
Here is the link for the Splunk Simple FIM tool I intended to use just so we have this captured:
https://gosplunk.com/simple-file-integrity-monitoring-management-dashboard/
@ Abdul - Please check to see if we can do at a minimum tasks 1 and 2. You may need to reach out to the development team for the information in task 1.
Then we need to see if we have file-level visibility via the existing audit logs.
Acceptance Criteria
[ ] Create a script that performs a checksum of the file or directory and then alerts users when a file has changed. The alert actually takes place.
Tasks
[ ] What files are critical to our application’s functions? Need a List of these Files/Directories for each deployment.
[ ] Can these files be monitored based on current audit logs information such as System call to specific Directories?
[ ] Detect whether any write activity has been done to them (new file inserted/written/modified, rename, delete)
[ ] Create a script that performs a checksum of the file or directory and then alerts users when a file has changed.
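An added example of the checksum script the last task describes (not code from this ticket, the Splunk tool or any project): it baselines a directory tree with SHA-256 into a JSON manifest, re-scans, and reports added, removed, modified and renamed files, covering the write-activity kinds listed in the tasks. The script name, manifest path and the cron-mail convention in the comments are assumptions.

```python
import hashlib
import json
import os
import sys

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:               # stream: large artifacts need not fit in RAM
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    manifest = {}                             # relative path -> sha256 of every regular file
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):      # do not hash link targets outside the tree
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def compare(baseline, current):
    # classify differences into the change kinds listed in the ticket
    added, removed = set(current) - set(baseline), set(baseline) - set(current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    by_digest = {baseline[p]: p for p in removed}  # a rename keeps its digest
    renamed = []
    for new in sorted(added):
        old = by_digest.pop(current[new], None)
        if old is not None:
            renamed.append((old, new))
            removed.discard(old)
    added -= {new for _old, new in renamed}
    return {"added": sorted(added), "removed": sorted(removed),
            "modified": modified, "renamed": renamed}

def main(argv):
    """usage: fim.py baseline DIR MANIFEST | fim.py check DIR MANIFEST (assumed names)"""
    mode, root, manifest_path = argv[1:4]
    if mode == "baseline":
        with open(manifest_path, "w") as f:
            json.dump(snapshot(root), f, indent=2)
        return 0
    with open(manifest_path) as f:
        changes = compare(json.load(f), snapshot(root))
    for line in (f"ALERT {k}: {e}" for k, v in changes.items() for e in v):
        print(line)                           # any stdout from a cron job mails the owner
    return 1 if any(changes.values()) else 0  # non-zero exit is the machine-readable signal

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the manifest outside the monitored tree and on a path the application's service account cannot write, otherwise a change to the files can be accompanied by a change to the baseline.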
Definition of Done
[ ] Ability to get alerts if a file change took place
[ ] Resolution to existing POAMS 28214, 16, 17, 18.