How to use the core file monitoring feature to monitor access to core files on servers in real time - Security Center

The core file monitoring feature monitors access to core files on servers in real time. The feature can monitor file operations such as access, modify, delete, and rename operations in real time and generate alerts on suspicious operations. You can use the feature to check whether your core files are stolen or tampered with. This topic describes how to use the core file monitoring feature to monitor access to core files on servers.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.
The feature supports only Linux servers on which the Security Center agent is online. The icon indicates that the agent is online. The servers must run a kernel Linux version that is supported by the AliWebGuard file. For more information, see Supported operating systems and kernel versions of the AliWebGuard file.

Step 1: Create a rule

Rule validation logic

Before the core file monitoring feature works, you must create rules to specify the monitoring scope of server files. We recommend that you understand the rule validation logic before you create a rule.

During the monitoring of access to files on a server, Security Center generates an alert or allows a request only if the request matches all the following items in the rule that you specify:
- Process path
- File path
- File operation
Security Center preferentially matches requests against the rules in which the Handling Method parameter is set to Release. This type of rule is referred to as an allow rule. If a request does not match an allow rule, Security Center matches the request against the rules in which the Handling Method parameter is set to Alert. This type of rule is referred to as an alert rule.

Configuration suggestions and examples

We recommend that you configure monitoring rules for core system files and important configuration files.

Before you create a rule, you must determine the files to monitor and the scope of processes that are allowed to access the files.

For core business files, you must configure an alert rule for all processes and multiple allow rules for allowed processes. This helps ensure that all access operations on the files are monitored and unnecessary alerts are not generated.

Important

If you do not configure an alert rule for all processes, you cannot monitor the access operations performed by processes that are beyond the scope of the specified process path. All out-of-scope processes can bypass the monitoring of Security Center.
When you configure an allow rule, we recommend that you do not use a wildcard character to specify a process path. If you use a wildcard character to specify a process path, attackers can exploit the allow rule to access your server files after bypassing the monitoring of Security Center.

For example, the path of the core files that you want to monitor is /etc/sysctl.conf, and the allowed process is systemd. To monitor the file path /etc/sysctl.conf, you must configure two rules.

Rule 1: Set the Handling Method parameter to Alert, set the Process Path parameter to an asterisk (*), set the File Path parameter to /etc/sysctl.conf, and select all options for the File operation parameter. The asterisk (*) specifies all processes.
Rule 2: Set the Handling Method parameter to Release, set the Process Path parameter to /usr/lib/systemd/systemd, set the File Path parameter to /etc/sysctl.conf, and select all options for the File operation parameter.

If you want to monitor core files on multiple servers, you can specify the file paths on all servers in an alert rule and set the Process Path parameter to an asterisk (*). Then, configure multiple allow rules for different process paths that you want to allow on different servers.

Procedure

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Core File Monitoring.
If you use Security Center Advanced or a lower edition, click Buy Now to purchase Security Center Enterprise or Ultimate.
On the Core File Monitoring page, click the Monitoring Rule tab and click New rule.

In the New rule panel, configure the parameters and click OK.

Parameter	Description
Rule Name	Enter a name for the rule.
Handling Method	Select an action for Security Center to perform when the rule is hit. Valid values: Alert: Security Center generates an alert and records an event. Release: Security Center allows the request. Security Center does not generate an alert or record an event.
Alert Severity	This parameter is required only if you set the Handling Method parameter to Alert. Select the severity for the alert that is generated when the rule is hit.
Rule status	Specify whether to enable the rule after the rule is created. You can enable a maximum of 100 rules.
Process Path	Enter the path of the processes to monitor. You can use a wildcard character to specify a process path. For example, if you want to monitor the process path /usr/conf, you can enter /conf. You can also use an asterisk () to specify all processes. You can enter a process path that is 1 to 128 characters in length. You must separate multiple paths with line feeds. You can specify a maximum of 20 process paths in each rule.
File Path	Enter the path of the files to monitor. You can use a wildcard character to specify a file path. For example, if you want to monitor the file path /etc/nginx/nginx.conf, you can enter /etc/nginx/. You can also use / to specify all file paths. You can enter a file path that is 1 to 128 characters in length. You must separate multiple paths with line feeds. You can specify a maximum of 20 file paths in each rule.
File operation	Select the file operations that you want to monitor.
Rule Scope	Select the servers to which you want to apply the rule.

If you want to modify, delete, enable, or disable the rule after you create the rule, we recommend that you find the entry point in the Status or Actions column of the rule. The first time you enable a rule for a server, it requires up to 5 minutes for the rule to take effect. If you modify a rule, it requires up to 1 minute for the rule to take effect. After the rule takes effect, existing alerts and recorded events are not affected.

Step 2: View and handle alerts

On the Core File Monitoring page, click the Alert Event tab. Then, you can view the alerts that are generated by Security Center on file access.
Find the alert that you want to view and click Details in the Actions column to view the details of file access.
Note
- If a Python script is used to access a file, Security Center cannot obtain detailed CLI information.
- If a Shell built-in command is used to access a file, Security Center cannot obtain detailed CLI information. For example, if the command is echo "new content" >> /etc/nginx/nginx.conf, ["-bash"] is displayed as the collected CLI information on the alert details page. This is because the command is a Shell built-in command, which appends content to the nginx.conf file.
- Security Center collects CLI information after Shell parsing and displays the collected CLI information in JSON arrays on the alert details page. The command that is displayed may be different from the original user-specified command.
  - Example 1: A user-specified command is mkdir "1 2", which is equivalent to the mkdir 1\ 2 command. Both the commands create a directory named 1 2. After Shell parsing, the user-specified command becomes mkdir and 1 2, and the display result on the alert details page is ["mkdir", "1 2"].
  - Example 2: A user-specified command is rm -rf *. After Shell parsing, * is replaced by all files and subdirectories in the specified directory. In this example, Security Center collects and displays the following CLI information: rm, -rf, and the list of all files and subdirectories in the current directory.
Check whether an abnormal event is recorded based on the details of file access.
The follow-up solution varies based on your check results.
- If an abnormal event is recorded, we recommend that you manually block the related processes and quarantine the related files after you confirm that your business is affected.
- If the event records normal file access, you can add the alert to the whitelist to handle the alert.
- If the event is considered not affecting your files and you do not need to add the alert to the whitelist, you can ignore the alert.
After you examine and handle the alert, find the alert and click Handle in the Actions column. Then, select a handling method and click OK.
- Whitelist: After you add the alert to the whitelist, Security Center automatically generates a whitelist rule that allows the behavior detected by the alert. If you select this option, you must configure the Whitelist Rule Name, Process Path, File Path, File operation, and Rule Scope parameters. Then, click OK.
- Ignore: If you ignore the alert, the status of the alert changes to Ignored. If the same alert is detected later, Security Center generates a new alert.
- Handle manually: If you have handled the abnormal event, you can select this option.

FAQ

What are the differences between web tamper proofing and core file monitoring?

Web tamper proofing is a different feature that Security Center provides to protect files. Web tamper proofing and core file monitoring differ in the following items.

Item	Web tamper proofing	Core file monitoring
Scenario	You need to protect assets such as websites that are vulnerable to attacks and sensitive to file tampering.	You need to monitor access operations on core files to prevent content theft. You need to monitor the changes on important files to avoid file tampering. The changes include modify, delete, and rename operations.
Protection scope	The feature can protect most Linux and Windows servers.	The feature can protect most Linux servers.
Billing	The feature is a value-added service provided by Security Center. You must purchase the feature to use it.	The feature is available only in Security Center Enterprise and Ultimate.
Capability	The feature supports identification of abnormal file changes. The feature can also block the related processes or generate alerts.	The feature supports monitoring of abnormal access to files, including read, modify, and delete operations. The feature can also generate alerts.

For more information about web tamper proofing, see Use the feature of web tamper proofing.

If I enable both web tamper proofing and core file monitoring, which feature preferentially takes effect?

If web tamper proofing and core file monitoring are both enabled for a server, web tamper proofing preferentially takes effect. If Security Center cannot match a request against the rules of web tamper proofing, Security Center matches the request against the rules of core file monitoring. The process whitelist rules of web tamper proofing take effect only when the web tamper proofing feature works. The allow rules of core file monitoring take effect only when the core file monitoring feature works.