High level workflow for file activity monitoring

Use this general workflow to plan and run file activity monitoring on file servers in the Linux, UNIX®, and Windows™ environments.

Prerequisites:
  • Guardium® File Activity Monitor (FAM) license keys must be installed.
  • For UNIX file servers: Software TAP (S-TAP®) for FAM is installed.
  • For Windows file servers: FamMonitor bundle is accessible.
  • CentOS 7.9 requires that the following libraries are installed: 32-bit libstdc++5 and libstdc++6.
  • FAM discovery agent (also known as the FAM bundle or FAM agent) must be accessible. Required for file discovery and classification. Download from Fix Central or obtain from your Guardium representative.
  • Disk space requirements for FAM bundle: 2 GB. AIX® platforms require an additional 2 GB during installation.
  • To install the FAM discovery agent successfully on AIX, it is recommended to set the process data size to unlimited. Edit the file /etc/security/limits and, under default:, change the data line to data = -1.
  • Supported servers and platforms are listed in Guardium Supported Platforms for Files.
  • For complete lists of supported data types, see What data types are supported and Oracle Text Supported Document Formats in Oracle documentation.
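
A pre-install check for the disk-space and AIX data-limit prerequisites listed above, added here as an example; it is not part of Guardium or its documentation. The function names, the install directory argument, and the sample limits content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-install checks for the FAM discovery agent (FAM bundle).
# Function names and the install directory argument are assumptions.

# Free space in KB on the file system that holds directory $1.
free_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

# Space the FAM bundle needs: 2 GB, plus 2 GB more during installation on AIX.
required_kb() {
    if [ "$1" = "AIX" ]; then echo 4194304; else echo 2097152; fi
}

# Print the "data" value from the default: stanza of an AIX limits file ($1).
# Lines starting with * are comments; a line such as "root:" opens a stanza.
default_data_limit() {
    awk '
        $1 ~ /^\*/ { next }
        NF == 1 && $1 ~ /:$/ { in_default = ($1 == "default:"); next }
        in_default && index($0, "=") {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == "data") val = kv[2]
        }
        END { if (val != "") print val }
    ' "$1"
}

# Constructed sample of /etc/security/limits content, for trying the parser.
sample_limits() {
    printf '%s\n' '* constructed sample' 'default:' '        fsize = 2097151' \
        '        data = 262144' '' 'root:' '        data = -1'
}

# check_fam_prereqs OS DIR LIMITS_FILE: returns 1 if disk space is short.
check_fam_prereqs() {
    have=$(free_kb "$2"); need=$(required_kb "$1")
    if [ "$1" = "AIX" ]; then
        data=$(default_data_limit "$3")
        [ "$data" = "-1" ] || echo "WARN: default data limit is ${data:-unset}, not -1"
    fi
    if [ "${have:-0}" -lt "$need" ]; then
        echo "FAIL: $2 has ${have:-0} KB free, FAM bundle needs $need KB"; return 1
    fi
    echo "OK: $2 has $have KB free (need $need KB)"
}

# Usage: sh fam_precheck.sh /path/to/install/dir
if [ $# -gt 0 ]; then check_fam_prereqs "$(uname -s)" "$1" /etc/security/limits; fi
```

The data-limit check only warns, because the page gives the unlimited setting as a recommendation; a disk-space shortfall is treated as a failure.
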
Windows servers only: Starting with Guardium 11.0, the FAM monitor package is a stand-alone package, and is installed independently. (It is not installed with S-TAP, as it was in previous releases.) When upgrading to version 11.0, whether or not you use the General Data Protection Regulation (GDPR) accelerator:
  • Upgrade the S-TAP to 11.0 if you're using FAM and S-TAP. This uninstalls the previous FAM (FsMonitor driver and StapAT service). Then install the 11.0 FAM crawler and FamMonitor.
  • Uninstall the S-TAP if you're using FAM only. This uninstalls the previous FAM (FsMonitor driver and StapAT service). Then install the 11.0 FAM crawler and FamMonitor.

FAM GDPR accelerator

Use the FAM GDPR accelerator to guide you through the entire process of enabling and configuring FAM, including for GDPR compliance. The accelerator supports Windows, Linux, and UNIX platforms.
  1. Access the module upload page: Accelerators > GDPR > Assess > Prepare > Upload FAM Module for GDPR, and upload the FAM module.
  2. Follow the instructions in the GDPR accelerator GUI page to complete the FAM GDPR configuration. See the overview in Accelerators > GDPR > GDPR Compliance.
  3. See the rules that can be used to create decision plans for FAM GDPR in Rules for GDPR File Activity.

FAM without GDPR accelerator

If you are not using the FAM GDPR accelerator, use this workflow for file activity monitoring:

  1. Install the FAM crawler for discovery and classification.
    1. For UNIX file servers, this also installs the monitoring capabilities: Installing and activating the FAM discovery agent (crawler) on UNIX servers.
    2. For Windows file servers: Installing and activating FAM discovery agent (crawler) on Windows servers.
    3. Configure File discovery and classification GIM parameters.
  2. For Windows servers only: Install the FamMonitor installation package. See Installing and activating the FamMonitor on Windows servers.
  3. Monitor and investigate results:
    • Review file activity in reports, including the following predefined reports: File Activities, File Entitlement, Files Count of Activity Per Client, Files Count of Activity Per Server, Files Count of Activity Per User, and Files Privileges.
    • For ongoing investigation and analysis, use Investigation Dashboards, which include text search and outliers capability, and enhanced visualizations. See:
  4. Protect. Create and apply policies for ongoing monitoring and protection for file servers. See File Activity policies for UNIX and Windows file servers.
    Note: FAM rules might not be applied to certain operations on file descriptors, such as changing the owner or permissions for a file, on the following platforms:
    • AIX
    • 12.1 and later Oracle Solaris