Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
Help Center/ Host Security Service/ Best Practices/ Using HSS to Monitor the Integrity of Linux Server Files

Using HSS to Monitor the Integrity of Linux Server Files

Updated on 2024-11-13 GMT+08:00

Scenario

File integrity means that the file content is not modified, deleted, or damaged without authorization during storage, transmission, and processing, ensuring the authenticity and reliability. Ensure file integrity in server security protection includes but is not limited to the following aspects:

  • Data tampering prevention: File integrity monitoring prevents attackers from maliciously tampering with or damaging data and prevents data damage caused by software faults or misoperations of internal personnel, ensuring data integrity and authenticity.
  • Improving server security: File integrity monitoring helps you quickly identify unauthorized file modification and take corresponding security measures, reducing potential security risks and improving server defense capabilities.
  • Meet compliance requirements: Many industry standards and regulations require enterprises and organizations to protect the integrity and security of sensitive data. By monitoring file integrity, you can avoid legal risks and fines for data security issues.

HSS provides the server security alarm and file integrity management functions. HSS can monitor files or directories on the server and generate alarms for suspicious file or directory modification. This section describes how to use HSS functions to monitor the integrity of Linux server files.

Differentiated File Protection in Server Security Alarm and File Integrity Management

Both the server security alarm function and file integrity management function of HSS provide file integrity monitoring capabilities. The two functions can provide comprehensive security protection for files. For details about the differences, see Table 1.

Table 1 Differentiated file protection in server security alarms and file integrity management

Type

Server Alarms

File Integrity Monitoring (FIM)

Monitoring type

Files and directories

File

Alarm type

  • File privilege escalation: An alarm is generated for file privilege escalation.
  • File/Directory change: Monitors system files/directories in real time, and generates alarms for operations such as creating, deleting, moving, modifying attributes, or modifying content.

Key file change: Monitors key system files (such as ls, ps, login, and top) in real time and generates alarms for file content modification operations.

File protection principle

Conduct analysis based on behavior characteristics and focus on suspicious behaviors or activities.

Focus on the integrity of the file and determine whether the current file status is different from the last time by comparing the file status.

Supported OS

  • File privilege escalation: Linux
  • File/Directory changes: Windows and Linux

Linux

Advantages

You can monitor not only files, but also directories, and monitor more types for changing files.

File change records are stored permanently, helping O&M personnel investigate the behavior of attackers.

Prerequisites

HSS Professional, Enterprise, Premium, Web Tamper Protection, or Container Edition has been enabled for the server. For details, see HSS Access Overview.

Procedure

  1. Configuration file protection policy.

    1. Log in to the management console.
    2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
    3. In the navigation pane, choose Security Operations > Policies.
      NOTE:

      If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

    4. Click the name of the policy group to access the policy detail list.

      HSS provides multiple preset policy groups. After protection is enabled for a server, the preset system group is bound by default. You can also click Copy in the Operation column of a policy group. For details, see Creating a Custom Policy Group.

    5. Select the File Protection policy and click Enable in the Operation column to enable file protection detection.

      The file protection policy is enabled by default. If you have disabled the policy, you need to enable it.

    6. Click the File Protection policy. The policy details page is displayed.
    7. Customize the monitoring file directory and monitoring operation type. For details about the parameters, see Table 2.

      Table 2 displays the default values of file protection policies. You can customize file protection policies based on the site requirements. To prevent a large number of false alarms caused by file integrity changes and increase the O&M workload, you are advised to configure file protection policies as follows:

      1. Small-scale trial: When configuring the file protection policy for the first time, you are advised to perform the trial on a few servers.
      2. Policy tuning: Pay attention to the accuracy and applicability of policies during the validity period, and further improve the configured policies based on the results to reduce false positives.
      3. Formal application: After multiple policies tuning, if the matching result becomes stable and the false positives almost do not exist, the policy can be applied to more servers.
      Figure 1 File protection policy
      Table 2 Parameter description

      Policy Module

      Parameter

      Default Parameter Value

      Description

      File Privilege Escalation

      Check

      Enabled

      Detects privilege escalation.

      • : enabled
      • : disabled

      Ignored File Paths

      • /usr/lib64/hal/hald-runner
      • /usr/sbin/hald
      • /opt/nfast/sbin/privconn
      • /usr/sbin/dhclient
      • /usr/sbin/tcpdump

      Enter the path of the file to be ignored.

      Start the path with a slash (/) and do not end it with a slash (/). Each path occupies a line. No spaces are allowed between path names.

      File Integrity

      Check

      Enabled

      Detects the integrity of key files.
      • : enabled
      • : disabled

      File Paths

      • /bin/ls
      • /usr/bin/ls
      • /bin/ps
      • /usr/bin/ps
      • /bin/bash
      • /usr/bin/bash
      • /bin/login
      • /usr/bin/login
      • /usr/bin/passwd
      • /usr/bin/top
      • /usr/bin/killall
      • /usr/bin/ssh
      • /usr/bin/wget
      • /usr/bin/curl

      Enter the path of the file.

      Start the path with a slash (/) and do not end it with a slash (/). Each path occupies a line. No spaces are allowed between path names.

      Important File Directory Change

      Check

      Enabled

      Detects the directory change of key files.
      • : enabled
      • : disabled

      Session IP Whitelist

      -

      If the file process belongs to the sessions of the whitelisted IP addresses, the process is not audited.

      Unmonitored File Types

      • swo
      • swp
      • swpx
      • lck

      Suffix of the file type that is ignored.

      Unmonitored File Paths

      • /etc/init.d/.depend.start
      • /etc/init.d/.depend.stop
      • /etc/init.d/.depend.halt
      • /etc/init.d/.depend.boot
      • /var/spool/cron/sed*

      Enter the path of the file to be ignored.

      Monitoring Login Keys

      Enable and select Monitor Creation, Monitor Deletion, Monitor Movement, and Monitor Modification.

      Whether to enable the monitoring of login keys.
      • : enabled
      • : disabled

      Directory Monitoring Mode

      There are many file directories to be monitored. The following describes only some monitoring paths. For details, go to the HSS management console.

      • /etc/rc.d/rc.local
      • /etc/cron.allow
      • /etc/crontab
      • /var/spool/cron/root
      • /var/spool/cron/root
      • /etc/cron.allow
      • /etc/passwd
      • /etc/profile.d/zzz_euleros_history.sh
      • /etc/profile

      The value of directory monitoring modes can be Conservative or Sensitive. Compared with the Conservative mode, the Sensitive mode monitors more file or directory paths by default.

      In the two modes, some file or directory monitoring paths are preset. You can add or delete them as required.

      • File or Directory Path: path of the file or directory to be monitored. Up to 50 paths can be added. Ensure the specified paths are valid.
      • Alias: alias of a file or directory path. You can enter a name that is easy to distinguish.
      • Monitor Subdirectory: If this option is selected, all files in the corresponding subdirectories are monitored. If it is not selected, subdirectories are not monitored.
      • Monitor Creation, Monitor Deletion, Monitor Movement, and Monitor Modification: Select them as needed.

  2. (Optional) Deploy a policy for the server.

    If you configure a file protection policy based on a newly created custom policy group in 1, you need to deploy the new policy group and apply it to the target server after creating and configuring the policy group. For details, see Deploying a Protection Policy.

  3. View and handle file change alarms.

    HSS monitors the files or directory paths configured in the file protection policy in real time and generates alarms once detecting abnormal changes. After receiving an alarm, handle the alarm in a timely manner.

    1. In the navigation pane on the left, choose Detection & Response > Alarms. The Server Alarms page is displayed.
    2. In the list of alarms to be handled, expand Abnormal System Behavior and focus on several types of alarms related to file changes, as shown in Figure 2.
      Figure 2 Alarms related to file changes
    3. Click an alarm of any type. In the alarm list on the right, click the alarm name to view the details.
      Figure 3 Viewing alarm details
    4. Handle the alarm based on the Forensics information in the alarm details.
      • Alarms caused by normal operations.

        In the lower right corner of the alarm details page, click Ignore to ignore the alarm.

      • Alarms caused by malicious files or programs.
        1. Check whether high-risk alarms, such as reverse shell, abnormal login, and malware, are generated on the server. If yes, the server may be attacked. Perform a security check on the server immediately.
        2. In the lower right corner of the alarm details page, click Mark as handled to clear the alarm.

  4. View the file change history.

    The file integrity management page keeps file change records on the server, helping you locate suspicious changes.
    1. In the navigation pane on the left, choose Server Protection > File Integrity Monitoring. The File Integrity Monitoring page is displayed.
    2. View the file changes on the ECS.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback