File Integrity Monitoring (FIM) is a security process used to monitor the integrity of system and application files. FIM is an important defensive layer for any organization that monitors sensitive assets. It protects sensitive data, application and device files by monitoring them, routinely scanning them, and verifying their integrity. It helps organizations detect changes to critical files on their systems, which reduces the risk of data being stolen or compromised. Catching such changes early can save time and money otherwise lost to reduced productivity, lost revenue, reputation damage, and legal and regulatory compliance penalties.
- Wazuh Agent Manager
- Wazuh Server
- Make sure the Wazuh agent and server are on the same network
<directories check_all="yes" realtime="yes" report_changes="yes">FILEPATH/OF/MONITORED/DIRECTORY</directories>
When you configure the FIM module to monitor specific files and directories, it records the metadata of the files and monitors them. The directories option supports several attributes.
The report_changes attribute allows the FIM module to report the exact content changed in a text file. This records the text added to or deleted from a monitored file. The allowed values for this attribute are yes and no.
The realtime attribute enables real-time/continuous monitoring of directories on Windows and Linux endpoints only. The allowed values for the realtime attribute are yes and no, and it only works with directories, not individual files.
Replace FILEPATH/OF/MONITORED/DIRECTORY with the directory you want to monitor.
Add the directories entry above inside the <syscheck> block of the Wazuh agent configuration file, which is located at the following path:
Linux: /var/ossec/etc/ossec.conf
Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
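To make concrete what the settings above ask the agent to do, here is an added example (not code from the page or from the Wazuh project): it parses the <directories> entries of an ossec.conf, rejects attribute values other than yes/no, builds a snapshot of a directory with the md5, sha1 and sha256 digests that an FIM alert reports, and compares two snapshots to produce added/modified/deleted events, including a text diff when report_changes is yes. The function names, the event dictionary layout and any sample paths are this example's own assumptions, not Wazuh's.

```python
# Added example (not from the page or the Wazuh project): a minimal model of what the
# syscheck <directories> settings make the agent do, to show what an FIM alert carries.
import difflib
import hashlib
import os
import xml.etree.ElementTree as ET

ALLOWED = ("yes", "no")  # the only valid values for check_all / realtime / report_changes

def parse_directories(ossec_conf_xml):
    """Return [(path, attrs)] for each <directories> under <syscheck>; bad attribute values raise."""
    root = ET.fromstring(ossec_conf_xml)
    entries = []
    for syscheck in root.iter("syscheck"):
        for node in syscheck.findall("directories"):
            attrs = {k: node.get(k, "no") for k in ("check_all", "realtime", "report_changes")}
            bad = [k for k, v in attrs.items() if v not in ALLOWED]
            if bad:
                raise ValueError(f"{node.text}: attributes {bad} must be 'yes' or 'no'")
            entries.append((node.text.strip(), attrs))
    return entries

def hash_bytes(data):
    """The three digests an FIM alert records for a file."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def snapshot(directory):
    """Walk a monitored directory; keep hashes plus a copy of the content (needed for report_changes)."""
    snap = {}
    for dirpath, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            snap[path] = {"hashes": hash_bytes(data), "content": data}
    return snap

def diff_snapshots(old, new, report_changes="no"):
    """Compare two snapshots and emit added / modified / deleted events (with a diff if report_changes='yes')."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append({"path": path, "event": "added", "hashes": new[path]["hashes"]})
        elif path not in new:
            events.append({"path": path, "event": "deleted"})
        elif old[path]["hashes"] != new[path]["hashes"]:
            ev = {"path": path, "event": "modified", "hashes": new[path]["hashes"]}
            if report_changes == "yes":  # report exactly which text was added or removed
                before = old[path]["content"].decode("utf-8", "replace").splitlines(keepends=True)
                after = new[path]["content"].decode("utf-8", "replace").splitlines(keepends=True)
                ev["diff"] = "".join(difflib.unified_diff(before, after, "before", "after"))
            events.append(ev)
    return events
```

Run snapshot() twice on a constructed directory (before and after editing or deleting a file) and feed both to diff_snapshots() to see the same kinds of events that appear under the Integrity Monitoring tab.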
Figure (1): Wazuh agent configuration
When changes are made in a monitored directory, alerts are shown in the dashboard under the agent's Integrity Monitoring tab.
The same alerts are also shown under the agent's Events tab.
Each alert carries hashes of the monitored file computed with different hashing algorithms.
When files are removed from a monitored directory, alerts are likewise shown in the dashboard under the agent's Integrity Monitoring tab.
Detailed analysis of a File Integrity Monitoring alert.
In this tutorial, File Integrity Monitoring with the Windows Wazuh agent was demonstrated. Practice more and become an expert!
3/29/2024
Contributed By - Jord@n