Introduction

Agent versus Agentless is a perennial debate for any monitoring requirement, and it is something that has been written about previously.


The summary of the previous assessment was that agent-based File Integrity Monitoring (FIM) is usually better, because real-time detection of changes removes the need for repeated full baseline operations and because the agent can provide file hashing, even though there is an additional management overhead for installing and maintaining agent software. But what about agentless systems that purport to provide hashing, seemingly able to cover every requirement and deliver the functionality of an agent-based FIM solution without using an agent?

What Is So Scary About Agents Anyway?

The problem with all agents is one of maintenance. First, the agent itself needs to be deployed and installed on the endpoint. Usually this will also require other components like Java or Mono to be enabled on the endpoint, and these all have maintenance requirements of their own. WSUS/Windows Update Services and the Update Manager in Ubuntu make it much easier now to maintain packaged programs, but it is accepted that introducing more components to any system will only ever increase the range of 'things that can go wrong'.

So we'll make that 1-0 to Agentless for ease of implementation and maintenance, even though both functions can be automated to a greater or lesser degree - good FIM solutions will automatically update their agent components when new versions are released.

System Resources – Which Option Is More Efficient?

No agent means the agentless system must operate on a polled basis, and operating on a polled basis means the monitoring system is blind to any security events or configuration changes that occur until the next poll. This could mean that security threats go undetected for hours, and in the case of rootkit malware, irreparable damage could have been done before anybody knows there is a problem.

Poll intervals can be reduced, but the nature of an agentless system is that every attribute of every object or file being monitored must be gathered on every poll because, unlike an agent-based FIM solution, there is no means of tracking and recording changes as they happen. The consequence is that each agentless poll is as heavy in terms of system resources as the initial baselining operation of an agent-based system. Every single file and attribute must be recorded on every poll, regardless of whether changes have occurred or not. Worse still, all the data collected must be dragged across the network to be analyzed centrally, and this load too is repeated for every poll. This also makes agentless scans slow to operate.

By contrast, an agent-based FIM solution works through the full baseline process once only, and then uses its vantage point on the endpoint host to record changes to the baseline in real time as they occur. Being host-based also gives the agent access to the OS as changes are made, enabling it to capture 'who made the change' data too. The agent gives a much more host-resource and network-efficient solution, operating on a changes-only basis: if there are no changes to record, no host resources and no network capacity are used. The agentless poll will always consume a full baseline's worth of resources for every scheduled scan. Furthermore, this makes running a report significantly slower than using an agent that already holds up-to-date baselines of the information needed in the report. This easily levels the score at 1-1.
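To make the cost model of polling concrete, here is a small polling-style integrity checker in Python. It is an added example, not code from the original article or from any FIM product. It baselines a throwaway directory tree of constructed sample files (the paths, contents and the 'attacker' edits are all invented for the demonstration), then runs two polls: one with nothing changed and one after a config edit and a dropped binary. The byte counter shows that a poll with no changes still hashes exactly as much data as the original baseline.

```python
"""Polling ("agentless"-style) file integrity check. Added example;
the sample files and the changes made between polls are constructed.

Every poll re-reads and re-hashes every monitored file, then diffs the
result against the stored baseline. The returned byte counts make the
cost of that model visible.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> tuple[str, int]:
    """Return (hex SHA-256 digest, bytes read) for one file."""
    h = hashlib.sha256()
    read = 0
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
            read += len(chunk)
    return h.hexdigest(), read


def scan(root: Path) -> tuple[dict[str, dict], int]:
    """Full scan: size, mtime and SHA-256 for every regular file under root.

    Returns (records keyed by path relative to root, total bytes hashed).
    This is what an agentless poll has to do on every cycle.
    """
    records: dict[str, dict] = {}
    total = 0
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        digest, n = hash_file(p)
        total += n
        records[str(p.relative_to(root))] = {
            "size": st.st_size, "mtime": st.st_mtime, "sha256": digest,
        }
    return records, total


def diff(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Compare two scans: new files, deleted files, and content changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys()
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline, a quiet poll, then a poll after tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\nPort 22\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        # 4 KiB stand-in for a binary (constructed, not a real executable).
        (root / "bin" / "tool").write_bytes(b"\x7fELF" + b"\x00" * 4092)

        baseline, baseline_bytes = scan(root)

        # Poll 1: nothing has changed, yet the whole tree is hashed again.
        poll1, poll1_bytes = scan(root)
        result1 = diff(baseline, poll1)

        # Between polls an attacker edits a config file and drops a binary.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\nPort 22\n")
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF" + b"\x00" * 100)

        # Poll 2: the changes are only visible now, at poll time.
        poll2, poll2_bytes = scan(root)
        result2 = diff(baseline, poll2)

        return {
            "baseline_bytes": baseline_bytes,
            "poll1_bytes": poll1_bytes, "poll1": result1,
            "poll2_bytes": poll2_bytes, "poll2": result2,
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The quiet poll reads exactly as many bytes as the baseline did, and the tampering is only reported when the next scheduled scan runs. A host-resident agent would instead subscribe to the OS change notification interface (inotify on Linux, ReadDirectoryChangesW on Windows) and re-hash only the one file that changed, at the moment it changed.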


Security Considerations of Agentless versus Agent-Based FIM Solutions

Finally, there is a further consideration for the agentless solution that doesn't apply to the agent-based FIM option. Because the agentless solution must log in and execute commands on the server to gather baseline information, the agentless server needs an account with network access to every monitored host. That account will need sufficiently high privileges to access the folders and files that need to be tracked, and by definition these are typically the most sensitive objects on the server in terms of security governance. Key-based authentication (for example SSH private keys) can help restrict access to a degree, but a single privileged credential that reaches every monitored host still exists and must be protected, so an agentless solution will always carry an additional inherent security risk over and above that posed by agent-based technology. I would call that a clear 2-1 to the Agent, being more efficient, faster and more effective in reporting threats in real time.

File Hashing – What is the Advantage?

The classic approach to File Integrity Monitoring is to record all the attributes of a file, then compare the same data later to see whether any have changed. For more detail on how a file's make-up or contents have changed, mainly relevant to Linux/Unix text-based configuration files or web application configuration files, the contents may be compared side by side to show the changes. Using a file hash (more accurately, a cryptographic file hash) is an elegant and very neat way of summarizing a file's composition in a single, simple, unique code. This provides several key benefits:

- Regardless of the size and complexity (text or binary) of the file being tracked, a fixed-length but unique code can be created for any file - comparing hash values is a simple but highly sensitive way to check whether there have been any changes or not
- The hash is unique for each file and, due to the algorithms used to generate cryptographic hashes, even tiny changes result in large variations in the hash values returned, making changes obvious
- The hash is portable, so the same file held on different servers will return the same identical hash value, providing a forensic-level 'DNA fingerprint' for the file and version
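The practical point behind these benefits is that attribute-only comparison can be evaded while a hash cannot. The following Python script is an added example, not code from the original article or from any product. The scenario is constructed: a hosts file pins an internal hostname (invented, with documentation-range IP addresses) to one address, an attacker swaps in a different address of the same length and then restores the original timestamps, as `touch -r` would. Size and mtime match the baseline, so the classic attribute check passes; the SHA-256 digest does not. The script also shows the fixed digest length and the portability of the hash across copies.

```python
"""Attribute-only comparison versus a cryptographic hash. Added example;
the file contents, hostname and addresses are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def attributes(path: Path) -> tuple[int, int]:
    """The 'classic' FIM record: size and modification time only."""
    st = path.stat()
    return st.st_size, st.st_mtime_ns


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of the file's contents (always 64 hex characters)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of the 256 digest bits that differ between two digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        hosts = Path(d) / "hosts"
        hosts.write_text("203.0.113.10 vault.example.internal\n")
        base_stat = hosts.stat()
        base_attrs, base_hash = attributes(hosts), sha256_of(hosts)

        # Attacker: same-length edit pointing the name at another address...
        hosts.write_text("203.0.113.99 vault.example.internal\n")
        # ...then put atime/mtime back, exactly as `touch -r` would.
        os.utime(hosts, ns=(base_stat.st_atime_ns, base_stat.st_mtime_ns))
        new_hash = sha256_of(hosts)

        # Portability: the original bytes on a "second server" (another path)
        # produce the identical digest.
        replica = Path(d) / "hosts.from-server-2"
        replica.write_text("203.0.113.10 vault.example.internal\n")

        # Fixed length regardless of input size: empty file vs 1 MiB of random bytes.
        empty, big = Path(d) / "empty", Path(d) / "big.bin"
        empty.write_bytes(b"")
        big.write_bytes(os.urandom(1024 * 1024))

        return {
            "attributes_unchanged": attributes(hosts) == base_attrs,
            "hash_changed": new_hash != base_hash,
            "bits_changed": differing_bits(base_hash, new_hash),
            # ctime cannot be reset from user space on Linux, so it still moves.
            "ctime_changed": hosts.stat().st_ctime_ns != base_stat.st_ctime_ns,
            "replica_matches_baseline": sha256_of(replica) == base_hash,
            "digest_lengths": (len(sha256_of(empty)), len(sha256_of(big))),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A size-plus-mtime check reports the tampered hosts file as unchanged; the hash flags it, and roughly half of the digest bits flip for a two-character edit. Recording ctime as well would catch this particular trick on Linux, since ctime cannot be set from user space, but it is the content hash that gives a comparison independent of any attribute an attacker can control.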

Therefore cryptographic hashing is an important dimension of file integrity monitoring. However, the standard Windows OS programs and components do not offer a readily usable mechanism for delivering this function across a whole file set: certutil -hashfile (and, in later PowerShell versions, Get-FileHash) can hash an individual file, but there is no built-in facility to baseline and compare a set of files over time. So a further big advantage of using an agent-based FIM solution is that cryptographic hashing can be provided on all platforms, unlike a pure agentless solution. 3-1 to the Agent, and it looks like it is going to be hard for the agentless solution to get back in the game!

When is Agentless FIM Really the Same as an Agent-Based FIM Solution?

In practice, the solution requires an Administrator logon to the servers to be scanned. The system then logs on and executes a whole sequence of scripted command-line commands to check file integrity, but will also pipe across a program to help perform file hashing. This program - some would say, agent - is then deleted after the scan.

So is this solution agentless? No, although it does remove the major hassle with an agent-based solution in that it automates the initial deployment of the agent. What are the other benefits of this approach? None really. It is less secure than an installed agent - providing an Admin logon that can be used across the whole network is arguably weakening security before you even start. It is massively less efficient than a local agent - piping programs across the network, then executing a bunch of scripts, then dragging all the results back across the network is hugely inefficient compared to an agent that runs locally, does its baselines and comparisons locally, and then, only if it needs to, sends results back.

It is also fundamentally not a very effective way to keep your estate secure - which rather misses the point of doing it in the first place! The reason is that you only find out that security has been weakened or actually compromised when you next run a scan - always too late! An agent-based FIM solution will detect configuration drift and file changes in real time - you know you have a potential risk within seconds of it arising, complete with details of who made the change.


Summary

So in summary, agentless is less efficient, less secure and less able to keep your estate secure (and the most effective agentless solutions still use a temporary agent anyway). The ease of deployment of agentless is tempting, but agent deployment can always be automated using any one of a number of software distribution solutions. Perhaps the best solution is still to keep both options available and choose the best approach on balance. For example, firewall appliances will always need to be handled using scripted, agentless interrogation, since no third-party agent can be installed on them, while Windows servers are best audited for vulnerabilities using a real-time change detection agent with cryptographic hashing.

