High level workflow for file activity monitoring
Use this general workflow to plan and execute file activity monitoring on file servers in Linux, UNIX, and Windows environments.
Prerequisites:
- FAM license keys must be installed.
- For UNIX file servers: S-TAP for FAM is installed.
- For Windows file servers: FamMonitor bundle is accessible.
- CentOS v7.9 requires that the following libraries are installed: 32-bit libstdc++5 and libstdc++6.
- FAM discovery agent (also known as the FAM bundle or FAM agent) must be accessible. Required for file discovery and classification. Download from Fix Central or obtain from your Guardium representative.
- Disk space requirements for FAM bundle: 2GB. AIX platforms require an additional 2GB during installation.
- To install the FAM discovery agent successfully on AIX, it is recommended to set the process data size to unlimited. Edit the file /etc/security/limits and, under the default: stanza, set data = -1.
- Supported servers and platforms are listed in https://supportcontent.ibm.com/support/pages/node/6245402.
- For complete lists of supported data types, see What data types are supported and Oracle Text Supported Document Formats in Oracle documentation.
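The disk space and AIX data-limit prerequisites above can be verified before the FAM bundle is installed. The following shell script is an added example, not part of the Guardium product or its documentation; the function names, the install directory argument, and the sample limits file are assumptions.

```shell
#!/bin/sh
# Added example: pre-install checks for the FAM bundle prerequisites above.
# Function names and the install directory argument are assumptions.

# Required free space in KB: 2GB, plus an additional 2GB on AIX.
fam_required_kb() {
    case "$1" in
        AIX) echo 4194304 ;;
        *)   echo 2097152 ;;
    esac
}

# Print the data value from the default: stanza of an AIX limits file.
limits_default_data() {
    awk '
        /^[ \t]*\*/ { next }                                  # comment line
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { in_default = ($1 == "default:"); next }
        in_default && /^[ \t]*data[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); print kv[2]; exit
        }
    ' "$1"
}

# fam_check AVAIL_KB PLATFORM LIMITS_FILE: report each failed prerequisite.
fam_check() {
    rc=0
    need_kb=$(fam_required_kb "$2")
    if [ "$1" -lt "$need_kb" ]; then
        echo "FAIL: $1 KB free, FAM bundle needs $need_kb KB on $2"; rc=1
    fi
    if [ "$2" = AIX ] && [ "$(limits_default_data "$3")" != "-1" ]; then
        echo "FAIL: set data = -1 in the default: stanza of $3"; rc=1
    fi
    return $rc
}

# fam_preflight INSTALL_DIR: run the checks against the live system.
fam_preflight() {
    avail_kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    fam_check "$avail_kb" "$(uname -s)" /etc/security/limits
}

# Constructed sample of an AIX limits file, for trying the parser offline.
sample_limits() {
    printf '%s\n' '* constructed sample' 'default:' '        fsize = 2097151' \
        '        data = 262144' '' 'root:' '        data = -1'
}
```

In the constructed sample only the root: stanza carries data = -1, so the check fails for AIX until the default: stanza is changed.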
Windows servers only: From V11.0, the FAM monitor package is a standalone package, and is installed independently. (It is not installed with S-TAP®, as it was in previous releases.) When upgrading to v11.0, whether or not you use the GDPR accelerator:
- If you're using FAM and S-TAP: Upgrade the S-TAP to 11.0. This uninstalls the previous FAM (FsMonitor driver and StapAT service). Then install the 11.0 FAM crawler and FamMonitor.
- If you're using FAM only: Uninstall the S-TAP. This uninstalls the previous FAM (FsMonitor driver and StapAT service). Then install the 11.0 FAM crawler and FamMonitor.
FAM GDPR Accelerator
Use the FAM GDPR Accelerator to guide you through the entire process of enabling and configuring FAM, including for GDPR compliance. The Accelerator supports Windows, Linux, and UNIX platforms.
- Access the Module upload page: , and upload the FAM module.
- Follow the instructions in the GDPR Accelerator GUI page to complete the FAM GDPR configuration. See the overview in .
- See the rules that can be used to create decision plans for FAM GDPR in Rules for GDPR File Activity.
FAM without GDPR Accelerator
If you are not using the FAM GDPR Accelerator, use this workflow for file activity monitoring:
- Install the FAM crawler for discovery and classification.
- For UNIX file servers (this also installs the monitoring capabilities): Installing and activating the FAM discovery agent (crawler) on UNIX servers.
- For Windows file servers: Installing and activating FAM discovery agent (crawler) on Windows servers.
- Configure File discovery and classification GIM parameters.
- Optionally, see Customizing FAM discovery decision plans and Uploading and deleting FAM decision plan files. You can use the default decision plans, or create your own using IBM Content Classification.
- Windows servers only: Install the FamMonitor installation package; see Installing and activating the FamMonitor on Windows servers.
- Monitor and investigate results:
- Review File activity in reports, including the following predefined reports: File Activities, File Entitlement, Files Count of Activity Per Client, Files Count of Activity Per Server, Files Count of Activity Per User, Files Privileges.
- For ongoing investigation and analysis, use Investigation Dashboards, which include text search and outliers capability as well as enhanced visualizations. See:
- Protect: create and apply policies for ongoing monitoring and protection for file servers. See File Activity policies for UNIX and Windows file servers.
Note: FAM rules might not be applied to certain operations on file descriptors, such as changing the owner or permissions for a file, on these platforms:
- AIX