FileSet

The FileSet tag describes a set of Files.

Tag Attributes

These are XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.

Attribute	Description	Required	Default Value	Allowed Values
base	Sets the base directory of the FileSet. Everything else in the tag is relative to this directory.	Yes	N/A	String values resolving to syntactically valid path (Path is not required to exist). Note: UNC paths are allowed by Windows Agents, but require that the remote system allow access by the "LocalSystem" account of the Agent computer. The Agent is a Windows service and runs as LocalSystem, aka NT AUTHORITY\SYSTEM. When accessing a network resource, the LocalSystem uses the computer's credentials, which is an account named DOMAIN\MACHINE$. The access token presented to the remote computer also contains the "Administrators" group for the computer, so remote shares must grant read privileges to either the Agent computer's account, the Agent computer's Administrators group, or "Everyone". For testing access to UNC paths, use this technique to launch a Windows command prompt running as a service under the LocalSystem account. With that you can try accessing network & local resources, or launch other applications that will run under the LocalSystem account. If the base value is not syntactically valid, the FileSet will not be processed. The rest of the config will be evaluated.
onChange	Whether the files returned should be monitored in real time.	No	false	true, false
followLinks	Will this FileSet follow symbolic links.	No	false	true, false

Entity Set Attributes

These are the attributes of the FileSet that can be monitored by Integrity Monitoring Rules.

Created: Timestamp when the file was created
LastModified: Timestamp when the file was last modified
LastAccessed: Timestamp when the file was last accessed. On Windows this value does not get updated immediately, and recording of the last accessed timestamp can be disabled as a performance enhancement. See File Times for details. The other problem with this attribute is that the act of scanning a file requires that the Agent open the file, which will change its last accessed timestamp. On Unix, the Agent will use the O_NOATIME flag if it is available when opening the file, which prevents the OS from updating the last accessed timestamp and speeds up scanning.
Permissions: The file's security descriptor (in SDDL format) on Windows or Posix-style ACLs on Unix systems that support ACLs, otherwise the Unix style rwxrwxrwx file permissions in numeric (octal) format.
Owner: User ID of the file owner (commonly referred to as the "UID" on Unix)
Group: Group ID of the file owner (commonly referred to as the "GID" on Unix)
Size: size of the file
Sha1: SHA-1 hash
Sha256:SHA-256 hash
Md5: MD5 hash
Flags: Windows-only. Flags returned by the GetFileAttributes() Win32 API. Windows Explorer calls these the "Attributes" of the file: Read-only, Archived, Compressed, etc.
SymLinkPath (Unix only): If the file is a symbolic link, the path of the link is stored here. Windows NTFS supports Unix-like symlinks, but only for directories, not files. Windows shortcut objects are not true symlinks since they are not handled by the OS; the Windows Explorer handles shortcut files (*.lnk) but other applications that open a *.lnk file will see the contents of the lnk file.
InodeNumber (Unix only)
DeviceNumber (Unix only): Device number of the disk on which the inode associated with the file is stored
BlocksAllocated (Unix only)
Growing: (DSA 7.5+) contains the value "true" if the size of the file stays the same or increases between scans, otherwise "false". This is mainly useful for log files that have data appended to them. Note that rolling over a log file will trigger a change in this attribute.
Shrinking: (DSA 7.5+) contains the value "true" if the size of the file stays the same or decreases between scans, otherwise "false".

Short Hand Attributes

The following are the Short Hand Attributes, and the attributes to which they map.

CONTENTS: Resolves to the content hash algorithm set in Policy/Computer Editor > Integrity Monitoring > Advanced.
STANDARD: Created, LastModified, Permissions, Owner, Group, Size, Contents, Flags (Windows only), SymLinkPath (Unix only)

Drives Mounted as Directories

Drives mounted as directories are treated as any other directory, unless they are a network drive in which case they are ignored.

Alternate Data Streams

NTFS based filesystems support the concept of alternate data streams. When this feature is used it behaves conceptually like files within the file.

To demonstrate this, type the following at the command prompt:


				echo plain > sample.txt 
 echo alternate > sample.txt:s 
 more < sample.txt 
 more < sample.txt:s

The first "more" will show only the text "plain", the same text that will be displayed if the file is opened with a standard text editor, such as notepad. The second "more", which accesses the "s" stream of sample.txt will display the string "alternate".

For FileSets, if no stream is specified, then all streams are included. Each stream is a separate Entity entry in the baseline. The available attributes for streams are:

size
Sha1
Sha256
Md5
Contents

The following example would include both streams from the demonstration above:

To include or exclude specific streams, the ":" notation is used. The following example matches only the "s" stream on sample.txt and not the main sample.txt stream:

Pattern matching is supported for the stream notation. The following example would include sample.txt, but exclude all of its alternate streams:

Meaning of "Key"

Key is a pattern to match against the path of the file relative to the directory specified by "base". This is a hierarchical pattern, with sections of the pattern separated by "/" matched against sections of the path separated by the file separator of the given OS

Sub Elements

Include
Exclude

See the general description of include/exclude for their allowed attributes and sub elements. Only information specific to include/excludes relating to the FileSet Entity Set class are included here.

Special attributes of Include/Exclude for FileSets:

executable

Determines if the file is executable. This does not mean that its permissions allow it to be executed. Instead the contents of the file are checked, as appropriate for platform, to determine if the file is an executable file.

This is a relatively expensive operation since it requires the Agent to open the file and examine the first kilobyte or two of its content looking for a valid executable image header. Opening and reading every file is much more expensive than simply scanning directories and matching filenames based on wildcard patterns, so any include/exclude rules using "executable" will result in slower scan times than those that do not use it.