File activity monitoring functionality

FAM functionality on Windows and UNIX file servers is similar to Data Activity Monitoring. This topic describes the similarities and differences.

FAM Support lists the supported platforms for FAM discovery, classification, and monitoring.

Figure 1. FAM functionality in UNIX file servers (UNIX workflow diagram)
Figure 2. FAM functionality in Windows file servers (Windows workflow diagram)

Discovery and classification

FAM discovery and classification (Windows file system, AIX file system, Red Hat, and Ubuntu) report entitlement and content classification details for the specified file server folders. Based on the results, you can create smart policies, define groups, and audit their files, focusing on the important assets (by using FAM monitoring).

The basic discovery scan identifies the list of folders and files, their owner, access permissions, size, and the date and time of the last update. It also identifies user permissions and group permissions. Discovery supports all file types.

Classification is defined by decision plans. Each decision plan contains rules for recognizing a certain type of data. (Decision plans for File Activity Monitoring are analogous to classification policies for Data Activity Monitoring.) FAM classification for Linux® and Windows is based on IBM Content Classification. Classification supports many types of files, including plain text, HTML, Office, PDF, PST (Microsoft Outlook folder; Microsoft Outlook must be installed), and NSF (Lotus Notes® database) format. Lotus Notes is not required; NSF is supported by running a script that is installed with IBM® Content Classification. For complete lists of supported text types, see What data types are supported and Oracle Text Supported Document Formats in the Oracle documentation.

Default decision plans exist for HIPAA, PCI, SOX, and Source Code. By using the default decision plans, you can change the classification entities from the resulting reports or from the investigation dashboard. In addition, you can create new plans, or modify existing plans, by using the Content Classifier workbench, a Windows application that you upload to your collector appliance. See the requirements for IBM Content Classification Version 8.8 in the IBM technote at http://www-01.ibm.com/support/docview.wss?uid=swg27020838. Plans are activated and configured through the Guardium® Installation Manager (GIM).

Discovery and classification are handled by a discovery agent, called the file crawler. The file crawler sends the file metadata, and the data from its discovery and classification processes, to the Guardium system. The scan schedule is configurable. Subsequent (incremental) scans, run after the initial discovery and classification, identify new and changed files only. Install and configure the file crawler with the Guardium Installation Manager (GIM) just as you would any other bundle.

Monitor, Audit, and Block

FAM monitors, alerts on, and blocks file access according to the Guardium policy rules. The rules specify which file servers and files to monitor and what actions to take if policy rules are violated, for example, log the violation, alert, or block access. Monitored operations are Read, Write, Execute, Delete, Change Owner, Permissions, and Properties. Any activity that matches the security policy rule criteria is sent to the Guardium collector, where it is stored in the Guardium repository. (FAM differs from database activity monitoring, where the S-TAP® sends all data activity to Guardium for monitoring.) All events that are recorded in the Guardium repository are audited events.

In UNIX servers, file activity monitoring is implemented by the S-TAP, running on the file server. For NFS volumes, it is important that an S-TAP is installed and configured on all servers that access those volumes. One S-TAP agent can manage both file server and database activity monitoring: if you have licenses for both capabilities, you can use the same S-TAP agent for both. Install and configure S-TAP with the Guardium Installation Manager (GIM) just as you would any other bundle.

In Windows servers, file activity monitoring is implemented by the FamMonitor bundle, which is installed independently of S-TAP.

UID chain for FAM: FAM identifies the process and the user that performed the access (and not external programs). For instance, if Process 1 (user janedoe) creates Process 2 (user johndoe), then for file events that are related to Process 2, FAM reports the UID chain {janedoe, johndoe}. Each entry in the chain is written as (PID,user,process name), for example:
(1,root,systemd)>(10077,root,sshd)>(50136,root,sshd)>(50169,donald,sshd)>(50170,donald,bash)->(50217,donald,ls)
UID chain is always enabled on Windows. For Linux-Unix, enable the UID chain with the hunter_trace parameter. For more information, see Linux-Unix: General Parameters.
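As an added example (not part of the Guardium documentation), the following Python parses a UID chain in the format shown above into its (PID, user, process) entries, lists the distinct users in the order they appear, and reports each point where the effective user changed, which is the detail an analyst reviewing a FAM event usually wants. The sample chain is constructed to match the documented example; both the ">" and "->" separators that appear in it are accepted.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample chain in the documented (PID,user,process) format; not a real capture.
SAMPLE_CHAIN = (
    "(1,root,systemd)>(10077,root,sshd)>(50136,root,sshd)"
    ">(50169,donald,sshd)>(50170,donald,bash)->(50217,donald,ls)"
)


class Proc(NamedTuple):
    pid: int
    user: str
    name: str


# One parenthesised entry: PID, user, process name. Separators between entries are ignored.
_ENTRY = re.compile(r"\((\d+),([^,()]+),([^()]*)\)")


def parse_uid_chain(chain: str) -> List[Proc]:
    """Parse a FAM UID chain into ordered Proc entries, oldest ancestor first."""
    entries = [Proc(int(pid), user, name) for pid, user, name in _ENTRY.findall(chain)]
    if not entries:
        raise ValueError(f"no UID chain entries found in {chain!r}")
    return entries


def distinct_users(chain: str) -> List[str]:
    """Distinct users in chain order, e.g. ['janedoe', 'johndoe'] for the documented case."""
    seen: List[str] = []
    for proc in parse_uid_chain(chain):
        if proc.user not in seen:
            seen.append(proc.user)
    return seen


def user_transitions(chain: str) -> List[Tuple[str, str, str]]:
    """(from_user, to_user, process) for every link where the effective user changed."""
    procs = parse_uid_chain(chain)
    return [(a.user, b.user, b.name) for a, b in zip(procs, procs[1:]) if a.user != b.user]


def accessing_process(chain: str) -> Proc:
    """The last entry is the process that actually performed the file access."""
    return parse_uid_chain(chain)[-1]


if __name__ == "__main__":
    print(distinct_users(SAMPLE_CHAIN), user_transitions(SAMPLE_CHAIN), accessing_process(SAMPLE_CHAIN))
```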

Monitoring activities are presented in the following predefined reports: Users privileges, File privileges, Count of activity per user, Count of activity per client, Files open to "public", Dormant users, Dormant Files, and others. Monitoring activities are also shown in the FAM – Access report (a log of all monitored activity) and in the Investigation Dashboard.

Access to files can also be blocked, even if the operating system permissions allow access. The blocking rules are installed into the S-TAP, which then loads them into the file system filter driver. The driver blocks access to the file so that the data in the file is never delivered to the user.

Important: Windows Administrator and Linux ROOT user activities are not monitored or blocked by File Activity Monitoring.