Using BMC Defender File Integrity Monitor Adapter
At many sites, the entire usage of BMC Defender FIM Adapter consists of installing the program (as discussed in the previous section) and then rarely if ever visiting that installation again. The BMC Defender FIM Adapter does not require program maintenance and does not interfere with other system processes. The system configuration file (discussed in the next section of this space) is ready-to-run and does not require any customization, other than the destination syslog host supplied by the installation dialog.
However, the BMC Defender FIM Adapter Agent programs have various capabilities available to general users, documented in this section. Specifically, the CO-Fmon.exe program has a comprehensive configuration file that allows tailoring of the directories and files that are periodically scanned. Additionally, you can customize various parameters of the agent, create a new Image file for the agent, and run checks of the system on demand.
This section provides detailed notes on the BMC Defender FIM Adapter command-line options and application notes suitable for use by administrators and developers who need to extend the Windows syslog monitoring capabilities of their organization. The section would be of interest to other users who need to assess the capabilities of the BMC Defender FIM Adapter tools and syslog protocol in general.
Command-line arguments
The CO-Fmon.exe program supports various command-line options that allow it to be run from a command prompt. These options are never required, but they can facilitate certain operations, especially in batch files. The options are as follows:
Option | Description
--- | ---
CO-Fmon -install | The -install option causes the program to be installed as the BMC Defender FIM Adapter service in the Windows Service Manager. If the service is already installed, no action occurs. This is normally executed by the CO-install.exe program, but can be executed manually to re-install the service.
CO-Fmon -remove | The -remove option removes the program from the Windows Service Manager, first stopping the service (as needed). This is normally executed by the CO-uinstall.exe program, but can be executed manually to uninstall the service.
CO-Fmon -start | The -start option starts the BMC Defender FIM Adapter service, identical to starting the service via the Windows Service Manager, or executing the NET START CORRELOG FILE command. If the service has already started, this option has no effect.
CO-Fmon -stop | The -stop option stops the BMC Defender FIM Adapter service, identical to ending the service via the Windows Service Manager, or executing the NET STOP CORRELOG FILE command. If the service has already stopped, this option has no effect.
CO-Fmon -mode auto/manual/disable | The -mode option must be followed by the keyword auto, manual, or disable, and modifies the BMC Defender FIM Adapter service startup mode, identical to making this modification via the Windows Service Manager.
CO-Fmon -permit | The -permit option tests the permissions of the user to access the Windows Service Manager. The program displays the status of the permissions, as either available or not.
CO-Fmon -foreground | The -foreground option executes the CO-fmon.exe program as a foreground process, without the service manager. In addition to sending syslog messages to the receiver, the program displays any internal error messages or warnings, and also echoes messages to standard output.
CO-Fmon -generate | The -generate option is provided mainly for extensibility or system-level debug, and causes the CO-fmon.img file to be generated on the system, listing all the files specified in the CO-fmon.cnf file. This allows you to manually generate a new Image File, which serves as the baseline for detecting changes on the system. (See section CO-fmon.img—Image File.)
CO-Fmon -diff | The -diff option is provided mainly for extensibility or system-level debug, and causes the CO-fmon.stt file to be generated on the system, listing all the file changes. The option generates a new listing, compares the listing to the CO-fmon.img file, and generates syslog messages for each change. This allows you to manually generate a new difference list on the system.
CO-Fmon -help | The -help option displays brief help on the preceding options.
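The -generate and -diff options above follow a baseline-and-diff model: a listing of the monitored files is recorded once, a fresh listing is compared against it later, and one syslog message is produced per addition, deletion, or change. The following is an added example of that model in Python; it is not CO-Fmon.exe or the CO-fmon.img format, and the SHA-256 digest, message text, hostname, and PRI value are assumptions.

```python
"""Baseline-and-diff model behind the -generate and -diff options: build an
image of file digests once, list again later, and emit one syslog-style
message per addition, deletion or change. Example code only, not CO-Fmon.exe
or the CO-fmon.img format; digest, message layout and PRI are assumptions."""
import hashlib
import os
import tempfile
from typing import Dict, List

def build_image(root: str) -> Dict[str, str]:
    """Walk root and map each regular file's relative path to its SHA-256."""
    image: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                image[rel] = hashlib.sha256(fh.read()).hexdigest()
    return image

def diff_images(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """One message per difference: file added, deleted, or content changed."""
    messages: List[str] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            messages.append(f"file added: {path}")
        elif path not in current:
            messages.append(f"file deleted: {path}")
        elif baseline[path] != current[path]:
            messages.append(f"file changed: {path}")
    return messages

def syslog_line(message: str, host: str = "winhost") -> str:
    """RFC 3164-style line; PRI <12> = facility 1 (user) * 8 + severity 4 (warning), assumed."""
    return f"<12>{host} CO-Fmon: {message}"

def demo() -> List[str]:
    """Constructed scenario: baseline three files, then change, delete and add one each."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("hosts", b"127.0.0.1 localhost\n"),
                           ("app.dll", b"\x00original"), ("notes.txt", b"keep")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = build_image(root)                    # what -generate would record
        with open(os.path.join(root, "app.dll"), "wb") as fh:
            fh.write(b"\x00patched")                     # content change
        os.remove(os.path.join(root, "notes.txt"))        # deletion
        with open(os.path.join(root, "extra.exe"), "wb") as fh:
            fh.write(b"MZ")                              # addition
        return [syslog_line(m) for m in diff_images(baseline, build_image(root))]
```

A real baseline must be written to disk and protected from tampering; comparing two in-memory listings, as demo() does, only shows the comparison step.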
Rfmconf.exe utility
The BMC Defender FIM Adapter includes a utility that permits remote configuration changes to the CO-Fmon.exe program. The utility is located at system\rfmconf.exe on the main BMC Defender Server. It allows an administrator (with authentication and security) to remotely change the configuration of the CO-Fmon.exe program, assisting in the configuration and maintenance of the program.
The configuration of the BMC Defender FIM Adapter is discussed in detail in the sections that follow. Although it might never be necessary to change the default settings of the CO-Fmon.exe program, match patterns, log file monitors, and other parameters might need to be maintained, especially during the initial setup and configuration of the system.
The Rfmconf.exe program allows you to download the configuration file from a CO-Fmon.exe program and upload it back. When you upload changes, the new configuration takes effect immediately in the CO-Fmon.exe program, without restarting the service. Extensive checks and security features are incorporated into the system, as explained in detail in the sections that follow.
File Monitoring
In addition to monitoring the Windows event logs, the CO-sysmsg.exe program can monitor multiple, arbitrary streaming log files on the system. This function is independent of the Windows event log and permits an administrator to instrument special log files, such as the Apache HTTP Server logs, Oracle database error logs, and many other logs on the system.
Only streaming text log files can be monitored. That is, the log file must grow by appending text, with new information added at the end of the file. The program cannot monitor files that continuously change size, are written in reverse chronological order, or are not mainly ASCII text. Fortunately, this type of log file is uncommon; the vast majority of error logs, transfer logs, and transaction logs are streaming text that grows in size and is reset only occasionally. Such log files can be monitored quite easily.
The log file monitoring capability is an integral part of the CO-sysmsg.exe program and is quite powerful. This function by itself might well justify installing the CO-sysmsg.exe program, irrespective of whether an administrator wants to monitor the native Windows event logs.
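The streaming-text requirement described above comes down to a monitor that remembers how far it has read, reports only complete lines appended since the last poll, and starts over when the file is reset. The following is an added example of that behaviour in Python; it is not CO-sysmsg.exe, and the class name, polling scheme, and Apache-style sample lines are constructed for illustration.

```python
"""Streaming-log constraint described above: remember how far the file has
been read, emit only complete lines appended since the last poll, and start
over when the file is reset (shrinks). Example code, not CO-sysmsg.exe; the
class and the Apache-style sample lines are constructed."""
import os
import tempfile
from typing import List

class StreamingLogMonitor:
    def __init__(self, path: str):
        self.path = path
        self.offset = 0        # bytes already consumed
        self.partial = b""     # trailing bytes not yet terminated by a newline

    def poll(self) -> List[str]:
        """Return complete new lines appended since the last poll."""
        try:
            size = os.path.getsize(self.path)
        except FileNotFoundError:
            return []
        if size < self.offset:           # log was reset: re-read from the start
            self.offset, self.partial = 0, b""
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
        self.offset += len(chunk)
        lines = (self.partial + chunk).split(b"\n")
        self.partial = lines.pop()       # hold back an unfinished last line
        return [ln.decode("ascii", errors="replace").rstrip("\r") for ln in lines]

def demo() -> List[List[str]]:
    """Constructed sequence: one line, a line plus a partial line, the rest, a reset."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "access.log")
        mon = StreamingLogMonitor(path)
        results = []
        with open(path, "ab") as fh:
            fh.write(b'10.0.0.5 - - "GET /index.html" 200\n')
        results.append(mon.poll())
        with open(path, "ab") as fh:
            fh.write(b'10.0.0.9 - - "GET /login" 401\n10.0.0.9 - - "POST /log')
        results.append(mon.poll())       # partial line is held back
        with open(path, "ab") as fh:
            fh.write(b'in" 200\n')
        results.append(mon.poll())
        with open(path, "wb") as fh:     # occasional reset: file shrinks
            fh.write(b"rotated\n")
        results.append(mon.poll())
        return results
```

A reset that rewrites the file to a size at least as large as the saved offset is not detected by the size check alone, which is one reason the page limits monitoring to logs that are reset only occasionally.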
Additional notes
- The BMC Defender FIM Adapter Agent monitors file changes of three kinds: file additions, file deletions, and modifications to existing files.
- The destination host address is configured in the CO-Fmon.cnf file, which resides in the same directory as the CO-Fmon.exe program (by default, C:\installationDirectory\wintools).
- The CO-Fmon.cnf file must exist in that directory; it specifies a variety of parameters and configuration items, explained in detail in the next section.
- The CO-Fmon.exe program supports a variety of command-line options, including a -foreground option for running the program in the foreground and for checking the configuration file after edits.