Create / Edit FIM Policy

    The following steps, performed against an agent-based Dome9 Security Group, enable file integrity monitoring and create or modify the FIM policy for that group:

    Create FIM Policy

    1. Navigate to the Agent Security Groups page.
    2. Select a Dome9 agent-based security group, navigate to the File Integrity Monitoring tab, and select 'Enable FIM For This Group and Create a FIM Policy'.
    3. Choose a FIM policy template by clicking 'SELECT' next to 'Choose FIM Policy Template'.
    4. The default policy for the template you selected is displayed.
    5. To remove paths from the policy, click 'DELETE' against the path in question. The item is removed immediately.
    6. To add paths to your policy, select 'Include', specify the path below, and click 'ADD ITEM'.
    7. Similarly, to exclude paths, select 'Exclude', specify the path, and click 'ADD ITEM'.
    8. To exclude files from FIM by extension rather than by path, enter extensions in the form "*.xxx" under Excluded File Types.
      Note: Under Microsoft Windows, Dome9 FIM can also monitor the Windows registry for changes in addition to the filesystem. Registry items are added through the same Include/Exclude interface of Windows FIM policies, in the form 'HKLM\software\classes\protocols', for example. The stock Windows FIM policy contains examples of registry monitoring.

    9. Select a full-scan interval from the drop-down at the top of the FIM options.
    10. Click 'SAVE FIM POLICY' when finished so that your policy is saved and retained.

    Edit FIM Policy

    1. Navigate to the Agent Security Groups page.
    2. Select a Dome9 agent-based security group and navigate to the File Integrity Monitoring tab.
    3. To remove paths from the policy, click 'DELETE' against the path in question. The item is removed immediately.
    4. To add paths to your policy, select 'Include', specify the path below, and click 'ADD ITEM'.
    5. Similarly, to exclude paths, select 'Exclude', specify the path, and click 'ADD ITEM'.
    6. To exclude files from FIM by extension rather than by path, enter extensions in the form "*.xxx" under Excluded File Types.

      Note: Under Microsoft Windows, Dome9 FIM can also monitor the Windows registry for changes in addition to the filesystem. Registry items are added through the same Include/Exclude interface of Windows FIM policies, in the form 'HKLM\software\classes\protocols', for example. The stock Windows FIM policy contains examples of registry monitoring.
    7. To modify the scan interval, select a full-scan interval from the drop-down at the top of the FIM options.
    8. Click 'SAVE FIM POLICY' when finished so that your policy is saved and retained.

    When a Dome9 agent is installed and attached to a FIM-enabled policy group, an initial scan is performed and a baseline is created. The baseline holds the list of monitored directories and files together with their cryptographic checksums, and serves as the reference for subsequent scans and for real-time protection. The selected files and directories are then rescanned periodically; these scheduled scans are how the creation of new files is detected.

    Real-time notification is supported to detect deletion and modification. Changes detected during scheduled scans or upon real-time detection generate alerts that may be handled by different methods.

    An alert can simply be acknowledged or the relevant file can be selected to be ignored in subsequent scans by adding it as an exception to the security group FIM policy.
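    The baseline-and-rescan flow described above, with the Include, Exclude and Excluded File Types rules applied in the order the policy steps describe, as an added illustration that is not Dome9's code; the policy dictionary shape, the sample file tree and the helper names are assumptions made for this example:

```python
import fnmatch, hashlib, os, tempfile

# Hypothetical policy shape modelled on the Include / Exclude / Excluded File Types fields above; not the Dome9 format.
POLICY = {"include": ["etc"], "exclude": ["etc/cache"], "excluded_types": ["*.log"]}

def in_scope(rel, policy):
    """Include first, then Exclude, then Excluded File Types, on a root-relative path."""
    def under(prefixes):
        return any(rel == p or rel.startswith(p + "/") for p in prefixes)
    if not under(policy["include"]) or under(policy["exclude"]):
        return False
    return not any(fnmatch.fnmatch(os.path.basename(rel), p) for p in policy["excluded_types"])

def build_baseline(root, policy):
    """Record a SHA-256 checksum for every in-scope file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if in_scope(rel, policy):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def scan(root, policy, baseline):
    """Rescan and report paths created, modified or deleted since the baseline."""
    current = build_baseline(root, policy)
    return {"created": sorted(current.keys() - baseline.keys()),
            "deleted": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p])}

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(data)

def demo():
    """Constructed sample tree: take a baseline, apply changes, then scan."""
    root = tempfile.mkdtemp()
    _write(root, "etc/passwd", "root:x:0:0\n")
    _write(root, "etc/hosts", "127.0.0.1 localhost\n")
    _write(root, "etc/cache/x.db", "cached")   # excluded subtree, never baselined
    _write(root, "etc/app.log", "noise")       # excluded file type, never baselined
    baseline = build_baseline(root, POLICY)
    _write(root, "etc/passwd", "root:x:0:0\nsvc:x:1001:1001\n")  # modification
    _write(root, "etc/crontab", "0 * * * * root /bin/true\n")    # creation
    os.remove(os.path.join(root, "etc/hosts"))                    # deletion
    _write(root, "etc/app.log", "more noise")                     # must not alert
    return baseline, scan(root, POLICY, baseline)
```

    Adding a path that raised an alert to the exclude list, as the exception step above describes, simply drops it from scope on the next rescan.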

    To view FIM-related alerts, navigate to the main Alerts page and select the "FIM Alerts" tab. For more information, see the Audit Trail and Alerts section.