Click here to expand

    File Integrity Monitoring (FIM)

    File Integrity Monitoring is a feature that helps you monitor all changes (addition/deletion/modification) made to files and folders in Windows and Linux systems.

    Important Note:
    1. It is recommended that FIM be implemented for strictly necessary files and folders so as to avoid disk space issues that may rise due to the high volume of generated logs.
    2. In Windows FIM module, both Windows server and Windows file server license are required for monitoring.

    Prerequisites for File Integrity Monitoring

    Windows:

    • When you enable File Integrity Monitoring for Windows, certain access policies will be automatically enabled on the file server. If there are overriding GPOs for audit policy in your domain, follow the below procedure to manually enable them
      • In administrator command prompt enter the command,
        auditpol/get/category:"Object Access"
      • Then proceed to enable the following access policies
        • Audit file share
        • Audit file system
        • Audit handle manipulation
        • Audit detailed file share
        • Audit other object access events.
    • SACLs should be enabled for the monitored file/folders. These are automatically enabled by the product. If not, manually update SACLs with the following permissions (see how)
      • Execute files/ traverse folder
      • Write data/create files
      • Append data/create folders
      • Write attributes
      • Write extended attributes
      • Delete subfolders and files
      • Delete read permissions
      • Change permissions
      • Take ownership

    Linux:

    • The SSH server should be installed in the Linux machine (mandatory only for installation).
    • Ensure that the audit daemon is installed and configured on your Linux machines. Also ensure that the
      • Linux kernel version is 2.6.25 or higher
      • Linux audit framework version is higher than 1.8
    • If the syscall block rule and immutable rule are enabled rules from /etc/audit/audit.rules, please remove the following rules:
      • Syscall block rule, -a never,task
      • Immutable rule, -e 2
    • If you are enabling auditing for SUSE machines, set the following rule:
      • Navigate to /etc/sysconfig/auditd
      • Set AUDITD_DISABLE_CONTEXTS = no
    • If Security-Enhanced Linux (SELinux) exists then it must either be in the permissive mode or disabled:
      • Check SELinux status using the command: getenforce.
      • If the status is 'Enforced', navigate to file/etc/selinux/config and make this edit: SELINUX = permissive.
      • Restart the server.

    Note: Configuring FIM for Linux audits the following actions on Linux files:

    • Read
    • Write
    • Execute
    • Attribute change

    Configuring File Integrity Monitoring

    To configure File Integrity Monitoring, go to

    • Navigate to Settings > Configurations > Manage File Integrity Monitoring.
    • Depending on which device the files and folders that you wish to monitor are located in, click on either the Windows or Linux tab.
    • Click Add FIM.
    • Pick the device in which the files/folders are located, enter correct credentials, browse and select the files and folders you wish to monitor. Alternatively, you can enter the location of the files/folders.
    Note: For Linux devices, in addition to entering the details mentioned above, you will also be prompted to enter the SSH port number.
    • The Exclude Filter gives you an option to exclude
      1. Certain file types.
      2. Certain sub-locations within the main location.
      3. All sub-locations within the main location.
    • If you want to know who has made the change to the file or folder, check the Audit Username checkbox.
    • Note: For Linux devices, username is audited by default.
    • Click Configure.

    Configuring Bulk File Integrity Monitoring

    If the same files and folders located in multiple devices need to be added for monitoring, then the Bulk File Integrity Monitoring feature can be used.

    • Navigate to Settings > Configurations > Manage File Integrity Monitoring.
    • Depending on which device the files and folders that you wish to monitor are located in, click on either the Windows or Linux tab.
    • Click Add FIM. Select Configure multiple devices on the top right corner.
    • Pick the device in which the files/folders are located, enter correct credentials, and select the file template(s).
    Note: For Linux devices, in addition to entering the details mentioned above, you will also be prompted to enter the SSH port number.
    • Click Configure.
    Notes: 
    • If an agent is already installed in the device whose files you want to monitor, file monitoring will automatically be enabled in the agent.
    • If no agent is installed in the device for which you want to monitor the files, then an agent will be installed and file monitoring will be enabled in the agent.
    • Please note that the volume of logs generated for each change occurring on the folders can affect the performance of the file server. It is a recommended practice to limit file/folder monitoring to the required files/folders.

    Manage File Integrity Monitoring (FIM) Templates

    If the same file or folder needs to be monitored in a number of devices, then a template can be created and assigned to these devices. To create a FIM template follow the steps below:

    • Navigate to Settings > Configurations > Manage File Integrity Monitoring > FIM Templates.
    • Depending on which device the files and folders that you wish to monitor are located in, click on either the Windows or Linux tab.
    • Click Add FIM.
    • Enter a name for the template and select the locations of the files and folders.
    • Alternatively, you can enter the location of the files/folders.

    • The Exclude Filter gives you an option to exclude
      1. Certain file types.
      2. Certain sub-locations within the main location.
      3. All sub-locations within the main location.
    • If you want to know who has made the change to the file or folder, check the Audit Username checkbox.
    • Click Configure.

    All the created templates are listed in a tabular column with an option to edit / delete them.

    Don't see what you're looking for?

    •  

      Visit our community

      Post your questions in the forum.

       
    •  

      Request additional resources

      Send us your requirements.

       
    •  

      Need implementation assistance?

      Try onboarding

       
    Get download link