Managing FIM Policies using CRDs
This topic explains how to create, apply, and delete File Integrity Monitoring (FIM) policies using the FimPolicy Custom Resource Definition (CRD) in Kubernetes. This CRD lets you define and enforce security policies that monitor specific file operations in your Kubernetes cluster.
CRDs work with qualys-tc 2.1.0 (Unified Helm chart) and CRS version 1.0.1-0 onwards.
Prerequisites
- A running Kubernetes cluster
- Kubernetes CLI (kubectl) installed and configured to access your cluster
Custom Resource Definition (CRD) Overview
The FIM Policy CRD enables you to define the policies for monitoring file-based operations. You need to create a YAML file with the following arguments.
- Base Policy (base-policy): Specifies the file operation to be monitored on the specified monitor paths. Operations include:
  - file-open: CRS monitors events that occur when a file is opened.
  - file-read: CRS monitors events that occur when a file is read.
  - file-write: CRS monitors events that occur when a file is edited.
  - file-write-diff: CRS monitors the differences when a file is modified.
  - file-rename: CRS monitors events that occur when a file is renamed.
  - file-delete: CRS monitors events that occur when a file is deleted.
- Action (action): Specifies the action to take when a policy event is matched. Currently CRS supports only one action: audit.
- Monitor Paths (monitor-paths): Specifies the file paths or directories to be monitored. For example, /var/log or /etc/nginx.
Format of a FIM Policy
Typical formats of FIM and PCI FIM policies are shown below for your reference. Using these formats, you can create your own policies.
| FIM Policy Format | PCI FIM Policy Format |
|---|---|

| Filter | Description |
|---|---|
| apiVersion | Indicates the CRD version your cluster recognizes for Qualys FIM resources. Valid value: qualys.com/v1 |
| kind | Describes the type of resource. Valid value: FimPolicy |
| metadata | Describes the metadata of the policy object, such as its name. |
| name | A unique name for this policy within the namespace. |
| spec | Describes the specifications of the policy. |
| base-policy | Shows the name of the operation to monitor. |
| action | Shows the action to perform when a policy event is matched. Valid value: audit |
| monitor-paths | A list of files or directories to monitor. |
| match-binaries | (Optional) Filter events based on a change caused by specific executables. |
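The CRD overview and the filter table above give the complete shape of a FimPolicy manifest, so a practitioner can sanity-check a manifest before handing it to kubectl (the API server validates the CRD schema, but it will not tell you that a base-policy is misspelt or that a monitor path is relative). The following is an added example, not Qualys code: it builds a FimPolicy as a plain dict, validates it against the documented fields and allowed values, and renders it in the same layout the manifests on this page use, without depending on PyYAML. It assumes match-binaries is a list of executable paths (the page only says it filters on "specific executables") and applies a DNS-1123 label check to metadata.name; both are assumptions, not statements from the page.

```python
"""Build, validate and render Qualys FimPolicy manifests before `kubectl apply`.

Added example, not Qualys code. Field names and allowed values follow the
FimPolicy CRD overview and filter table on this page. Assumptions: the
match-binaries field is a list of executable paths, and metadata.name is
checked with a DNS-1123 label rule.
"""
import re

API_VERSION = "qualys.com/v1"
KIND = "FimPolicy"
# base-policy values listed in the CRD overview
BASE_POLICIES = ("file-open", "file-read", "file-write", "file-write-diff",
                 "file-rename", "file-delete")
# CRS currently supports a single action
ACTIONS = ("audit",)
# Kubernetes object names: lowercase alphanumerics and '-', not starting/ending with '-'
_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def build_fim_policy(name, base_policy, monitor_paths, match_binaries=None):
    """Assemble a FimPolicy manifest as a dict in the CRD's field order."""
    spec = {
        "base-policy": base_policy,
        "action": "audit",
        "monitor-paths": list(monitor_paths),
    }
    if match_binaries:
        # Assumption: match-binaries is a list of executable paths.
        spec["match-binaries"] = list(match_binaries)
    return {"apiVersion": API_VERSION, "kind": KIND,
            "metadata": {"name": name}, "spec": spec}


def validate_fim_policy(manifest):
    """Return a list of problems; an empty list means the manifest is acceptable."""
    errors = []
    if manifest.get("apiVersion") != API_VERSION:
        errors.append(f"apiVersion must be {API_VERSION}")
    if manifest.get("kind") != KIND:
        errors.append(f"kind must be {KIND}")
    name = (manifest.get("metadata") or {}).get("name")
    if not isinstance(name, str) or len(name) > 253 or not _NAME_RE.match(name):
        errors.append("metadata.name must be a valid lowercase Kubernetes object name")
    spec = manifest.get("spec") or {}
    if spec.get("base-policy") not in BASE_POLICIES:
        errors.append(f"spec.base-policy must be one of: {', '.join(BASE_POLICIES)}")
    if spec.get("action") not in ACTIONS:
        errors.append("spec.action must be 'audit'")
    paths = spec.get("monitor-paths")
    if not isinstance(paths, list) or not paths:
        errors.append("spec.monitor-paths must be a non-empty list")
    else:
        for p in paths:
            # monitor paths are absolute host-style paths such as /var/log or /etc/nginx
            if not isinstance(p, str) or not p.startswith("/"):
                errors.append(f"monitor path {p!r} is not an absolute path")
            elif "/../" in p or p.endswith("/.."):
                errors.append(f"monitor path {p!r} contains '..'; use the canonical path")
    binaries = spec.get("match-binaries")
    if binaries is not None and (not isinstance(binaries, list)
                                 or not all(isinstance(b, str) and b for b in binaries)):
        errors.append("spec.match-binaries must be a list of executable paths")
    unknown = set(spec) - {"base-policy", "action", "monitor-paths", "match-binaries"}
    if unknown:
        errors.append(f"unknown spec fields: {', '.join(sorted(unknown))}")
    return errors


def _quote(value):
    # Double-quote scalars as the page's manifests do; escape backslashes and quotes.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_yaml(manifest):
    """Serialise the manifest in the layout used on this page (no PyYAML needed)."""
    spec = manifest["spec"]
    lines = [
        f"apiVersion: {manifest['apiVersion']}",
        f"kind: {manifest['kind']}",
        "metadata:",
        f"  name: {manifest['metadata']['name']}",
        "spec:",
        f"  base-policy: {_quote(spec['base-policy'])}",
        f"  action: {_quote(spec['action'])}",
    ]
    for key in ("monitor-paths", "match-binaries"):
        if key in spec:
            lines.append(f"  {key}:")
            lines.extend(f"    - {_quote(item)}" for item in spec[key])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample modelled on Example 1: audit opens of a few /etc files.
    policy = build_fim_policy("monitor-fim-file-open", "file-open",
                              ["/etc/shadow", "/etc/passwd", "/etc/sudoers"])
    problems = validate_fim_policy(policy)
    if problems:
        raise SystemExit("\n".join(problems))
    print(render_yaml(policy), end="")  # redirect to a file, then: kubectl apply -f <file>
```

Run it with the output redirected to a file and apply that file with kubectl as in the examples below; a non-zero exit with the listed problems means the manifest should be fixed before it reaches the cluster.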
Operations
This section explains various CRS operations that you can perform using FIM policies.
Creating and Applying a FIM Policy
Create a FimPolicy by using kubectl apply or kubectl create with a YAML manifest file. Once you create and apply the YAML file, CRS starts monitoring the targets (monitor-paths) specified in it.
Example 1: Identifying File Open Operations
To identify file open operations using a FIM policy,
1. Create a YAML file based on your requirement.
For example, you can create,
- A FIM policy with this name - fim-policy-file-open.yaml
- A PCI FIM policy with this name - pci-fim-file-open.yaml
| fim-policy-file-open.yaml | pci-fim-file-open.yaml |
|---|---|

```yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-fim-file-open
spec:
  base-policy: "file-open"
  action: "audit"
  monitor-paths:
    - "/etc/shadow"
    - "/etc/hosts"
    - "/etc/audit/audit.rules"
    - "/etc/hosts.deny"
    - "/etc/passwd"
    - "/etc/audit/rules.d/audit.rules"
    - "/etc/pam.d/system-auth"
    - "/etc/ssh/sshd_config"
    - "/etc/audit/auditd.conf"
    - "/etc/hosts.allow"
    - "/etc/group"
    - "/etc/sudoers"
```
2. Apply the File Open policy.
If you are using FIM Policy,
kubectl apply -f fim-policy-file-open.yaml
OR
If you are using PCI FIM Policy,
kubectl apply -f pci-fim-file-open.yaml
Example 2: Identifying File Read Operations
This operation can be performed and monitored only in the FIM environment, not in the PCI FIM environment.
To identify File read operations using a FIM policy,
1. Create a YAML file: fim-policy-file-read.yaml
| fim-policy-file-read.yaml |
|---|
2. Apply the File Read policy
kubectl apply -f fim-policy-file-read.yaml
Example 3: Identifying File Write Operations
To identify File Write operations using a FIM policy,
1. Create a YAML file based on your requirement, with the following name.
- For a FIM policy, create fim-policy-file-write.yaml
- For a PCI FIM policy, create pci-lightweight-fim-file-write.yaml
| fim-policy-file-write.yaml | pci-lightweight-fim-file-write.yaml |
|---|---|

```yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-lightweight-fim-file-write
spec:
  base-policy: "file-write"
  action: "audit"
  monitor-paths:
    - "/etc/sudoers"
    - "/etc/ssh/sshd_config"
```
2. Apply the File Write policy.
If you are using FIM Policy,
kubectl apply -f fim-policy-file-write.yaml
OR
If you are using PCI FIM Policy,
kubectl apply -f pci-lightweight-fim-file-write.yaml
Example 4: Identifying File Write Diff Operations
To identify File Write Difference operations using a FIM policy,
1. Create a YAML file based on your requirement, with the following name.
- For a FIM policy, create fim-policy-file-write-diff.yaml
- For a PCI FIM policy, create pci-lightweight-fim-file-write-diff.yaml
| fim-policy-file-write-diff.yaml | pci-lightweight-fim-file-write-diff.yaml |
|---|---|

```yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-lightweight-fim-file-write-diff
spec:
  base-policy: "file-write-diff"
  action: "audit"
  monitor-paths:
    - "/etc/sudoers"
    - "/etc/ssh/sshd_config"
```
2. Apply the File Write Diff policy.
If you are using FIM Policy,
kubectl apply -f fim-policy-file-write-diff.yaml
OR
If you are using PCI FIM Policy,
kubectl apply -f pci-lightweight-fim-file-write-diff.yaml
Example 5: Identifying File Rename Operations
To identify File Rename operations using a FIM policy,
1. Create a YAML file based on your requirement, with the following name.
- For a FIM policy, create fim-policy-file-rename.yaml
- For a PCI FIM policy, create pci-lightweight-fim-file-rename.yaml
| fim-policy-file-rename.yaml | pci-lightweight-fim-file-rename.yaml |
|---|---|

```yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-lightweight-fim-file-rename
spec:
  base-policy: "file-rename"
  action: "audit"
  monitor-paths:
    - "/etc/sudoers"
    - "/etc/ssh/sshd_config"
```
2. Apply the File Rename policy.
If you are using FIM Policy,
kubectl apply -f fim-policy-file-rename.yaml
OR
If you are using PCI FIM Policy,
kubectl apply -f pci-lightweight-fim-file-rename.yaml
Example 6: Identifying File Delete Operations
To identify File Delete operations using a FIM policy,
1. Create a YAML file based on your requirement, with the following name.
- For a FIM policy, create fim-policy-file-delete.yaml
- For a PCI FIM policy, create pci-fim-file-delete.yaml
| fim-policy-file-delete.yaml | pci-fim-file-delete.yaml |
|---|---|
2. Apply the File Delete policy.
If you are using FIM Policy,
kubectl apply -f fim-policy-file-delete.yaml
OR
If you are using PCI FIM Policy,
kubectl apply -f pci-fim-file-delete.yaml
Viewing FIM Policies
To list all FIM Policy resources, use:
kubectl get policies.qualys.com
To view details of a specific policy, run:
kubectl describe policies.qualys.com <policy-name>
Example
kubectl describe policies.qualys.com monitor-file-open
Deleting a FIM Policy
To delete a FIM Policy, use:
kubectl delete policies.qualys.com <policy-name>
Example
kubectl delete policies.qualys.com monitor-file-open
Alternatively, you can delete a policy using its YAML manifest:
kubectl delete -f fim-policy-file-open.yaml