This documentation describes setting up and using File Integrity Monitoring for VMware Tanzu (FIM).
File Integrity Monitoring for VMware Tanzu provides logs of file and directory modifications in monitored paths. Operators and auditors use these logs to satisfy security requirements for file integrity monitoring for Ops Manager-managed BOSH VMs.
You can use FIM to help achieve compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).
File Integrity Monitoring enables you to:
The following table provides version and version-support information about FIM.

| Element | Details |
|---|---|
| Release date | November 23, 2022 |
| Compatible Pivotal Operations Manager versions | 2.10, 2.9, 2.8, and 2.7 |
| Compatible VMware Tanzu Application Service for VMs (TAS for VMs) versions | 2.13, 2.12, 2.11, 2.10, 2.9, 2.8, and 2.7 |
| Compatible VMware Tanzu Application Service for VMs [Windows] (TAS for VMs [Windows]) versions | 2.13, 2.12, 2.11, 2.10, 2.9, 2.8, and 2.7 |
| Compatible BOSH stemcells | Ubuntu Xenial, Ubuntu Jammy, and Windows 2016, 1803, 2019 |
| IaaS support | vSphere, GCP, AWS, Azure, and OpenStack |
File Integrity Monitoring has the following limitations:
The BOSH Context Adaptor for File Integrity Monitoring (BCAF) reduces the number of logs that an operator needs to review. It notifies the Event Logger which file changes are the result of BOSH events and lowers the severity of those events, so that operators can focus on high severity events.
BCAF does this by observing BOSH Agent log entries, which are located at /var/vcap/bosh/log/current. When the BOSH Agent receives an event from the BOSH Director, the Agent generates log entries for that event. BCAF identifies the start and end of each event and, for changes to BOSH-related paths made while the event is in progress, lowers the severity recorded by the Event Logger. These events are then output into
This diagram illustrates how the BOSH Context Adaptor analyzes BOSH events:
In the example shown in the diagram above, the BOSH Director starts an event and sends it to the BOSH Agent. The file changes the BOSH Agent makes while handling it produce touch events in fsnotify, and the Agent begins to log the event in the BOSH Agent log.
TimeStamp 1: BOSH event started
TimeStamp N: BOSH event finished
The Context Adaptor analyzes the events taking place in the BOSH Agent log. It observes that the directory /var/vcap/foo and the file bar.txt were created during the mkdir event, so they are related to that BOSH event. It then notifies the Event Logger that these are BOSH events and changes their severity level to LOW.
The log output from the Event Logger reflects this change:
/var/vcap/foo is created [it is related to a normal BOSH event && severity is LOW]
bar.txt is created [it is related to a normal BOSH event && severity is LOW]
For an example log entry, see Example of Log Message Identified by BCAF.
Note: BOSH events can be started by a user or by Ops Manager. For example, a user-initiated BOSH deploy can create files and directories, and BCAF treats those changes as BOSH events.
BCAF also detects the initial bosh ssh action, but it does not detect any commands run afterwards within the SSH session. If a user SSHes onto a VM and creates files or directories, that is not a BOSH-triggered event: BCAF does not detect it, and the severity of those changes is not lowered.
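The following is an added example, not FIM's or BCAF's own code, that models the correlation described above: pair each BOSH action's start and end markers from the Agent log, then downgrade to LOW only those file events that fall inside such a window and touch a BOSH-related path. The Agent log lines, the "action=... started/finished" markers, the fsnotify events, the /var/vcap/ prefix used to decide what counts as BOSH-related, and the HIGH default severity are all constructed assumptions for this example; the real /var/vcap/bosh/log/current format differs. The sample input also exercises the two cases the note calls out: a file dropped inside an SSH session after the bosh ssh action has finished, and an action that started but never finished, neither of which is downgraded.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Sequence, Tuple

# Assumption: only paths under these prefixes count as "BOSH-related" and are
# eligible for the LOW severity downgrade.
BOSH_MANAGED_PREFIXES: Tuple[str, ...] = ("/var/vcap/",)

# Constructed BOSH Agent log excerpt. The real format of
# /var/vcap/bosh/log/current differs; the "action=... started/finished"
# markers are an assumption made for this example.
AGENT_LOG = """\
2022-11-23T10:00:00Z [Agent] INFO action=apply started
2022-11-23T10:00:01Z [Agent] INFO action=apply mkdir /var/vcap/foo
2022-11-23T10:00:05Z [Agent] INFO action=apply finished
2022-11-23T10:05:00Z [Agent] INFO action=ssh started
2022-11-23T10:05:01Z [Agent] INFO action=ssh finished
2022-11-23T10:20:00Z [Agent] INFO action=compile_package started
"""

# Constructed fsnotify-style events: (timestamp, operation, path).
FILE_EVENTS: List[Tuple[str, str, str]] = [
    ("2022-11-23T10:00:01Z", "CREATE", "/var/vcap/foo"),            # inside apply
    ("2022-11-23T10:00:02Z", "CREATE", "/var/vcap/foo/bar.txt"),    # inside apply
    ("2022-11-23T10:00:03Z", "MODIFY", "/etc/passwd"),              # inside apply, not a BOSH path
    ("2022-11-23T10:07:00Z", "CREATE", "/var/vcap/foo/dropped.sh"), # typed inside the SSH session
    ("2022-11-23T10:21:00Z", "CREATE", "/var/vcap/data/pkg.tgz"),   # action started, never finished
]


@dataclass(frozen=True)
class BoshWindow:
    action: str
    start: datetime
    end: datetime


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


_MARKER = re.compile(r"^(?P<ts>\S+) .*\baction=(?P<action>\w+) (?P<state>started|finished)\b")


def parse_bosh_windows(agent_log: str) -> List[BoshWindow]:
    """Pair each action's 'started' line with its 'finished' line.

    An action that never finishes stays open and yields no window, so file
    changes made during it are NOT downgraded (fail closed).
    """
    open_actions: Dict[str, datetime] = {}
    windows: List[BoshWindow] = []
    for line in agent_log.splitlines():
        m = _MARKER.match(line)
        if not m:
            continue  # ordinary Agent chatter, e.g. the mkdir line above
        ts = _ts(m["ts"])
        if m["state"] == "started":
            open_actions[m["action"]] = ts
        elif m["action"] in open_actions:
            windows.append(BoshWindow(m["action"], open_actions.pop(m["action"]), ts))
    return windows


def classify(agent_log: str, events: Sequence[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Attach a severity to each file event, the way BCAF informs the Event Logger."""
    windows = parse_bosh_windows(agent_log)
    records: List[Dict[str, str]] = []
    for ts_text, op, path in events:
        ts = _ts(ts_text)
        window: Optional[BoshWindow] = next(
            (w for w in windows if w.start <= ts <= w.end), None)
        if window is not None and path.startswith(BOSH_MANAGED_PREFIXES):
            severity = "LOW"
            context = f"related to a normal BOSH event ({window.action})"
        else:
            severity = "HIGH"  # assumption: default severity when no BOSH context applies
            context = "no BOSH context"
        records.append({"path": path, "op": op, "severity": severity, "context": context})
    return records


if __name__ == "__main__":
    for r in classify(AGENT_LOG, FILE_EVENTS):
        print(f"{r['path']} {r['op']} [{r['context']} && severity is {r['severity']}]")
```

Running the block prints one line per event in the style of the Event Logger output above: the two apply-time creations under /var/vcap/foo come out LOW, while the /etc/passwd modification (inside the window but outside the BOSH-managed prefix), the file dropped during the SSH session, and the file written during the unfinished compile_package action all keep their HIGH severity. The fail-closed handling of an unfinished action and the path prefix check are design choices of this example, not documented BCAF behaviour.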