
HPE INTEGRITY DETECTIVE™

HPE Integrity Detective™ is the most feature-rich, continuous (real time), file and subsystem integrity monitoring solution available today on the HPE NonStop server. It offers a comprehensive set of standard features, all hosted and protected by your NonStop server, while having the enterprise connectivity and view that your business requires.


Integrity Monitoring - ensuring sensitive files, folders and system objects are not tampered with - is a key component of any Payment Card Industry Data Security Standard (PCI-DSS) compliance effort, but it is also just plain common sense for any organisation that runs a secure system.

HPE Integrity Detective (ID) was designed and written specifically for the HPE NonStop systems and can monitor files, both Guardian and OSS, the configuration of subsystems like Safeguard, Pathway, SSH, Netbatch and even some third party utilities. Any change to an item is detected and highly configurable alerts can be directed where needed.

KEY FEATURES

MONITORING - FILES AND SUBSYSTEMS

  • Guardian and OSS files.

  • Kernel-Managed Processes (Persistent Processes) – monitor properties.

  • Netbatch Jobs and Attachment Sets.

  • Pathway server and Pathmon properties.

  • SSH monitoring for hundreds of parameters.

  • CLIM configurations

  • Folder watching: detect files added or deleted from watched subvolumes or subdirectories.

  • Safeguard Objects. All Safeguard objects can be monitored. This includes all Access Control Lists (ACLs) for discs, files, processes, devices, etc. Also monitors Safeguard Groups, Object Types, SEEPs, and Globals.

  • COM program output monitoring. As well as native NonStop subsystems, ID can monitor third-party subsystems or tools it has never seen before, and NonStop tools that have no simple programming interface. Examples include:
    • OSS filesets

    • Expand lines

    • TMF

    • Data replication software (Shadowbase, DRNet, RDF etc)

    • Telnet/Secure Telnet services

    • Timesync

    • Spooler

    • swap file config (nskcom)

    • NonStop SSL/TLS

    • BASE24 NCPCOM

    • RMS security and config

    • TFDS

    • Secure Tape and more…

AUDITING:

  • Full auditing of all actions (baselining of files or subsystems, control parameter changes, state transitions). EMS alerts.

SECURITY:

  • Inbuilt security defining what each user can see or do within ID.

  • Fully customizable user permissions.

DATABASE:

  • Database stored on NonStop with capability for full protection via Safeguard.

INFRASTRUCTURE:

  • No extra hardware or technology required.

ALERTING:

  • Continuous monitoring generates real time alerts. Instantly sends alerts to SIEM (via syslog), EMS, or both. Alerts will also be displayed in the GUI.

  • Found Values. ID captures a mismatched value and displays it in the GUI. User can see immediately the ‘should-be’ and ‘actual’ values.

  • All settings fully configurable.

CHANGE DETECTION:

  • If a file (or subsystem param) is changed and then changed back again to its baselined value, ID raises an “amber” alert, indicating that something may be amiss and should be checked.

HASHING

  • SHA-256 hashing for FIM. SHA-256 is a strong, collision-resistant algorithm appropriate for PCI DSS change detection; weaker hashes such as MD5 or SHA-1 should not be used for new baselines.

DOCUMENTATION:

  • Context sensitive help (F1 key) and comprehensive User Guide.

REPORTING:

  • Comprehensive reporting on all objects. Output to file, spooler or back to the GUI.

  • Reports on FIM files, compatible with legacy integrity monitoring tools, can be produced – either at end-of-checking-cycle or on a schedule.

USABILITY:

  • Quick to set up, easy to configure.

  • Can add multiple files from a subvol or multiple subvols simultaneously.

  • Notes can be used to track changes and activity within ID. Users can tag a note against each and every object monitored. With the correct procedural discipline, this allows a history to be built up over time showing what has happened to an object and what remedies were actioned. This can reference change documents or trouble tickets so that auditors can see that the 'alleged' (documented) processes actually took place.

  • Most screens have a built-in Print function. PDF ‘prints’ can be useful offline or as audit evidence.

PLATFORMS

Integrity Detective is available for HPE NonStop servers from the S-series to the latest NonStop X (x86) and virtualized NonStop (vNS).
 

FREE EVALUATION

For a free, no obligation evaluation please click here.
 

MORE QUESTIONS?

If you have any questions or you'd like more information on Integrity Detective please contact us here.

Enterprise integration diagram

WHAT IS FILE INTEGRITY MONITORING?

File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted ‘baseline’. If a FIM tool detects that files have been altered, updated, or compromised, it can generate alerts to ensure further investigation, and if necessary, remediation, takes place. File integrity monitoring encompasses both reactive (forensic) auditing as well as proactive, rules-based active monitoring.
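As an added example (not Integrity Detective's own code, which this page does not publish), the following Python sketches the mechanics described in the paragraph above and in the Change Detection feature earlier on the page: a SHA-256 baseline of a directory, detection of added, deleted and modified files on each checking cycle, and the "amber" case where a file is altered and then put back to its baseline value, which a plain baseline comparison alone would report as clean. The directory, file names and contents are constructed stand-ins, not real Guardian or OSS objects.

```python
"""Minimal file-integrity monitor: SHA-256 baseline, add/delete/modify detection,
and an "amber" finding when a file was changed and later restored to baseline."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


@dataclass
class Monitor:
    root: str
    baseline: dict[str, str] = field(default_factory=dict)
    # Hash seen for each path on the previous cycle. Keeping this, not just the
    # baseline, is what makes a change-then-revert detectable.
    last_seen: dict[str, str] = field(default_factory=dict)

    def take_baseline(self) -> None:
        self.baseline = snapshot(self.root)
        self.last_seen = dict(self.baseline)

    def check(self) -> list[tuple[str, str, str]]:
        """Return (severity, path, detail) findings for one checking cycle."""
        current = snapshot(self.root)
        findings = []
        for path in sorted(set(self.baseline) | set(current)):
            ref = self.baseline.get(path)
            now = current.get(path)
            if ref is None:
                findings.append(("critical", path, "file added"))
            elif now is None:
                findings.append(("critical", path, "file deleted"))
            elif now != ref:
                findings.append(("critical", path,
                                 f"hash mismatch: expected {ref[:12]} found {now[:12]}"))
            elif self.last_seen.get(path) != ref:
                # Matches the baseline now, but the previous cycle saw something
                # else (a different hash, or the file missing): flag it amber.
                findings.append(("amber", path, "changed and then restored to baseline value"))
        self.last_seen = current
        return findings


def demo() -> dict[str, list]:
    """Constructed scenario in a temporary directory (hypothetical file names)."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "sshconf")
        with open(cfg, "w") as f:
            f.write("AllowedSubnets=10.0.0.0/8\n")
        with open(os.path.join(root, "pathconf"), "w") as f:
            f.write("MAXSERVERCLASSES 50\n")
        mon = Monitor(root)
        mon.take_baseline()
        out = {"clean": mon.check()}
        with open(cfg, "w") as f:                 # attacker widens access
            f.write("AllowedSubnets=0.0.0.0/0\n")
        with open(os.path.join(root, "rogue"), "w") as f:
            f.write("x")
        out["tampered"] = mon.check()
        with open(cfg, "w") as f:                 # ...then covers their tracks
            f.write("AllowedSubnets=10.0.0.0/8\n")
        os.remove(os.path.join(root, "rogue"))
        out["reverted"] = mon.check()
        return out


if __name__ == "__main__":
    for cycle, findings in demo().items():
        print(cycle, findings)
```

The point of `last_seen` is that a monitor which only ever compares against the baseline sees the reverted file as clean; comparing against the previous cycle as well turns the revert into evidence. In production the baseline and history would live in a store protected from the users being monitored, which is what the page's Safeguard-protected database provides.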

WHY IS FILE INTEGRITY MONITORING IMPORTANT?

File integrity monitoring (FIM) software will scan, analyze, and report on unexpected changes to important files in an IT environment. In so doing, FIM provides a critical layer of file, data, and application security, while also helping to accelerate incident response. The main file integrity monitoring use cases are:

DETECTING ILLICIT ACTIVITY

If an attacker intrudes upon your IT environment, you will need to know if they have tried to alter any files that are critical to your operating systems or applications. Even if log files and other detection systems are avoided or altered, ID can still detect changes to important parts of your IT ecosystem. With ID in place, you can monitor and protect the security of your files, applications, operating systems and data. It’s worth noting that ID isn’t just a ‘big brother’ tool, it can also be a friend - helping innocent staff prove they couldn't have dunnit!

VERIFYING UPDATE STATUS AND MONITORING SYSTEM HEALTH

You can check if files have been patched to the latest version by scanning installed versions across multiple locations and machines with the post-patch checksum.

PINPOINTING UNINTENDED CHANGES

Often, file changes are made inadvertently by an admin or another employee. Sometimes the ramifications of these changes may be small and go overlooked. Other times, they can create security backdoors, or result in dysfunction with business operations or continuity. File integrity monitoring simplifies forensics by helping you zero in on the errant change, so you can roll it back or take other remediation.

MEETING COMPLIANCE MANDATES

The ability to audit changes, and to monitor and report certain types of activity is required for compliance with regulatory mandates such as GLBA, SOX, HIPAA and PCI DSS.

INTEGRITY DETECTIVE AND PCI-DSS

Integrity Detective can be deployed to help fulfill Payment Card Industry Data Security Standard (PCI-DSS) Requirements. The numbering and wording below follow PCI DSS v3.2.1; in PCI DSS v4.0 the change-detection requirement is 11.5.2 and the incident-response alerting requirement remains 12.10.5:

11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

12.10.5: Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.



INTEGRITY DETECTIVE SAMPLE SCREEN SHOTS

ID is both feature rich and easy to set up and configure. Here we’ve shared a selection of screen grabs to give a taste of the user experience.


HOME SCREEN SYSTEM TREE AND INTEGRITY STATUS

The system tree on the left shows the connected node status. A green 'thumbs up' indicates monitored files and settings have not changed. A red 'thumb down' indicates files and objects on the system have changed and the integrity check has failed. Double-clicking these icons will allow you to drill down for more detail.


USER CONFIGURATION SCREEN

It’s easy to configure each user’s level of access. Update (green with tick) allows full access to the relevant item. Read (yellow) allows read access only. Users only see the screens they have permissions for. All logging is done with the user’s real name.


File Integrity Monitoring (FIM)

Select the FIM tab to show the number of files being monitored. The panel can show both Guardian and OSS files and both are treated similarly by ID.

The display shows basic information about each file - Code, Owner and Security - properties most NonStop administrators will be familiar with.

Each file can have one of many FIM Status values, and each FIM status is assigned to one of three severity levels, Critical (red), Warning (amber) and Info (green).


Guardian FileSystem Tree and Integrity Status

This screen shows the new Watching menu options as well as extended (stop) monitoring commands. This also shows the watched subvols (orange only), the subvols with monitored files only (blue only) and watched subvols containing monitored files (Blue/Orange).


OSS Filesystem Tree

As with the Guardian screen, the OSS shows the orange/blue coding for the watched/monitored subdirectories. The monitored files have the blue flash and the tree has (almost) the same menu as the Guardian File system. In the OSS view a parent of a coloured folder will also have that colour – to allow you to drill down.

The second image shows the Watch Folders feature where you can add all files in a subdirectory and also automatically monitor any added files.


Found Values

ID captures a mismatched value and displays it in the GUI. The user can see immediately the ‘should-be’ and ‘actual’ values. ID checks all of an extended property (up to 24 KB) and highlights the first mismatch found. For the example on the right, the differences between the axis2/ reference value and the axis3/ found value are displayed.


Safeguard

ID monitors all Safeguard objects. This includes all Access Control Lists (ACLs) for discs, files, processes, devices, etc. Also monitors Safeguard Groups, Object Types, SEEPs, and Globals.

The upper Safeguard image to the right shows a Disk ACL just after being Baselined.

The lower one shows how our ID user (20,1) is given permission to scan the Safeguard Config. We practise what we preach and avoid powerful users as owners of the Pathway.


Pathway

This example shows the Pathway panel, which is one of the subsystems that’s monitored. Others include Netbatch jobs, persistent processes and SSH objects.

By registering a Pathway, a Netbatch system, an SSH subsystem or the Kernel-managed processes, the user can direct Integrity Detective to take an image of the subsystem and store it into its database. This is known as the Reference image. The process of capturing a Reference image is called Baselining.


Netbatch

This screen grab shows updated info for a job, along with example of a mismatched Calendar file.


ZZKRN PERSISTENT PROCESSES

SCF Kernel Managed Processes (persistent processes) are also included in subsystem integrity checks.

By default, the Kernel-Managed Processes (KMPs), sometimes called persistent processes, are a set of processes created by the vendor which are crucial to the running of the Operating System; in fact, one could argue that the OS is partly implemented through these processes.

In addition, users can add processes as required to implement, for example, a security strategy or to provide some crucial, must-always-exist component of the application. The Safeguard manager is usually included here, for example.


COM Programs

For third party utilities and for HPE subsystems where there is no programmatic access, the ID COM Programs module allows the user to check an INFO screen.

By giving the name of a COM program - one that is normally run from the TACL command line - and supplying an appropriate command, ID can be configured to run the command regularly and to check specific parts of the output to ensure the text has not changed.
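As an added example (not the product's own code), the Python below shows the shape of such a check and of the Found Values display described earlier: capture a COM-style program's output, keep only the watched region, mask fields that legitimately differ on every run (timestamps, process identifiers) so they do not cause false alerts, and report the first mismatch against the stored reference with surrounding context. The INFO-style output, the field names and the `--SECURITY--`/`--END--` markers are constructed for the example and are not real output of any HPE subsystem; the `run_command` helper shows where a real command would be executed but is not called by the demo, so it runs offline.

```python
"""Command-output integrity check: watched region, volatile-field masking,
first-mismatch reporting. Sample output below is constructed, not real."""
import re
import subprocess
from dataclasses import dataclass

# Fields that change on every run and must not trigger an alert (assumed formats).
VOLATILE = [
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "<TIME>"),
    (re.compile(r"\bPID \d+\b"), "PID <N>"),
]


@dataclass
class ComCheck:
    name: str             # label only; in real use the COM program's name
    command: list[str]    # command line that would produce the output
    watch_from: str       # regex for the first line of the watched region
    watch_to: str         # regex for the line that ends it (not included)


def run_command(cmd: list[str]) -> str:
    """Real use: capture the program's stdout. Not invoked by demo()."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def watched_region(output: str, watch_from: str, watch_to: str) -> str:
    keep, inside = [], False
    for line in output.splitlines():
        if not inside and re.search(watch_from, line):
            inside = True
        elif inside and re.search(watch_to, line):
            break
        if inside:
            keep.append(line)
    return "\n".join(keep)


def normalise(text: str) -> str:
    for pattern, replacement in VOLATILE:
        text = pattern.sub(replacement, text)
    return text


def first_mismatch(reference: str, found: str, context: int = 12):
    """None if equal; otherwise (offset, reference_snippet, found_snippet)."""
    n = min(len(reference), len(found))
    for i in range(n):
        if reference[i] != found[i]:
            break
    else:
        if len(reference) == len(found):
            return None
        i = n                      # one output is a prefix of the other
    lo = max(0, i - context)
    return (i, reference[lo:i + context], found[lo:i + context])


def check(cc: ComCheck, reference_output: str, current_output: str):
    ref = normalise(watched_region(reference_output, cc.watch_from, cc.watch_to))
    cur = normalise(watched_region(current_output, cc.watch_from, cc.watch_to))
    return first_mismatch(ref, cur)


# Constructed sample output (hypothetical INFO listing, not real HPE output).
REFERENCE_OUTPUT = (
    "INFO (constructed sample output)\n"
    "-- SECURITY --\n"
    "LAST-CHECK    2024-01-05 09:00:00\n"
    "AUDIT         ON\n"
    "REMOTE-ADMIN  OFF\n"
    "ALLOWED-NET   10.0.0.0/8\n"
    "-- END --\n"
    "Trailer: 14 lines printed\n"
)
OK_OUTPUT = (REFERENCE_OUTPUT.replace("2024-01-05 09:00:00", "2024-02-19 23:41:07")
             .replace("14 lines", "15 lines"))
TAMPERED_OUTPUT = OK_OUTPUT.replace("REMOTE-ADMIN  OFF", "REMOTE-ADMIN  ON ")


def demo() -> dict:
    cc = ComCheck("SAMPLECOM", ["samplecom", "INFO"],
                  watch_from=r"^-- SECURITY --", watch_to=r"^-- END --")
    return {"ok": check(cc, REFERENCE_OUTPUT, OK_OUTPUT),
            "tampered": check(cc, REFERENCE_OUTPUT, TAMPERED_OUTPUT)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The masking list is the part that needs care in practice: every field you mask is a field an attacker can change without being noticed, so mask only what genuinely varies run to run, and keep the watched region tight so unrelated chatter (the trailer line above) cannot mask or drown a real change.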


USER Notes

A nice feature for users is the ability to tag a note against each and every object ID monitors. With the correct procedural discipline, this allows a history to be built up over time showing what has happened to an object and what remedies were actioned. This can reference change documents or trouble tickets so that auditors can see that the 'alleged' (documented) processes actually took place.


Reports

Reporting is common to all segments of ID. Each top-level tab (apart from Welcome) has a Reporting tab below it that will show reports for that segment.

Some reports show the history of objects during a defined window and some show the status at the point in time that the report runs.

The output can go to: a spooler location, an EDIT file or back to the GUI that initiated it.

Each report can either be run immediately or can be scheduled to run at regular intervals. One report type can be scheduled to run at different intervals - eg both daily and weekly - depending on site requirements. In this case different output locations should be considered.


ALERTING TO SIEM (SYSLOG)

Integrity Detective is fully configurable to instantly send alerts to your enterprise SIEM (via syslog), EMS, or both.


CONTEXT SENSITIVE HELP

ID has both a comprehensive User Guide and context sensitive help which can be accessed by pressing F1 at any time to get help relating to the screen or panel being displayed.