Configure Integrity Monitoring
Configure the Integrity Monitoring module to define its behavior for a policy.When designing the modules behavior and implementing it using the API, use the same background information and guidance that is provided in the Deep Security Help Center.
Policy objects contain two objects that you use to configure the Integrity Monitoring module:
IntegrityMonitoringPolicyExtension
: Controls the module state (real-time, on, or off) and identifies the Integrity Monitoring rules that are assigned to the module.PolicySettings
: Policy settings include many Integrity Monitoring-related settings that control the runtime behavior of the module, such as the application of recommendation scans, whether real-time scan is enabled, performance-related settings, and the Syslog configuration to use. (See Configure policy and default policy settings.)
After you create these objects and add them to a Policy
object, you use the PoliciesApi
class to modify an existing policy based on the Policy
object.
The following JSON represents the data structure of an IntegrityMonitoringPolicyExtension
object:
{ "state": "on", "moduleStatus": {...}, "ruleIDs": [...] }
The moduleStatus
property is read-only. It provides the runtime status of the Integrity Monitoring module. (See Report on Computer Status.)
General steps
Use the following steps to configure the Integrity Monitoring module:
- Create an
IntegrityMonitoringPolicyExtension
object and set the property values. - Create a
PolicySettings
object to configure runtime settings of the module. (See Configure policy and default policy settings.) - Create a
Policy
object and add theIntegrityMonitoringPolicyExtension
andPolicySettings
objects. - Use a
PoliciesApi
object to add or update the policy on Deep Security Manager.
Create an IntegrityMonitoringPolicyExtension
object and set the module state:
policy_config_integrity_monitoring = api.IntegrityMonitoringPolicyExtension() policy_config_integrity_monitoring.state = "on"
const integrityMonitoringPolicyExtension = new api.IntegrityMonitoringPolicyExtension(); integrityMonitoringPolicyExtension.state = api.IntegrityMonitoringPolicyExtension.StateEnum.on;
IntegrityMonitoringPolicyExtension integrityMonitoringPolicyExtension = new IntegrityMonitoringPolicyExtension(); integrityMonitoringPolicyExtension.setState(StateEnum.ON);
Set the rule IDs. Note that the Integrity Monitoring rules that are currently assigned to the policy will be overwritten:
policy_config_integrity_monitoring.rule_ids = im_rule_ids
integrityMonitoringPolicyExtension.ruleIDs = imRules;
integrityMonitoringPolicyExtension.setRuleIDs(ruleIds);
At this point, the integrity Monitoring policy extension is configured. Next, it is added to aPolicy
object. Then use aPoliciesApi
object to modify a policy on Deep Security Manager.
policy = api.Policy() policy.integrity_monitoring = policy_config_integrity_monitoring policies_api = api.PoliciesApi(api.ApiClient(configuration)) modified_policy = policies_api.modify_policy(policy_id, policy, api_version)
const policy = new api.Policy(); policy.integrityMonitoring = integrityMonitoringPolicyExtension; const policiesApi = new api.PoliciesApi(); return policiesApi.modifyPolicy(policyID, policy, apiVersion, { overrides: false });
Policy policy = new Policy(); policy.setIntegrityMonitoring(integrityMonitoringPolicyExtension); PoliciesApi policiesApi = new PoliciesApi(); Policy modifiedPolicy = policiesApi.modifyPolicy(policyId, policy, Boolean.FALSE, apiVersion);
Thepolicy_id
(orpolicyID
) parameter ofmodifyPolicy
identifies the actual policy on Deep Security Manager that is to be modified. This policy is modified according to the policy object that is used as thepolicy
parameter. Any properties of thepolicy
parameter that are not set remain unchanged on the actual policy.
Example
The following example turns on Integrity Monitoring and sets the rule IDs for anIntegrityMonitoringPolicyExtension
object. The object is added to a Policy
object which is used to update a policy on Deep Security Manager.
# Turn on Integrity Monitoring policy_config_integrity_monitoring = api.IntegrityMonitoringPolicyExtension() policy_config_integrity_monitoring.state = "on" # Add the rule IDs policy_config_integrity_monitoring.rule_ids = im_rule_ids # Add to a policy policy = api.Policy() policy.integrity_monitoring = policy_config_integrity_monitoring # Modify the policy on Deep Security Manager policies_api = api.PoliciesApi(api.ApiClient(configuration)) modified_policy = policies_api.modify_policy(policy_id, policy, api_version) return modified_policy.id
// Turn on Integrity Monitoring const integrityMonitoringPolicyExtension = new api.IntegrityMonitoringPolicyExtension(); integrityMonitoringPolicyExtension.state = api.IntegrityMonitoringPolicyExtension.StateEnum.on; // Add rule IDs integrityMonitoringPolicyExtension.ruleIDs = imRules; // Add to a policy const policy = new api.Policy(); policy.integrityMonitoring = integrityMonitoringPolicyExtension; // Modifies the policy on Deep Security Manager const modify = () => { const policiesApi = new api.PoliciesApi(); return policiesApi.modifyPolicy(policyID, policy, apiVersion, { overrides: false }); }; return modify() .then(modifiedPolicy => { resolve(modifiedPolicy.ID); }) .catch(error => { reject(error); });
// Set the state IntegrityMonitoringPolicyExtension integrityMonitoringPolicyExtension = new IntegrityMonitoringPolicyExtension(); integrityMonitoringPolicyExtension.setState(StateEnum.ON); // Add the rule IDs integrityMonitoringPolicyExtension.setRuleIDs(ruleIds); // Add to a policy Policy policy = new Policy(); policy.setIntegrityMonitoring(integrityMonitoringPolicyExtension); // Update the policy on Deep Security Manager PoliciesApi policiesApi = new PoliciesApi(); return policiesApi.modifyPolicy(policyId, policy, Boolean.FALSE, apiVersion).getID();
Also see the Modify a Policy operation in the API Reference.
If you only need to add, remove, or list Integrity Monitoring rules for a policy, use the PolicyIntegrityMonitoringRuleAssignmentsApi
class. The previous example uses the IntegrityMonitoringPolicyExtension
, Policy
, and PoliciesApi
classes to set rules, but this can also be done using only the PolicyIntegrityMonitoringRuleAssignmentsApi
class. For more information, see Policy Integrity Monitoring Rule Assignments and Recommendations in the Policies section of the API Reference.
For information about authenticating API calls, see Authenticate with Deep Security Manager.
Create an Integrity Monitoring rule
Generally, to create a rule for the Integrity Monitoring module you perform the following steps:
- Create an
IntegrityMonitoringRule
object. - Set the rule properties.Rules are described in the Deep Security Help Center.
- Use an
IntegrityMonitoringRulesApi
object to add the rule to Deep Security Manager.
Template
property of the rule object to indicate how you are defining the rule:
- File: Set properties on the rule object to define how to monitor changes to files.
- Registry: Set properties on the rule object to define how to monitor changes to Windows registry values.
- Custom: Provide XML (base64-encoded) that defines how to monitor changes todirectories, registry values, registry keys, services, processes, installed software, ports and files. The custom XML is used as the value of the
CustomXML
property of the rule object.The XML that you provide must be base64-encoded.
Although Log Inspection rules have different properties than Integrity Monitoring rules, the way you create the rules are similar. You might find theCreate a basic Log Inspection rule and Create a Log Inspection rule using XML examples helpful.
To use the API to create an Integrity Monitoring rule, send a POST request to the integritymonitoringrules
endpoint. (See the Create an Integrity Monitoring Rule operation in the API Reference.)