File Integrity Monitoring (FIM)
FIM is supported from sensor version 0.5.0.
- Check sensor version
- Upgrade sensors
The auditd service must be enabled on the host, and its audit socket must be accessible to the sensor.
FIM is disabled by default. Please contact email@example.com to enable it.
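The two prerequisites above (a sensor at version 0.5.0 or later, and a running audit subsystem) are the kind of thing worth checking in a script before rolling FIM out to a fleet. The following is an added example written for this page, not Intezer's sensor code; the version parser and the parser for `auditctl -s` output are hypothetical helpers, and the sample status text is constructed. The version check deliberately compares numeric tuples rather than strings, because a string comparison would rank "0.10.1" below "0.5.0".

```python
"""Prerequisite checks for enabling FIM: sensor version and kernel audit state.

Added example, not Intezer's sensor code. parse_version() and
audit_enabled() are hypothetical helpers written for this page.
"""
from __future__ import annotations

import re
import subprocess

# From the page: FIM is supported from sensor version 0.5.0.
MIN_FIM_SENSOR_VERSION = (0, 5, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v0.12.3' or '0.5.0-rc1' into a numeric tuple such as (0, 12, 3)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def sensor_supports_fim(version: str) -> bool:
    """True when the sensor is new enough for FIM (numeric, not lexical, comparison)."""
    return parse_version(version) >= MIN_FIM_SENSOR_VERSION


def audit_enabled(auditctl_status: str) -> bool:
    """Parse the 'key value' lines printed by `auditctl -s`.

    The kernel audit subsystem is on when 'enabled' is 1, or 2 (1 plus the
    configuration locked until reboot).
    """
    for line in auditctl_status.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "enabled":
            return value.strip() in ("1", "2")
    return False


def live_audit_enabled() -> bool:
    """Query this host (needs root). False when auditctl is not installed."""
    try:
        proc = subprocess.run(["auditctl", "-s"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False
    return audit_enabled(proc.stdout)


# Constructed sample of `auditctl -s` output on a host with auditing on.
SAMPLE_STATUS = (
    "enabled 1\nfailure 1\npid 812\nrate_limit 0\n"
    "backlog_limit 8192\nlost 0\nbacklog 0\n"
)

if __name__ == "__main__":
    print("sensor 0.10.1 supports FIM:", sensor_supports_fim("0.10.1"))
    print("sample host audit enabled:", audit_enabled(SAMPLE_STATUS))
    print("this host audit enabled:", live_audit_enabled())
```

`live_audit_enabled()` is the only function that touches the host; everything else works on strings, so the checks can be unit-tested against captured output before being run across a fleet.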
File integrity monitoring (FIM) is the process of detecting changes to critical system files, configuration files and content files. Intezer Protect detects file changes immediately as they occur and audits the events for further analysis.
Changes to sensitive files, and the creation or deletion of files in sensitive directories, may indicate a cyber attack. File modifications that are notably suspicious trigger an alert in the system, while other changes may only be audited. Auditing these changes increases visibility into the protected hosts and aids in investigating security incidents. For example, if an attacker was able to modify the users’ password file (/etc/shadow), the event will be audited and available for further investigation.
Enabling FIM can also help customers meet compliance requirements. Many compliance frameworks require FIM to be implemented. These frameworks include PCI DSS (Requirement 11.5), SOX (Section 404), HIPAA (NIST Publication 800-66) and SANS Critical Security Controls (CSC 3).
For these reasons, we recommend enabling File Integrity Monitoring on all protected hosts.
Navigation and Usage
FIM can be accessed in two ways:
- Main menu: Displays audit events for all hosts in the organization.
  - In the top menu, click on ‘Audit.’
- Single host screen: Displays all audit events related to a specific host.
  - In the main menu, click on ‘Hosts.’
  - Click on a specific host from the list.
  - Click on the ‘Audit’ tab.
For each event, the following details are displayed:
- Category: Icon identifying the element that was changed. Available icons identify:
  - Network socket
- Event Type: The type of event that occurred. The available events are:
  - Attribute changes (e.g. permissions and ownership changes)
- File Path: The path of the file that was modified. For moved files, both the source and destination paths are displayed.
- Hostname*: The host where the event took place.
- Platform*: The platform of the host where the event took place.
- K8s Cluster: The K8s cluster of the host where the event took place.
- User: The username of the user who made the change.
- Time: The time of the event.
* Displayed when accessing Audit via the main menu.
Searching for Events
Events can be searched by the following attributes:
- File path
- Performing user
The following filters are available:
- Event type: Filter events by their type.
- Low Priority Events: Hide low priority events that are less likely to pose a threat (e.g. temporary files and backup files).
- Time range: Filter events by the time of the event. For example, view only events from today or from the last seven days.
Click an event in the list for additional details, such as the executable that generated the event and the file’s permissions.
FIM monitors sensitive paths whose modification can indicate a cyber attack. For example, FIM generates an audit event for changes to the users’ password file, /etc/shadow. The default list of monitored paths is not disclosed for security reasons. To obtain the default list of monitored paths, or to change which paths are monitored in your environment, please contact firstname.lastname@example.org.
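To make the event model on this page concrete (the event types, the alert-versus-audit distinction from the overview, the Low Priority Events filter and the sensitive-path idea in the paragraph above), here is an added example of a minimal file integrity monitor. It is not Intezer Protect code: the product receives each change from auditd as it happens, whereas this version takes a baseline snapshot, re-scans, and diffs the two. The sensitive-path set and low-priority suffixes are constructed for the example (the product's real default list is not disclosed), and `run_demo()` builds a constructed scratch tree that stands in for a host's filesystem.

```python
"""Minimal file integrity monitor: baseline, re-scan, diff, classify.

Added example, not Intezer Protect code. A real sensor receives each
change from auditd as it happens; this polling version only shows the
event model (event type, path, priority) described on the page.
"""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed for the example; the product's real default list is not disclosed.
# /etc/shadow is the page's own example of a sensitive path.
SENSITIVE_PATHS = frozenset({"/etc/shadow", "/etc/passwd", "/etc/sudoers"})
LOW_PRIORITY_SUFFIXES = (".tmp", ".swp", ".bak", "~")  # temp and backup files


@dataclass(frozen=True)
class FileState:
    digest: str  # sha256 of the contents
    mode: int    # permission bits only
    uid: int
    gid: int


@dataclass(frozen=True)
class Event:
    event_type: str  # created | modified | attributes_changed | deleted
    path: str        # path as it would appear on the host, e.g. "/etc/shadow"
    priority: str    # alert | audit | low


def _state(path: Path) -> FileState:
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return FileState(h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def snapshot(root: Path) -> dict[str, FileState]:
    """Hash and stat every regular file under root. Paths are reported relative
    to root with a leading '/', so a scratch tree can stand in for a real host."""
    return {"/" + p.relative_to(root).as_posix(): _state(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def priority_for(path: str) -> str:
    if path in SENSITIVE_PATHS:
        return "alert"  # notably suspicious: raises an alert
    if path.endswith(LOW_PRIORITY_SUFFIXES):
        return "low"    # audited, but hidden by the default list filter
    return "audit"      # everything else is audited for later investigation


def diff(before: dict[str, FileState], after: dict[str, FileState]) -> list[Event]:
    events = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old is None:
            kind = "created"
        elif new is None:
            kind = "deleted"
        elif old.digest != new.digest:
            kind = "modified"
        elif (old.mode, old.uid, old.gid) != (new.mode, new.uid, new.gid):
            kind = "attributes_changed"  # permissions/ownership changed, content did not
        else:
            continue
        events.append(Event(kind, path, priority_for(path)))
    return events


def filter_events(events, hide_low_priority=True, event_types=None):
    """The two list filters from the UI: hide low-priority events, restrict by event type."""
    return [e for e in events
            if not (hide_low_priority and e.priority == "low")
            and (event_types is None or e.event_type in event_types)]


def run_demo() -> list[Event]:
    """Constructed scenario: baseline a scratch tree, make four kinds of change, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var" / "tmp").mkdir(parents=True)
        shadow, hosts = root / "etc" / "shadow", root / "etc" / "hosts"
        scratch = root / "var" / "tmp" / "session.tmp"
        shadow.write_text("root:$6$salt$hash:19000:0:99999:7:::\n")
        hosts.write_text("127.0.0.1 localhost\n")
        os.chmod(hosts, 0o644)
        scratch.write_text("scratch\n")
        baseline = snapshot(root)

        shadow.write_text("root:$6$salt$other:19000:0:99999:7:::\n")  # content change -> alert
        os.chmod(hosts, 0o600)                                          # attribute change -> audit
        scratch.unlink()                                                # temp file deleted -> low
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("* * * * * root /bin/true\n")  # created -> audit
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for e in run_demo():
        print(f"{e.priority:5} {e.event_type:18} {e.path}")
```

Content changes are checked before attribute changes, so a file whose contents and permissions both changed is reported once, as `modified`; a permission or ownership change on unchanged contents is the `attributes_changed` event type that the event list calls "Attribute changes".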