File integrity monitoring (FIM) is a cybersecurity process and technology that tests and checks operating system (OS), database, and application software files to determine if they have been corrupted or tampered with. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.”
File integrity monitoring software will scan, analyze, and report on unexpected changes to important files in an IT environment. In so doing, file integrity monitoring provides a critical layer of file, data, and application security, while also aiding in the acceleration of incident response and remediation.
File integrity monitoring encompasses both reactive (forensic) auditing as well as proactive, rules-based active monitoring.
In this blog, I’ll cover the basics of FIM, including why it’s important, common FIM use cases, files it protects, and must-have file integrity monitoring capabilities.
File Integrity Monitoring Use Cases
The four most common file integrity monitoring use cases include:
- Detecting illicit activity: If a cyber threat actor breaches your IT environment, you will need to know (for both auditing, breach reporting, and security purposes) whether or not they have altered any files, especially those that are critical to your applications or operating systems. Even if log files and other detection systems are avoided or tampered with to try to cover the attacker’s tracks, FIM can still identify changes to important parts of your IT ecosystem. With FIM in place, you can ensure an extra measure of protection that monitors and safeguards the integrity of your files, applications, operating systems, and data.
- Diagnosing unwanted changes: Sometimes, file changes are inadvertently made by an admin or other employee. The consequences of these alterations may be negligible, and thus, be overlooked. However, in many other instances, these accidental file changes can open up dangerous security backdoors, or wreak havoc with applications/system functions, and disrupt business continuity. With FIM in place, you can easily pinpoint the errant change responsible for dysfunctions, and some file integrity monitoring solutions will even allow you to directly roll back the change(s).
- Confirming update status and monitoring system health: You can apply FIM to verify whether or not files have been patched to the latest version by scanning installed versions across multiple locations and machines with the post-patch checksum.
- Addressing compliance mandates: The core FIM capabilities of auditing file changes, and monitoring and reporting on file alteration attempts and changes are needed for compliance with regulatory mandates such as GLBA, SOX, HIPAA and PCI DSS.
File Integrity Monitoring in Windows, Unix, & Linux Environments
FIM is an important capability across Windows, Linux, and Unix environments. Windows leverages the registry for most of its configuration, combined with the Win32 API, which is a tightly controlled and restricted area.
In Linux and Unix environments, configurations are considerably more exposed as part of the overall file system. Consequently, Linux and Unix are more vulnerable to direct attacks and hacked binary executables. Cyber attackers can easily inject malicious code by updating and replacing core files in Linux or Unix.
Ideally, FIM should track changes to OS, database, directory, application, and critical business files, alert you to any sensitive or suspicious changes. Core areas to audit change control include:
- Windows — OS, bootup / startup, password, Active Directory, Exchange SQL, etc. (Learn more about Windows Auditing)
- Linux / Unix — boot loader, kernel parameters, daemons and services, run commands, cron jobs, profiles, hosts, etc.
Native Auditing Tools or Enterprise FIM Solutions?
File integrity monitoring analyzes file characteristics to create a “digital fingerprint.” This fingerprint can then be compared to a known, good baseline fingerprint.
Native auditing tools provide some basic functionalities, but all generally suffer from significant shortcoming, such as decentralized storage of the security logs from multiple domain controllers, lack of information within the log entry regarding the old settings, and inability to recover the object/configuration from the audit log, amongst many others.
Thus, enterprises with even modest amounts of IT complexity require enterprise solutions that provide FIM capabilities.
Enterprise FIM software should examine many aspects of files, including:
- Created, modified, and accessed settings and permissions
- Security and privilege settings
- Content of the file
- Core attributes and size
- Hash values, based on file contents
- Configuration values
File integrity monitoring may be performed as a continual, snapshot, or regular basis.
Your FIM tool should monitor all components of your IT ecosystem, including:
- Network devices and servers
- Workstations and remote devices
- Databases, directories, OS, and middleware
- Cloud-based services
- Hypervisor configuration, and Active Directory
At minimum, an enterprise solution should provide change management, real-time logging, centralized logging and reporting, and alerts. Often, file integrity monitoring is part of a broader auditing and security platform that will include other capabilities, such as automated rollback of changes to an earlier, trusted state.
Ultimately, a good FIM solution should help you rapidly and clearly diagnose the who, what, where, and when for every important access and change event.
File Integrity Monitoring Resources
- The Most Important Linux Files to Protect (and How) (blog)
- Best Practices for Auditing Changes in Active Directory (white paper)
- Linux Security: Top Files and Directories to Monitor in Linux to Catch Attackers (webcast)
- BeyondTrust Auditor (Windows change auditing solution page)
- BeyondTrust Adds File Integrity Monitoring for Unix and Linux Systems (press release)