Dome9 provides automated managed FIM service based on the open source OSSEC project.
Here is a list of steps and validations that will assist with troubleshooting File Integrity Monitoring (FIM) issues:
- Makes sure your agent is connected to the Dome9 system by finding it in the Dome9 console - "Network Security" → "Protected Assets" and verifying that Dome9 Agent : Status is 'Accessible'
- Verify that under the Agent FIM part exist with "Start scan" button.
Note: If no FIM Section exist it means the FIM monitoring is not enabled on this Agent Security group.
- Verify what is the Status under FIM, there can be 4 options (Monitoring, Scanning, Initializing and Creating baseline)
Monitoring - monitoring is enabled correctly and full scans are performed according to the defined frequency.
Scanning - The OSSEC service is currently scanning this Instance files policy.
Initializing - The OSSEC service is initializing on this Instance.
Creating baseline - After the service is initialized it scans the system several times to create a baseline for comparison on the server.
- If the initializing step is taking too much time a warning alert should be visible on FIM section
- The OSSEC service uses UDP protocol on Port 1514, verify the port is not closed (The OSSEC server Destination: 188.8.131.52)
OSSEC Service (FIM)
The hosted OSSEC service is used to accept traffic from the OSSEC moduled in the Dome9 agent.
This service is only required for customers utilizing the FIM functionality.
Protocol: UDP, port 1514
Dome9 has a Magic IP called 'Dome9 Service' that contains all these IP addresses.
If you wish to restrict egress traffic from your servers, you can use this object to allow egress HTTPS traffic Dome9 servers (also enable UDP 1514 if OSSEC/FIM is enabled).
If on AWS VPC and restricting traffic via NACL, then due to the NACL stateless nature - make sure to allow the return path as well (the responses from Dome9 service).
In the FIM use case, either allow all UDP traffic from Dome9 OSSEC service IP address, *or* open all Ephemeral ports to inbound traffic (at the NACL level) and then restrict it further (to only allow traffic from Dome9 servers) using dedicated SG rules (and utilizing Dome9's Magic IP)
- Review the agent log files. There are 2 of them - one for the Dome9 agent and one for the OSSEC module:
For Linux Agents:
For Window Agents:
C:\Program Files (x86)\Dome9\ossec-agent\ossec.log
- Contact Dome9 support - using the 'Feedback & Support' link from the top right menu (in Dome9 console). Provide this information:
- Name of the agent / server
- OS type
- Any relevant information on the network environment
- Hosting provider
- The 2 log files specified above
Not relevant (missing guide) - Verify you have proper connectivity between the agent and the Dome9 cloud. Please pay special care to the last section (FIM). This is especially valid when working from networks with limited egress connectivity.