This topic tells you how to install File Integrity Monitoring for VMware Tanzu (FIM) on BOSH Director.

When you install the FIM tile using Tanzu Operations Manager, FIM does not monitor the files on your BOSH Director. To apply FIM to the BOSH Director VM, you must do the below procedures.

Prerequisites

Before you install FIM, you must have:

• An Tanzu Operations Manager operator user account with admin rights. See Tanzu Operations Manager Operators.

• Tanzu Operations Manager. For compatible versions, see the Product Snapshot.

• A web server accessible from Tanzu Operations Manager to serve the FIM binary.

Install FIM

To install FIM on your BOSH Director:

1. Download the FIM tile from VMware Tanzu Network.

2. Unzip the FIM tile by running:

   unzip p-fim-X.X.X.pivotal -d PATH-TO-UNZIP
   

   For example:

   $ unzip p-fim-2.0.0.pivotal -d /tmp
   

3. Find and record the SHA checksum for the binary file by running:

   shasum PATH-TO-UNZIP/releases/fim-X.X.X.pivotal
   

   For example:

   $ shasum /tmp/releases/fim-2.0.0.pivotal
   5edf5fd2f9bf8e876b6bdc871e53b5db97593b21 fim-2.0.0.pivotal
   

4. Copy the binary file to your web server.

5. Add FIM to BOSH Director by running:

   om  \
   -t OPS-MANAGER-URL \
   -u OPS-MANAGER-USERNAME \
   -p OPS-MANAGER-PASSWORD \
   curl -p "/api/v0/staged/director/manifest_operations/add_job_to_instance_group" \
   -x POST \
   -H "Content-Type: application/json" \
   -d '{
           "add_job_to_instance_group": {
             "instance_group": "bosh",
             "job_name": "fim",
             "release_name": "fim",
             "release_url": "FIM-BINARY-URL",
             "release_sha1": "FIM-SHA1",
             "job_properties": {"fim": {}}
           }
       }'
   

   Where:

   • FIM-BINARY-URL is the URL to the binary file on your web server.
   • FIM-SHA1 is the SHA checksum for the binary file you recorded in the above step.

   The output of the above command looks similar to the following:

   Status: 201 Created
   Cache-Control: no-cache, no-store
   Connection: keep-alive
   Content-Type: application/json; charset=utf-8
   Date: Mon, 04 Nov 2019 17:09:08 GMT
   Expires: Fri, 01 Jan 1990 00:00:00 GMT
   Pragma: no-cache
   Referrer-Policy: strict-origin-when-cross-origin
   Server: Ops Manager
   Strict-Transport-Security: max-age=31536000; includeSubDomains
   X-Content-Type-Options: nosniff
   X-Download-Options: noopen
   X-Frame-Options: SAMEORIGIN
   X-Permitted-Cross-Domain-Policies: none
   X-Request-Id: 7d961c91-b7d6-428c-a68d-c36c9059f7f9
   X-Runtime: 0.220906
   X-Xss-Protection: 1; mode=block
   {
     "add_job_to_instance_group": {
       "instance_group": "bosh",
       "job_name": "fim",
       "release_name": "fim",
       "release_url": "http://localhost:4567/fim-1.5.0.tgz",
       "release_sha1": "15c52a9e56ca8e796dd61b55a48d962e2f4e763b",
       "job_properties": {
         "fim": {}
       },
       "guid": "op-653b1111a60a",
       "product_guid": "p-bosh-eb686414b9fa37183507"
     }
   }
   

6. Record the value of guid in the above output. If you want to delete FIM from BOSH Director, you need this value.

7. Navigate to the Installation Dashboard in Tanzu Operations Manager.

8. Click Review Pending Changes.

9. Select BOSH Director. Do not select any other check box.

10. Click Apply Changes.

Verify FIM Installation

To verify that FIM is running on your BOSH Director:

1. SSH into the BOSH Director VM. For instructions, see SSH Into the BOSH Director VM.

2. View the status of processes running on BOSH Director by running:

   sudo monit summary
   

   For example:

   bosh/0:~$ sudo monit summary
   The Monit daemon 5.2.5 uptime: 4m
   Process 'system-metrics-server'     running
   Process 'nats'                      running
   Process 'postgres'                  running
   Process 'director'                  running
   Process 'worker_1'                  running
   Process 'worker_2'                  running
   Process 'worker_3'                  running
   Process 'director_scheduler'        running
   Process 'director_sync_dns'         running
   Process 'director_nginx'            running
   Process 'health_monitor'            running
   Process 'uaa'                       running
   Process 'credhub'                   running
   Process 'blobstore_nginx'           running
   Process 'fim'                       running
   System 'system_localhost'           running
   

3. Confirm that fim is present in the above output.

Uninstall FIM

To uninstall FIM from your BOSH Director:

1. Uninstall FIM by running:

   om  \
   -t OPS-MANAGER-URL \
   -u OPS-MANAGER-USERNAME \
   -p OPS-MANAGER-PASSWORD \
   curl -p "/api/v0/staged/director/manifest_operations/add_job_to_instance_group/FIM-GUID" \
   -x DELETE \
   

   Where FIM-GUID is the value of guid that you recorded in Install FIM above.