Electronically Signed By:
Isa Hasenko
Change & Log Integrity Control (LM.4) Organization: Fintable, Inc. Owner: Security & Compliance Review cadence: Annual or upon material change Approved by: Isa Hasenko Approval Date: 2025 August 15 1) Purpose & Scope This document defines Fintable's controls and processes to detect, alert on, and review unauthorized changes to production systems, configurations, and logs, including file integrity monitoring and configuration drift detection. It applies to all production servers, applications, databases, and centralized logging systems. 2) Policy Statement Unauthorized changes to production systems are prohibited. Fintable employs preventative and detective controls that generate alerts for unapproved modifications to files, configurations, software packages, privileged accounts, scheduled tasks, firewall rules, and logs. All detected changes are reviewed promptly, correlated with change records, and remediated if unauthorized. 3) Controls Overview • File Integrity Monitoring (FIM): auditd real-time watches on critical paths; AIDE-based nightly integrity scans. • Configuration Drift Detection: Baseline “known-good” configurations (Ansible/playbooks and system templates) compared to host state; drift reports generated daily. • Change Management Correlation: All changes require a linked ticket/PR; detection events are auto-correlated—items without a change record are treated as potential incidents. • Log Integrity: Centralized, append-only logging with off-host forwarding over TLS; daily hash/seal of log bundles; restricted, audited access; optional append-only flags on local logs. • Network & Kernel Controls: iptables ruleset checks; sysctl baseline checks; alerts on changes. • Package & Service Changes: Alerts on package installs/removals, service unit modifications, new/listening ports, and cron/systemd timers. • User/Privilege Changes: Alerts on new users/groups, sudoers edits, SSH key additions, and privileged escalations. 4) Coverage (Monitored Artifacts) • /etc: system configs (e.g., sshd_config, sudoers, sysctl.conf, passwd, group, hosts, resolv.conf). • Systemd units and timers: /etc/systemd/system, overrides, and service files. • Application configs: environment files and app settings stored on servers (secrets themselves are not logged). • Firewall rules: iptables/nftables persistent config and runtime tables. • Binaries and scripts: /usr/local/bin, /usr/bin (selected), deployment scripts. • Cron: /etc/cron* and user crontabs. • Database configs: postgresql.conf, pg_hba.conf (or equivalents). • Log directories: /var/log (metadata only; contents integrity assured via off-host hashing). 5) Tooling & Implementation • auditd: Real-time watch rules for critical files/directories with alerts to the SIEM/log aggregator. • AIDE: Nightly scan comparing cryptographic hashes against baseline; report differences with severity tags. • Baseline Management: Version-controlled configuration in Ansible/playbooks; golden images for hosts; baseline updated only through approved change tickets. • Centralized Logging: Forwarding via syslog/journal over TLS to a self-hosted aggregator; daily tarball snapshots hashed and stored in versioned object storage. • Optional Hardening: Append-only (chattr +a) on local logs where supported; immutable flags during maintenance windows as appropriate. 6) Alerting & SLAs • Critical paths (e.g., sshd_config, sudoers, pg_hba.conf, iptables): alert in near real-time; triage start ≤ 4 business hours; containment ≤ 24 hours. • Non-critical configuration drift: alert in daily report; triage start ≤ 1 business day; remediation scheduled within 5 business days unless risk elevates. • Suspected log tampering or package changes on production: immediate escalation to Incident Commander per IR plan. 7) Review & Triage Process • Event Intake: Alerts collected in the incident channel with host, file, diff summary, and user/process attribution. • Correlation: Check for approved change ticket/PR; if none, classify as “Unauthorized Change” and escalate. • Investigation: Confirm scope, verify actor/process, compare with baseline, and assess potential impact. • Remediation: Revert to baseline (Ansible/apply), restore from backup if needed, or roll back deployment. • Documentation: Record root cause, timeline, and corrective actions; link evidence (AIDE reports, audit logs). 8) Preventative Practices • Least-privilege access and sudo with audit logging; no shared accounts; MFA on bastion. • Signed and peer-reviewed deployments; only CI/CD service accounts may modify production files. • Encrypted, off-host backups of configs for quick restore and verification. 9) Reporting & Metrics • Daily drift report: list of changes with authorization status. • Weekly summary: counts by category (config, package, user, firewall, logs) and by authorization. • KPIs: % unauthorized changes resolved ≤ 24h; Mean Time To Detect (MTTD); Mean Time To Remediate (MTTR); recurring offender processes/hosts. 10) Exceptions Temporary exceptions (e.g., maintenance windows suppressing certain alerts) require approval, a defined scope and timeframe, and compensating controls. Exceptions are logged and reviewed after completion. 11) Testing & Validation • Quarterly control test: introduce benign change on a test host to validate detection-to-alert pipeline and response. • Annual tabletop: scenario-based exercise including unauthorized config change and log tampering cases. 12) Review & Maintenance This control is reviewed at least annually, and whenever new platforms, directories, or services are added to production. Appendix A — Example auditd Rules (snippet) * Watch sshd config: -w /etc/ssh/sshd_config -p wa -k cfg-ssh * Watch sudoers: -w /etc/sudoers -p wa -k cfg-sudo * Watch firewall rules: -w /etc/iptables -p wa -k cfg-fw * Watch PostgreSQL HBA: -w /etc/postgresql/pg_hba.conf -p wa -k cfg-db * Watch systemd units: -w /etc/systemd/system -p wa -k cfg-systemd * Watch cron: -w /etc/cron.d -p wa -k cfg-cron * Watch users/groups: -w /etc/passwd -p wa -k acct -w /etc/group -p wa -k acct Approved By: Isa Hasenko Chief Executive Officer
Electronically Signed By:
Isa Hasenko