CO-fmon program and features
The CO-fmon program complements the operation of the CO-logmon process but provides a different function. CO-fmon scans directories of files and sends a syslog message if a file is added, deleted, or changed. This protects certain system directories against changes and verifies that no malicious software (or undocumented change) is added to the system. This class of program is often referred to as a File Integrity Monitor (FIM) because it continuously monitors whether the file system has been modified, thereby ensuring the integrity of the file system.
CO-fmon reads the CO-fmon.cnf file to acquire a list of monitored files and creates an image file. Subsequently, each time a new listing of files is acquired (scheduled to occur hourly, daily, or weekly), CO-fmon compares the new file list against the image file and reports changes.
The destination address for all messages is configured in the CO-fmon.cnf file, in the same directory as the CO-fmon program. This file must exist in that location and is read whenever CO-fmon starts. A detailed explanation of this configuration file, including all directives that can be included in the file, is provided in the CO-fmon-configuration-file.
The CO-fmon program operates in a fashion that is almost identical to the Windows File Integrity Monitor. The BMC Defender FIM Audit Report adapter is particularly important for PCI-DSS compliance, which requires file integrity monitoring to be implemented at a managed site.
The BMC Defender FIM Audit Report adapter supports the enterprise requirements for security, with particular regard to PCI-DSS and other security guidelines. The program is easy to install and use, and contains the following specific features and functions:
- Fast File Scans—The File Integrity Monitor monitors large numbers of files quickly and non-intrusively. The program typically scans 10,000 files within one or two minutes, permitting hourly checks of file integrity.
- Ability To Monitor Files By Directory—The File Integrity Monitor is easy to configure and allows you to specify files by directory, including the ability to match and exclude files by directory name, file suffix, file prefix, or other keywords. This allows an operator to precisely target particular files on the managed system.
- Ability To Perform File Checksums—The File Integrity Monitor checks the file creation time, modify time, and file size to determine whether a file has been modified on the system. As an additional feature, you can enable the calculation of checksums on each file to check whether any single bit in the file has changed.
- Remote Configuration Capabilities—The File Integrity Monitor allows you to remotely access and adjust (with authentication) program configuration data, permitting you to make changes to the File Integrity Monitor while it is running. Additionally, you can obtain real-time status from the File Integrity Monitor to view the remote status and state of the program.
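The image-and-compare cycle and the optional checksum described above can be illustrated with a short Python sketch. This is an added example, not BMC code or CO-fmon's implementation: the function names, the use of SHA-256, and the sample directory are assumptions, and creation time is left out because its meaning differs between platforms.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root, checksums=False):
    """Build the image: {relative path: (size, mtime_ns, sha256 or None)}."""
    image = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        # SHA-256 is an assumption; the page does not name the checksum CO-fmon uses.
        digest = hashlib.sha256(path.read_bytes()).hexdigest() if checksums else None
        image[str(path.relative_to(root))] = (st.st_size, st.st_mtime_ns, digest)
    return image


def compare(image, current):
    """Return sorted (event, path) pairs: how the new listing differs from the image."""
    events = [("ADDED", p) for p in current.keys() - image.keys()]
    events += [("DELETED", p) for p in image.keys() - current.keys()]
    events += [("CHANGED", p) for p in image.keys() & current.keys()
               if image[p] != current[p]]
    return sorted(events)


def demo(checksums):
    """Alter a constructed sample directory and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "passwd").write_bytes(b"root:x:0:0\n")
        (base / "hosts").write_bytes(b"127.0.0.1 a\n")
        (base / "motd").write_bytes(b"hello\n")
        image = snapshot(base, checksums)
        (base / "motd").unlink()                         # file deleted
        (base / "new.sh").write_bytes(b"#!/bin/sh\n")    # file added
        (base / "passwd").write_bytes(b"root:x:0:0\nextra:x:0:0\n")  # size changes
        st = (base / "hosts").stat()
        (base / "hosts").write_bytes(b"127.0.0.1 b\n")   # same size, different bytes
        os.utime(base / "hosts", ns=(st.st_atime_ns, st.st_mtime_ns))  # same mtime
        return compare(image, snapshot(base, checksums))


if __name__ == "__main__":
    for event, path in demo(checksums=True):
        print(f"fim-example: {event} {path}")
```

With checksums disabled, the same-size edit to `hosts` whose modify time is unchanged goes unreported; with checksums enabled it appears as a change, at the cost of reading every monitored file on each scan.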
For additional information about operating the Windows version of the CO-fmon program, see BMC Defender Agent for Windows.