Configuring Linux Agent

Linux Agents can be configured and managed from the FortiSIEM Supervisor node.

Before proceeding, install the Linux Agent following the instructions in the Linux Agent Installation Guide.

To receive logs from the Linux Agent, you must complete the following steps:

  1. Define the Linux Agent Monitoring Templates.
  2. Associate Linux Agents to Templates.

Once these steps are completed, the Supervisor node will distribute monitoring policies to the Linux Agents and you will be able to see events in FortiSIEM.

Note: FortiSIEM Linux Agent will not perform file integrity monitoring on the /root directory.


Define the Linux Agent Monitor Templates

Complete these steps to add a Linux Agent Monitor Template:

  1. Go to ADMIN > Setup > Linux Agent tab.
  2. Click New under the section Linux Agent Monitor Templates.
  3. In the Linux Agent Monitor Template dialog box, enter the information below.
  4. Generic tab:

    Configure the Generic settings with reference to the table below:

    • Name [Required]: Enter the name of the FortiSIEM Linux Agent. This name is used as a reference in Template associations.
    • Description [Required]: Enter the description about the FortiSIEM Linux Agent.

    Syslog tab:

    Configure the Syslog settings with reference to the table below:

    • Syslog: Select the Facility with the corresponding Syslog levels:
      • Emergency
      • Alert
      • Critical
      • Error
      • Warning
      • Notice
      • Info
      • Debug

    Log File tab:

    Configure the Log File settings with reference to the table below:

    • Log Files: Click New to add the custom log files to monitor:
      • File—(Required) Enter the full file name.
      • Log Prefix—(Required) A prefix used to identify events from this file, so that they are easier to find.

    FIM tab:

    Configure the FIM settings with reference to the table below:

    • FIM: Click New to add the files to monitor:
      • Include File/Directory—Enter the file or directory to monitor.
      • Exclude File/Directory—Enter the files or directories to exclude from monitoring, using a semi-colon (;) as a separator.
      • Action—Select the actions to monitor when there is an event in the included file or directory:
        • All—All of the following actions will be monitored.
        • Open—One or more of the monitored files or directories has been opened.
        • Close—One or more of the monitored files or directories has been closed.
        • Create—A file or directory has been created in one or more of the monitored files or directories.
        • Modify—One or more of the monitored files or directories has been edited.
        • Delete—One or more of the monitored files or directories has been deleted.
        • Attribute Change—An attribute belonging to one or more of the monitored files or directories has been changed.
      • On Modify (appears only if All or Modify is selected):
        • Push Files—Select this if you want Linux Agent to push files to FortiSIEM whenever there is a change. The files are stored in SVN and are accessible from the Supervisor. These files are displayed in CMDB > Device > File. Send only important files, as this can fill up disk space.
        • Compare Baseline—Select this if you want to be alerted when the file changes from a baseline. This is common for configuration files that rarely change. If you choose this option, you will be asked to provide a copy of the baseline file. Click Choose File and upload the file from your workstation. The Supervisor will compute the MD5 checksum and distribute the checksum to the agents for comparison.
  5. Click Save.
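The following Python script is an added example written for this page; it is not FortiSIEM code and not part of the guide. It shows the two template semantics described above: the Exclude File/Directory field split on the semi-colon separator, and the Compare Baseline check, in which the MD5 checksum computed from the uploaded baseline is compared against the current hash of the monitored file (the result uses the attribute names of the FSM_LINUX_FILE_CHANGE_BASELINE event). The INCLUDE and EXCLUDE values are constructed, and matching entries as path prefixes on directory boundaries is an assumption; the guide does not say how entries are matched.

```python
import hashlib
import os
import tempfile

# Constructed template values (not from the guide): Include /etc, Exclude two
# volatile files separated by ';' as the FIM tab requires.
INCLUDE = "/etc"
EXCLUDE = "/etc/mtab;/etc/resolv.conf"


def parse_exclude_list(exclude_field: str) -> list:
    """Split the Exclude File/Directory field on the ';' separator."""
    return [entry.strip() for entry in exclude_field.split(";") if entry.strip()]


def _under(path: str, root: str) -> bool:
    """True if path equals root or lies below it. Assumption: entries match on
    directory boundaries, so /etcetera is not under /etc."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def is_monitored(path: str, include: str, exclude_field: str) -> bool:
    """A path is monitored when it is under Include and under no Exclude entry."""
    if not _under(path, include):
        return False
    return not any(_under(path, ex) for ex in parse_exclude_list(exclude_field))


def md5_of_file(path: str) -> str:
    """Checksum the file in chunks; MD5 is the algorithm the guide names for baselines."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_baseline(path: str, baseline_md5: str) -> dict:
    """Agent-side comparison of the current hash against the checksum the
    Supervisor distributed. Keys follow the FSM_LINUX_FILE_CHANGE_BASELINE attributes."""
    current = md5_of_file(path)
    return {
        "fileName": path,
        "hashCode": current,
        "targetHashCode": baseline_md5.lower(),
        "hashAlgo": "MD5",
        "changed": current != baseline_md5.lower(),
    }


def demo() -> tuple:
    """Constructed walk-through: upload a baseline, then edit the file."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "mlm.txt")
    with open(target, "wb") as fh:
        fh.write(b"abc")                      # baseline content
    baseline = md5_of_file(target)            # what the Supervisor computes on upload
    before = compare_baseline(target, baseline)
    with open(target, "ab") as fh:
        fh.write(b"\nretest")                 # a later edit on the host
    after = compare_baseline(target, baseline)
    return baseline, before["changed"], after["changed"]


if __name__ == "__main__":
    print(is_monitored("/etc/ssh/sshd_config", INCLUDE, EXCLUDE))   # True
    print(is_monitored("/etc/resolv.conf", INCLUDE, EXCLUDE))       # False, excluded
    print(demo())
```

Note that a baseline comparison only tells you the content differs; the event carries both hashes but not the diff. Combine Compare Baseline with Push Files when you need to see what changed.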

Associate Linux Agents to Templates

After defining the monitoring templates, associate the hosts to templates. To scale to a large number of hosts, this is done via Policies. A Policy is a mapping from Organization and Host to Templates and Collectors. Policies are evaluated in order (a lower order or rank means higher priority) and the first policy that matches is selected. Therefore, define the exceptions first, followed by the broad policies. Hosts can be defined in terms of CMDB Device Groups or Business Services. Multiple templates can be used in one Policy, and the system detects conflicts, if any.

Complete these steps to associate a Host to a Template:

  1. Click New under the section Host To Template Associations.
  2. In the Host To Template Associations dialog box, enter the information below.

    • Name: Name of the Host to Template Association.
    • Organization: Select the organization.
    • Host: Use the drop-down list to browse the folders and select the items.
    • Template: Select one or more monitoring templates from the list, or select All Templates to select all. You can also use the search bar to find a specific template.
    • Collector: Select the Collector from the list, or select All Collectors to select all. Agents forward events to Collectors via HTTP(S). A Collector is chosen at random and, if that Collector is not available or non-responsive, another Collector in the list is chosen.
  3. Click Save and Apply.
    A Rank number is automatically assigned to the association.

You can use the Edit button to modify, or the Delete button to remove, any template association.
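As an added example (not FortiSIEM code and not from this guide), the following Python model shows how rank-ordered policy evaluation and the Collector selection described above behave, including what goes wrong when a broad policy is ranked above an exception. The organization, group, template and collector names are constructed, and matching a host by membership in a named group is an assumption about how "CMDB Device Groups or Business Services" resolve.

```python
import random
from dataclasses import dataclass


@dataclass
class Policy:
    rank: int                 # lower rank = higher priority
    name: str
    organization: str
    host_groups: frozenset    # CMDB Device Groups or Business Services (assumed to be plain names)
    templates: tuple
    collectors: tuple


@dataclass
class Host:
    name: str
    organization: str
    groups: frozenset


# Constructed associations: the narrow DB exception is ranked above the broad rule.
POLICIES = (
    Policy(1, "DB exception", "Acme", frozenset({"DB Servers"}),
           ("Linux base", "DB FIM"), ("collector-a",)),
    Policy(2, "All Linux", "Acme", frozenset({"Linux Servers"}),
           ("Linux base",), ("collector-a", "collector-b", "collector-c")),
)


def select_policy(host: Host, policies):
    """First policy in rank order whose organization and host scope match; None if nothing matches."""
    for policy in sorted(policies, key=lambda p: p.rank):
        if policy.organization == host.organization and host.groups & policy.host_groups:
            return policy
    return None


def pick_collector(collectors, reachable, rng=random):
    """Random first choice; if that Collector is not reachable, try another one in the list."""
    candidates = list(collectors)
    rng.shuffle(candidates)
    for collector in candidates:
        if collector in reachable:
            return collector
    return None   # no Collector in the list is reachable


def resolve(host: Host, policies, reachable, rng=random) -> dict:
    """What the Supervisor would push to one agent: templates and a Collector."""
    policy = select_policy(host, policies)
    if policy is None:
        return {"policy": None, "templates": (), "collector": None}
    return {"policy": policy.name, "templates": policy.templates,
            "collector": pick_collector(policy.collectors, reachable, rng)}


if __name__ == "__main__":
    db01 = Host("db01", "Acme", frozenset({"Linux Servers", "DB Servers"}))
    print(resolve(db01, POLICIES, reachable={"collector-a"}))
```

A host that is a member of both groups gets the rank-1 exception; if the two ranks were swapped, the broad "All Linux" policy would match first and the DB FIM template would never be applied, which is why the guide says to define exceptions first.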

Viewing Agent Status

Complete these steps to view the Agent status for any specific device:

  1. Go to CMDB > Devices and select the device.

    The following fields display the information related to the Agent:
    • Agent Status: status of the Agent running on the device.
    • Agent Policy: agent policy.
    • Monitor Status: status of monitoring.

    The Agent Status indicates the following:

    • Registered: Agent has completed registration but has not received the monitoring template.
    • Running Active: Agent has received a monitoring template and is performing properly.
    • Running Inactive: Agent is running but does not have a monitoring template. The reasons can be (a) no license or (b) an incomplete definition, that is, no Collector or Template is defined for that host.
    • Stopped: Agent is stopped on the Linux Server.
    • Disconnected: Supervisor did not receive any status from the Agent for the last 10 minutes.

Enabling or Disabling an Agent

Complete these steps to enable or disable Linux Agent for a specific device:

  1. Go to CMDB > Devices and select the required device.
  2. Select the Action drop-down menu and click Enable Agent to enable or Disable Agent to disable Agent monitoring for the selected device.

Viewing Files in FortiSIEM

If the FortiSIEM Agent is running on a Server and a FIM policy is enabled with Push Files On Modify, then the FortiSIEM Agent will send the files to FortiSIEM when a change is detected. FortiSIEM stores the files in SVN on the Supervisor.

  1. Go to the CMDB page. Make sure that AGENT is one of the Methods.
  2. Search for the device in CMDB by name.

    Use the host name that you used to install the Linux Agent.

  3. Click File beneath the device table.

    You will see all of the files that were changed since the monitoring template was applied.

  4. Select a file.

    If you need to search for a file, set the From and To dates. The files which changed between those dates will be displayed.

  5. Click the file name on the left and its contents will be displayed in the right-hand window.

    Each file has a header containing file metadata, followed by the actual file content.

    • OWNER: The name of the file owner.
    • GROUP: The user group for specifying file permissions.
    • PERMISSION=USER: "OWNER", PERMIT: "...": The file owner's permissions.
    • PERMISSION=GROUP: "MEMBER", PERMIT: "...": The group members' file permissions.
    • PERMISSION=GROUP: "OTHER", PERMIT: "...": File permissions for users who are neither the owner nor group members.
    • FILEPATH: The full file name, including the path.
    • HASHCODE: The file hash.
    • HASHALGO: The algorithm used to compute the file hash.
    • MODIFIED_TIME: The time when the file was last modified.
  6. To see the differences between two files, select two files on the left and click Diff.

File Integrity Monitoring Logs

The following sections describe various use cases that can be detected from File Integrity Monitoring logs.

Use Case 1: File Created

Event Type

FSM_LINUX_FILE_CREATE

Important Event Attributes

  • targetOsObjType: The type of object that was created: File or Directory.
  • targetOsObjName: The name of the file or directory.
  • user: The name of the user who made the change.
  • hashCode: The hash code of the file.
  • hashAlgo: The algorithm used to compute the file hash.

Reports

Agent FIM: Linux File/Directory Creation/Deletion/Movement/Unmount Activity

Rules

Agent FIM - Linux File or Directory Created

Sample Log

Fri Mar 27 09:39:25 2020 centos7: [FSM_LINUX_FILE_CREATE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CREATE,[targetObjType]=File,[targetObjName]="/mlm/a.log",[hashCode]="d41d8cd98f00b204e9800998ecf8427e",[hashAlgo]="MD5",[user]=root


Use Case 2: File Deleted

Event Type

FSM_LINUX_FILE_DELETE

Important Event Attributes

  • targetOsObjType: The type of object that was deleted: File or Directory.
  • targetOsObjName: The name of the file or directory.
  • user: The name of the user who made the change.

Reports

Agent FIM: Linux File/Directory Creation/Deletion/Movement/Unmount Activity

Rules

Agent FIM - Linux File or Directory Deleted

Sample Log

Fri Mar 27 09:43:11 2020 centos7: [FSM_LINUX_FILE_DELETE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=DELETE,[targetObjType]=File,[targetObjName]="/mlm/k.log",[user]=root


Use Case 3: File Attributes Changed

Event Type

FSM_LINUX_FILE_ATTRIB_CHANGE

Important Event Attributes

  • targetOsObjType: The type of object: File or Directory.
  • targetOsObjName: The name of the file or directory.
  • user: The name of the user who made the change.
  • fileOwner: The name of the owner of the file or directory.
  • userGrp: The name of the user group for the file or directory.
  • userPerm: The permission granted to the owner.
  • groupPerm: The permission granted to the user group.
  • otherPerm: Other permissions.

Reports

Agent FIM: Linux File/Directory Ownership or Permission Changes

Rules

  • Agent FIM - Linux Directory Ownership or Permission changed
  • Agent FIM - Linux File Ownership or Permission Changed

Sample Log

Fri Mar 27 09:45:27 2020 centos7: [FSM_LINUX_FILE_ATTRIB_CHANGE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=ATTRIBUTE_CHANGE,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[fileOwner]="root",[groupName]="mlm",[userPerm]="READ,WRITE,EXEC",[groupPerm]="READ,EXEC",[otherPerm]="READ,EXEC",[user]=root


Use Case 4: File Modified

Event Type

FSM_LINUX_FILE_MODIFY

Important Event Attributes

  • targetOsObjName: The name of the file.
  • user: The name of the user who made the change.
  • hashCode: The hash code of the file.
  • hashAlgo: The algorithm used to compute the file hash.

Reports

Agent FIM: Linux File Content Modified

Rules

Agent FIM - Linux File Content Modified

Sample Log

Fri Mar 27 09:47:06 2020 centos7: [FSM_LINUX_FILE_MODIFY]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=MODIFY,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[hashCode]=5d71f074cf9a75e0324f210160d4b9cb,[hashAlgo]=md5,[user]=root


Use Case 5: File Modified and Upload is Selected

Event Type

PH_DEV_MON_FILE_CONTENT_CHANGE

Important Event Attributes

  • userId: The ID of the user who modified the file.
  • domain: The user’s domain for a Domain computer.
  • fileName: The name of the file that was modified.
  • procName: The Windows process that was used to modify the file.
  • hashCode, hashAlgo: The file hash after modification and the algorithm used to calculate the hash.
  • oldSVNVersion: The SVN revision number of the file before change.
  • newSVNVersion: The SVN revision number of the file after change.
  • addedItem: The lines that were added to the file.
  • deletedItem: The lines that were removed from the file.

Reports

Agent FIM: Linux File Content Modified in SVN

Rules

Audited file or directory content modified in SVN

Sample Log

<14>Mar 27 09:51:30 sp3 phPerfMonitor[6340]: [PH_DEV_MON_FILE_CONTENT_CHANGE]:[eventSeverity]=PHL_INFO,[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=306,[phCustId]=2000,[hostName]=centos7,[hostIpAddr]=10.30.3.39,[fileName]=/mlm/mlm.txt,[hashCode]=ac399331afa9d1f13618c9eff36ed51c,[oldSVNVersion]=53,[newSVNVersion]=54,[deletedItem]=(none),[addedItem]=retest;,[user]=root,[hashAlgo]=MD5,[phLogDetail]=


Use Case 6: File Baseline Changed

Event Type

FSM_LINUX_FILE_CHANGE_BASELINE

Important Event Attributes

  • targetOsObjName: The name of the baseline file.
  • user: The name of the user who made the change.
  • hashCode: The hash code of the file after modification.
  • hashAlgo: The algorithm used to create the file hash.
  • targetHashCode: The hash code of the baseline file.

Reports

Agent FIM: Linux File Change from Baseline

Rules

Agent FIM - Linux File Changed From Baseline

Sample Log

Fri Mar 27 09:51:23 2020 centos7: [FSM_LINUX_FILE_CHANGE_BASELINE]: [fileName]=/mlm/mlm.txt,[targetHashCode]="aa63e826654915e0e2e1da385e6d14f8",[hashCode]="ac399331afa9d1f13618c9eff36ed51c",[hashAlgo]="MD5",[user]=root


Use Case 7: File Renamed

Event Types

  • FSM_LINUX_FILE_MOVED_TO
  • FSM_LINUX_FILE_MOVED_FROM

Important Event Attributes

  • targetOsObjType: The file type: File or Directory.
  • targetOsObjName: The file or directory name.
  • user: The name of the user who renamed the file.

Reports

Agent FIM: Linux File/Directory Creation/Deletion/Movement/Unmount Activity

Rules

None

Sample Logs

Fri Mar 27 09:57:42 2020 centos7: [FSM_LINUX_FILE_MOVED_FROM]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=MOVED_FROM,[targetObjType]=File,[targetObjName]="/mlm/bb.log",[user]=root


Fri Mar 27 09:57:42 2020 centos7: [FSM_LINUX_FILE_MOVED_TO]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=MOVED_TO,[targetObjType]=File,[targetObjName]="/mlm/cc.log",[user]=root


Use Case 8: File Accessed

Event Type

FSM_LINUX_FILE_ACCESS

Important Event Attributes

  • targetOsObjType: The file type: File or Directory.
  • targetOsObjName: The file or directory name.
  • user: The name of the user who accessed the file.

Reports

None

Rules

None

Sample Log

Fri Mar 27 10:05:28 2020 centos7: [FSM_LINUX_FILE_ACCESS]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=ACCESS,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[user]=root


Use Case 9: File Opened

Event Type

FSM_LINUX_FILE_OPEN

Important Event Attributes

  • targetOsObjType: The file type: File or Directory.
  • targetOsObjName: The file or directory name.
  • user: The name of the user who opened the file.

Reports

None

Rules

None

Sample Log

Fri Mar 27 09:57:40 2020 centos7: [FSM_LINUX_FILE_OPEN]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=OPEN,[targetObjType]=Directory,[targetObjName]="/mlm",[user]=root


Use Case 10: File Closed

Event Types

  • FSM_LINUX_FILE_CLOSE_WRITE
  • FSM_LINUX_FILE_CLOSE_NOWRITE

Important Event Attributes

  • targetOsObjType: The file type: File or Directory.
  • targetOsObjName: The file or directory name.
  • user: The name of the user who closed the file.

Reports

None

Rules

None

Sample Logs

Fri Mar 27 09:57:36 2020 centos7: [FSM_LINUX_FILE_CLOSE_WRITE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CLOSE_WRITE,[targetObjType]=File,[targetObjName]="/mlm/bb.log",[user]=root


Fri Mar 27 10:05:28 2020 centos7: [FSM_LINUX_FILE_CLOSE_NOWRITE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CLOSE_NOWRITE,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[user]=root
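To show what can be built on the sample logs in the use cases above, here is an added Python parser and a small set of defender-side checks, written for this page and not taken from FortiSIEM. It reads the agent's `[key]=value` format, extracts the event type, and runs checks that follow directly from the attribute descriptions: a FSM_LINUX_FILE_CHANGE_BASELINE whose hashCode differs from targetHashCode, an attribute change that grants WRITE to "other", a content change with added lines, and a create or modify whose MD5 is the hash of empty input (the hashCode in the Use Case 1 sample is exactly that value). The sample lines are the ones from the use cases, plus one constructed FSM_LINUX_FILE_ATTRIB_CHANGE line so that the permission check has something to fire on.

```python
import re
from collections import Counter

# Sample logs from the use cases above, plus one constructed
# FSM_LINUX_FILE_ATTRIB_CHANGE line (the last one) that grants WRITE to "other".
SAMPLE_LOGS = [
    'Fri Mar 27 09:39:25 2020 centos7: [FSM_LINUX_FILE_CREATE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CREATE,[targetObjType]=File,[targetObjName]="/mlm/a.log",[hashCode]="d41d8cd98f00b204e9800998ecf8427e",[hashAlgo]="MD5",[user]=root',
    'Fri Mar 27 09:43:11 2020 centos7: [FSM_LINUX_FILE_DELETE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=DELETE,[targetObjType]=File,[targetObjName]="/mlm/k.log",[user]=root',
    'Fri Mar 27 09:45:27 2020 centos7: [FSM_LINUX_FILE_ATTRIB_CHANGE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=ATTRIBUTE_CHANGE,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[fileOwner]="root",[groupName]="mlm",[userPerm]="READ,WRITE,EXEC",[groupPerm]="READ,EXEC",[otherPerm]="READ,EXEC",[user]=root',
    'Fri Mar 27 09:47:06 2020 centos7: [FSM_LINUX_FILE_MODIFY]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=MODIFY,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[hashCode]=5d71f074cf9a75e0324f210160d4b9cb,[hashAlgo]=md5,[user]=root',
    '<14>Mar 27 09:51:30 sp3 phPerfMonitor[6340]: [PH_DEV_MON_FILE_CONTENT_CHANGE]:[eventSeverity]=PHL_INFO,[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=306,[phCustId]=2000,[hostName]=centos7,[hostIpAddr]=10.30.3.39,[fileName]=/mlm/mlm.txt,[hashCode]=ac399331afa9d1f13618c9eff36ed51c,[oldSVNVersion]=53,[newSVNVersion]=54,[deletedItem]=(none),[addedItem]=retest;,[user]=root,[hashAlgo]=MD5,[phLogDetail]=',
    'Fri Mar 27 09:51:23 2020 centos7: [FSM_LINUX_FILE_CHANGE_BASELINE]: [fileName]=/mlm/mlm.txt,[targetHashCode]="aa63e826654915e0e2e1da385e6d14f8",[hashCode]="ac399331afa9d1f13618c9eff36ed51c",[hashAlgo]="MD5",[user]=root',
    'Fri Mar 27 09:57:42 2020 centos7: [FSM_LINUX_FILE_MOVED_FROM]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=MOVED_FROM,[targetObjType]=File,[targetObjName]="/mlm/bb.log",[user]=root',
    'Fri Mar 27 09:57:42 2020 centos7: [FSM_LINUX_FILE_MOVED_TO]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=MOVED_TO,[targetObjType]=File,[targetObjName]="/mlm/cc.log",[user]=root',
    'Fri Mar 27 10:05:28 2020 centos7: [FSM_LINUX_FILE_ACCESS]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=ACCESS,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[user]=root',
    'Fri Mar 27 09:57:40 2020 centos7: [FSM_LINUX_FILE_OPEN]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=OPEN,[targetObjType]=Directory,[targetObjName]="/mlm",[user]=root',
    'Fri Mar 27 09:57:36 2020 centos7: [FSM_LINUX_FILE_CLOSE_WRITE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CLOSE_WRITE,[targetObjType]=File,[targetObjName]="/mlm/bb.log",[user]=root',
    'Fri Mar 27 10:05:28 2020 centos7: [FSM_LINUX_FILE_CLOSE_NOWRITE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CLOSE_NOWRITE,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[user]=root',
    # constructed for this example, not from the guide:
    'Fri Mar 27 10:10:00 2020 centos7: [FSM_LINUX_FILE_ATTRIB_CHANGE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=ATTRIBUTE_CHANGE,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[fileOwner]="root",[groupName]="mlm",[userPerm]="READ,WRITE,EXEC",[groupPerm]="READ,EXEC",[otherPerm]="READ,WRITE,EXEC",[user]=root',
]

# Agent-side header: "<weekday> <month> <day> <time> <year> <host>: [TYPE]: ..."
AGENT_HDR = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<host>[^\s:]+): ")
ETYPE = re.compile(r"\[(?P<etype>[A-Z][A-Z0-9_]*)\]:")          # first [UPPER_CASE]: is the event type
KV = re.compile(r'\[(?P<k>[A-Za-z0-9_]+)\]=(?P<v>"[^"]*"|[^,]*)')  # quoted values may contain commas
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"                    # MD5 of zero bytes


def parse_event(line: str):
    """Parse one FSM_LINUX_* or PH_* line into a flat dict; None if no event type is found."""
    etype = ETYPE.search(line)
    if not etype:
        return None
    event = {"eventType": etype.group("etype")}
    header = AGENT_HDR.match(line)
    if header:
        event["timestamp"] = header.group("ts")
        event["reporter"] = header.group("host")
    for kv in KV.finditer(line, etype.end()):      # a repeated key (fileName) keeps its last value
        event[kv.group("k")] = kv.group("v").strip().strip('"')
    event.setdefault("reporter", event.get("hostName"))   # Supervisor-side lines carry hostName instead
    return event


def findings(ev: dict) -> list:
    """Defender-side checks that follow from the attribute descriptions above."""
    out = []
    etype = ev["eventType"]
    if etype == "FSM_LINUX_FILE_CHANGE_BASELINE" and ev.get("hashCode") != ev.get("targetHashCode"):
        out.append(f"{ev['fileName']}: content differs from baseline "
                   f"({ev['hashAlgo']} {ev['targetHashCode']} -> {ev['hashCode']})")
    if etype == "FSM_LINUX_FILE_ATTRIB_CHANGE" and "WRITE" in ev.get("otherPerm", "").split(","):
        out.append(f"{ev['targetObjName']}: now writable by everyone (otherPerm={ev['otherPerm']}) by {ev['user']}")
    if etype == "PH_DEV_MON_FILE_CONTENT_CHANGE" and ev.get("addedItem", "(none)") != "(none)":
        out.append(f"{ev['fileName']}: SVN r{ev['oldSVNVersion']} -> r{ev['newSVNVersion']}, added: {ev['addedItem']}")
    if etype in ("FSM_LINUX_FILE_CREATE", "FSM_LINUX_FILE_MODIFY") and ev.get("hashCode", "").lower() == EMPTY_MD5:
        out.append(f"{ev['targetObjName']}: hash is that of empty input, the file is empty")
    return out


def summarize(lines) -> dict:
    """Parse every line, count event types and collect findings."""
    events = [ev for ev in map(parse_event, lines) if ev]
    return {
        "events": events,
        "counts": Counter(ev["eventType"] for ev in events),
        "alerts": [alert for ev in events for alert in findings(ev)],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS)
    for etype, n in sorted(result["counts"].items()):
        print(f"{n:2d}  {etype}")
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Run on the samples, the summary yields four findings: the empty a.log from Use Case 1, the baseline mismatch from Use Case 6, the SVN revision change with its added line from Use Case 5, and the constructed world-writable permission change. The open, close, access and move events parse cleanly but produce no finding on their own, which matches the guide listing no rules for them.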

Agent Troubleshooting Notes

A Linux Agent can be in the following states (shown in CMDB):

  • Registered
  • Running Inactive
  • Running Active
  • Disabled
  • Disconnected

When an Agent is installed and registered, it is in the Registered state. The following audit event is generated: PH_AUDIT_AGENT_INSTALLED.

When a monitoring template is assigned to the device, the state moves to Running Inactive. When the agent receives the template and starts monitoring, the state moves to Running Active. In both cases, the following audit event is generated: PH_AUDIT_AGENT_RUNNING.

The Agent periodically sends heartbeat messages. When a heartbeat is not received for 10 minutes, the state moves to Disconnected and the audit event PH_AUDIT_AGENT_NOTRESPONDING is generated. Status is checked every 1 hour. At that time, if the Supervisor has heard from the Agent in the last 15 minutes, the state moves back to Running Inactive and a PH_AUDIT_AGENT_RUNNING audit event is generated.

If the Agent is disabled from the GUI, the state moves to Disabled and a PH_AUDIT_AGENT_DISABLED audit event is generated.

If the Agent is uninstalled or the service is stopped, the state moves to Disconnected and the audit event PH_AUDIT_AGENT_NOTRESPONDING is generated.

Audit events are generated at state transitions; however, the event PH_AUDIT_AGENT_NOTRESPONDING is generated every hour to identify all agents that are currently disconnected. A nested query can be run to detect Agents that did not report in the last N hours. Note that PH_AUDIT events must be queried with System Event Category = 2. Rules do not need this condition.
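The state machine and heartbeat timings described above, as an added Python model written for this page (not FortiSIEM code). The 10-minute heartbeat timeout, the 15-minute recovery window at the hourly status check, and the audit event names come from the text. The silent_agents function is one interpretation of the nested query mentioned at the end: an agent counts as not having reported in the last N hours when its audit rows in that window contain no PH_AUDIT_AGENT_RUNNING and contain an hourly PH_AUDIT_AGENT_NOTRESPONDING for each of those hours. The agent names and timestamps are constructed. A real FortiSIEM query would additionally need System Event Category = 2.

```python
from datetime import datetime, timedelta

HEARTBEAT_TIMEOUT = timedelta(minutes=10)   # no heartbeat for 10 minutes: Disconnected
RECOVERY_WINDOW = timedelta(minutes=15)     # heard within 15 minutes at the hourly check: Running Inactive
RUNNING = "PH_AUDIT_AGENT_RUNNING"
NOT_RESPONDING = "PH_AUDIT_AGENT_NOTRESPONDING"


class LinuxAgentState:
    """Supervisor-side view of one agent: its CMDB state and the audit events emitted."""

    def __init__(self, name: str, now: datetime):
        self.name = name
        self.state = "Registered"
        self.last_heartbeat = now
        self.audit = [("PH_AUDIT_AGENT_INSTALLED", now)]

    def _transition(self, new_state: str, event: str, now: datetime):
        self.state = new_state
        self.audit.append((event, now))

    def assign_template(self, now):          # a policy assigned a template to the device
        if self.state == "Registered":
            self._transition("Running Inactive", RUNNING, now)

    def start_monitoring(self, now):         # the agent received the template and began monitoring
        if self.state == "Running Inactive":
            self._transition("Running Active", RUNNING, now)

    def heartbeat(self, now):
        self.last_heartbeat = now

    def disable(self, now):                  # Action > Disable Agent in the GUI
        self._transition("Disabled", "PH_AUDIT_AGENT_DISABLED", now)

    def service_stopped(self, now):          # agent uninstalled or service stopped
        self._transition("Disconnected", NOT_RESPONDING, now)

    def check_heartbeat(self, now):          # runs whenever the Supervisor evaluates freshness
        if self.state.startswith("Running") and now - self.last_heartbeat > HEARTBEAT_TIMEOUT:
            self._transition("Disconnected", NOT_RESPONDING, now)

    def hourly_status_check(self, now):      # the 1-hour status check from the text
        if self.state != "Disconnected":
            return
        if now - self.last_heartbeat <= RECOVERY_WINDOW:
            self._transition("Running Inactive", RUNNING, now)
        else:
            self.audit.append((NOT_RESPONDING, now))   # repeated every hour while disconnected


def silent_agents(audit_rows, now: datetime, n_hours: int) -> list:
    """Agents that did not report in the last n_hours, from rows of (agent, event, timestamp).
    Interpretation of the nested query: no RUNNING in the window and an hourly NOTRESPONDING
    for every hour of it."""
    window_start = now - timedelta(hours=n_hours)
    per_agent = {}
    for agent, event, ts in audit_rows:
        if window_start <= ts <= now:
            per_agent.setdefault(agent, []).append(event)
    return sorted(agent for agent, events in per_agent.items()
                  if RUNNING not in events and events.count(NOT_RESPONDING) >= n_hours)


def simulate() -> tuple:
    """Constructed timeline: db01 drops out and recovers; web02 never reports back."""
    t = datetime(2020, 3, 27, 9, 0)
    db01 = LinuxAgentState("db01", t)
    db01.assign_template(t + timedelta(minutes=1))
    db01.start_monitoring(t + timedelta(minutes=2))
    db01.heartbeat(t + timedelta(minutes=30))
    db01.check_heartbeat(t + timedelta(minutes=35))    # 5 minutes quiet: still Running Active
    db01.check_heartbeat(t + timedelta(minutes=45))    # 15 minutes quiet: Disconnected
    db01.hourly_status_check(t + timedelta(hours=1))   # still silent: another NOTRESPONDING
    db01.heartbeat(t + timedelta(hours=1, minutes=50))
    db01.hourly_status_check(t + timedelta(hours=2))   # heard 10 minutes ago: Running Inactive
    rows = [("db01", event, ts) for event, ts in db01.audit]
    # web02 (constructed): hourly NOTRESPONDING from 08:00 to 11:00 and nothing else
    rows += [("web02", NOT_RESPONDING, datetime(2020, 3, 27, hour, 0)) for hour in range(8, 12)]
    silent = silent_agents(rows, now=datetime(2020, 3, 27, 11, 0), n_hours=3)
    return db01.state, [event for event, _ in db01.audit], silent


if __name__ == "__main__":
    print(simulate())
```

The recovered agent lands in Running Inactive, not Running Active, exactly as the text states; it only returns to Running Active once it reports that monitoring has resumed. The hourly repeat of PH_AUDIT_AGENT_NOTRESPONDING is what makes the "silent for N hours" query possible without keeping state outside the event store.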