This documentation describes setting up and using File Integrity Monitoring for VMware Tanzu (FIM).
File Integrity Monitoring for VMware Tanzu provides logs of file and directory modifications in monitored paths. Operators and auditors use these logs to satisfy security requirements for file integrity monitoring for Tanzu Operations Manager-managed BOSH VMs.
You can use FIM to help achieve compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).
File Integrity Monitoring enables you to:
The following table provides version and version-support information about FIM.
Element | Details |
---|---|
Version | 2.1.43 |
Release date | August 29, 2024 |
Compatible VMware Tanzu Operations Manager versions | 3.0, 2.10, 2.9, 2.8, and 2.7 |
Compatible VMware Tanzu Application Service for VMs (TAS for VMs) versions | 6.0, 5.0, 4.0, 3.0, 2.13, 2.12, 2.11, 2.10, 2.9, 2.8, and 2.7 |
Compatible VMware Tanzu Application Service for VMs [Windows] (TAS for VMs [Windows]) versions | 3.0, 2.13, 2.12, 2.11, 2.10, 2.9, 2.8, and 2.7 |
Compatible BOSH stemcells | Ubuntu Xenial, Jammy, and Windows 2016, 1803, 2019 |
IaaS support | vSphere, GCP, AWS, Azure, and OpenStack |
File Integrity Monitoring has the following limitations:
The BOSH Context Adaptor for File Integrity Monitoring (BCAF) is a feature that reduces the number of logs that an operator needs to review. It notifies the Event Logger about BOSH events and lowers the severity of those events. This allows operators to focus on high severity events.
BCAF does this by observing BOSH Agent log entries, which are located at /var/vcap/bosh/log/current. When the BOSH Agent receives an event from the BOSH Director, the Agent begins to generate logs corresponding to the events. BCAF analyzes the start and end of the events, and lowers the severity of any BOSH-related paths in the Event Logger. These events are then output into /var/vcap/sys/log/fim/fim.stdout.log.
This diagram illustrates how the BOSH Context Adaptor analyzes BOSH events:
In the example shown in the diagram above, the BOSH Director starts an event and sends it to the BOSH Agent. The BOSH Agent runs mkdir and touch; fsnotify reports the resulting filesystem events, and the Agent begins to log the events in the BOSH Agent log.
For example:
TimeStamp 1: BOSH event started
...
TimeStamp N: BOSH event finished
The Context Adaptor analyzes the events taking place in the BOSH Agent log. It observes that the directory /var/vcap/foo and the file bar.txt are related during the mkdir event. It then notifies the Event Logger that these are BOSH events and changes their severity level to 3.
The log output from the Event Logger reflects this change:
...
/var/vcap/foo is created [it is related to a normal BOSH event && severity is LOW]
...
bar.txt is created [it is related to a normal BOSH event && severity is LOW]
...
For an example log entry, see Example of Log Message Identified by BCAF.
Note A user or Tanzu Operations Manager can start BOSH events. For example, if a user initiates a BOSH deploy, this can create files and make directories.
Also, BCAF detects the initial action of opening an SSH session through BOSH, but it does not detect commands run afterwards within that session. If a user SSHes onto a VM and creates files or directories, that is not a BOSH-triggered event: FIM still logs the change, but BCAF does not attribute it to BOSH or lower its severity.
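The correlation described above and in the note, shown as an added illustration that is not FIM's or BCAF's own code: a small Python adaptor parses constructed BOSH Agent log lines, builds a start/finish window per task together with the paths the task itself touched, and demotes matching file events to severity 3 (LOW). Everything else, including a path the task never mentioned and a file created after a bosh ssh task has already finished, keeps its original severity. The agent log line format, the HIGH severity value, the "in window and on a task path" attribution rule and all names are assumptions for the example; only the LOW severity of 3 and the shape of the output message come from the page.

```python
"""Toy BOSH Context Adaptor: demote file events that fall inside a BOSH
task window and touch a path that task manipulated.

Added example, not FIM's code. Log formats, SEV_HIGH and the attribution
rule are assumptions; severity 3 for BOSH-related events is from the docs.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SEV_HIGH = 1   # assumption: default severity of a change in a monitored path
SEV_LOW = 3    # the page says BCAF lowers BOSH-related events to 3

# Constructed BOSH Agent log lines (assumed format, not the real agent log).
# Task 42 is a deploy step; task 43 is the initial "bosh ssh" action.
AGENT_LOG = """\
2024-08-29T10:00:00Z [task 42] started
2024-08-29T10:00:01Z [task 42] mkdir /var/vcap/foo
2024-08-29T10:00:02Z [task 42] touch /var/vcap/foo/bar.txt
2024-08-29T10:00:05Z [task 42] finished
2024-08-29T10:06:00Z [task 43] started
2024-08-29T10:06:00Z [task 43] ssh
2024-08-29T10:06:01Z [task 43] finished
"""

# Constructed fsnotify-style events as the Event Logger might receive them.
FS_EVENTS = [
    ("2024-08-29T10:00:01Z", "CREATE", "/var/vcap/foo"),
    ("2024-08-29T10:00:02Z", "CREATE", "/var/vcap/foo/bar.txt"),
    ("2024-08-29T10:00:03Z", "CREATE", "/var/vcap/unrelated.sh"),  # in window, not a task path
    ("2024-08-29T10:07:00Z", "CREATE", "/var/vcap/foo/evil.so"),   # typed inside the ssh session
]

LINE_RE = re.compile(r"^(\S+) \[task (\d+)\] (\w+)(?: (\S+))?$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class TaskWindow:
    task_id: str
    start: datetime
    end: Optional[datetime]   # None while the task is still running
    paths: set


def parse_agent_log(text: str) -> dict:
    """Build one TaskWindow per task id from the agent log text."""
    windows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, task_id, verb, arg = m.groups()
        t = parse_ts(ts)
        if verb == "started":
            windows[task_id] = TaskWindow(task_id, t, None, set())
        elif task_id in windows:
            if verb == "finished":
                windows[task_id].end = t
            elif arg:   # mkdir/touch/... carry the path the task acted on
                windows[task_id].paths.add(arg)
    return windows


def classify(event, windows: dict):
    """Return (severity, reason). LOW only if the event lies inside a task
    window AND the task's own log mentioned the path (assumed rule)."""
    ts, _action, path = event
    t = parse_ts(ts)
    for w in windows.values():
        end = w.end or datetime.max   # an unfinished task is still open
        if w.start <= t <= end and path in w.paths:
            return SEV_LOW, f"it is related to a normal BOSH event (task {w.task_id})"
    return SEV_HIGH, "it is not attributed to any BOSH event"


def annotate(events, windows: dict):
    """Produce (path, severity, message) triples in the style of fim.stdout.log."""
    out = []
    for ts, action, path in events:
        sev, why = classify((ts, action, path), windows)
        label = "LOW" if sev == SEV_LOW else "HIGH"
        out.append((path, sev, f"{path} is created [{why} && severity is {label}]"))
    return out


if __name__ == "__main__":
    for _path, _sev, msg in annotate(FS_EVENTS, parse_agent_log(AGENT_LOG)):
        print(msg)
```

Running the block prints the two deploy-created paths at LOW and the other two at HIGH. The design choice worth noting is that attribution is keyed on both time and path: a change inside the window on a path the task never logged, or any change after the ssh task's own window closed, is exactly the kind of activity an operator wants to keep at full severity.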