Best Practice in healthcare environment


mc...@students.ptcollege.edu

Feb 26, 2018, 2:03:08 PM
to Wazuh mailing list
Hello!,

My name is Mike and I am working on a project for school. I was wondering what some individuals are doing for File integrity monitoring as best practice? I have been around some resources, but they are all offering the service and have left very little to useful application?

I'm open to just reference sites, or input!

Thanks,
Mike 

alberto....@wazuh.com

Apr 17, 2018, 10:36:58 AM
to Wazuh mailing list
Hello Mike, sorry for the late response. 

File integrity monitoring is one of the most important features in security software nowadays. Wazuh provides some capabilities useful in order to cover this need:

Syscheck

In this link, you'll find all the information about how to configure Syscheck in Linux and Windows. This component monitors files (previously defined in ossec.conf). You'll be able to know when a file changes (modified, added or deleted) in real-time if you want, or every X minutes. You can monitor folders, and syscheck has the capability of showing the new and old content of a file.

Audit

https://documentation.wazuh.com/current/user-manual/capabilities/system-calls-monitoring/audit-configuration.html

Using audit as a complement to syscheck, you'll be able to monitor system calls. So, once you have defined the system calls (e.g. read or write accesses) you want to monitor, Wazuh will collect this information and an alert will be created if it matches your criteria. You'll be able to know the uid of the user who made a change even if this user ran "sudo su" before.

Audit - Windows

The Windows audit configuration can be used as a complement to syscheck too. There are several tutorials on the Internet about how to configure Windows file auditing, e.g. https://docs.secureauth.com/display/docs/Windows+Auditing+-+File+and+Folder+Auditing
Then the event (e.g. 4663) will be sent by the Wazuh Agent to the manager and can be configured as an alert.

All these tools give you what, where, who and when information about FIM (Syscheck + Audit in Linux, Syscheck + Windows audit in Windows). You'll need to define what the critical files in your system are and then decide the frequency at which they are monitored, whether you want to see differences in the report or not, etc. I recommend you consider this because monitoring something in real-time could have an impact on your server performance. We designed Wazuh in order to have minimal impact. In fact, some internal options can be modified (https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#syscheck). The options sleep and sleep_after can be tuned in order to have quicker Syscheck reports. Then, Wazuh's consumption is increased.

I hope this information helps. Please don't hesitate to ask for further information; we will be glad to assist you.
Best regards, 

Alberto R. 
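Putting the advice above into a concrete configuration: the fragment below is an added example written for this thread, not the page's own content and not the ossec.conf that Wazuh ships. It assumes Wazuh 3.x syscheck syntax on a Linux agent; the directory choices are illustrative, not a recommendation for a specific environment.

```xml
<!-- Added example (not from the original thread): a syscheck block for
     a Linux agent's ossec.conf. Paths are illustrative placeholders. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>

    <!-- Broad set of directories, checked by a scheduled scan every
         12 hours (43200 seconds). Periodic scanning keeps the agent's
         overhead low on a busy server. -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>

    <!-- Small set of critical files, watched in real time. report_changes
         stores the previous version so the alert can show the old and new
         content, as described above. Keep this list short: realtime
         monitoring is the part that costs CPU and memory. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/ssh,/etc/sudoers.d,/etc/pam.d</directories>

    <!-- Alert on files that appear in monitored directories, not only on
         modifications and deletions. -->
    <alert_new_files>yes</alert_new_files>

    <!-- Exclude files that change constantly and would only produce noise. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">.log$|.swp$|.tmp$</ignore>

    <!-- Never include the content diff of a secret in an alert, even
         though its parent directory uses report_changes. -->
    <nodiff>/etc/ssh/ssh_host_rsa_key</nodiff>
  </syscheck>
</ossec_config>
```

The split mirrors the trade-off Alberto describes: the wide set of system directories is covered by the scheduled scan, while only a handful of files that matter most to an attacker (SSH, sudo and PAM configuration) are watched in real time with diffs enabled. The "who" part (the uid behind a change, even after `sudo su`) is not in this block; it comes from the auditd rules described in the audit configuration link above, which are configured on the host rather than in ossec.conf.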