Manage File Integrity Monitoring (FIM) Policies

Create file integrity policy definitions to monitor for file changes. A policy definition includes a target that identifies the type of object that you want to monitor. Some of the target types include directory, device, symbolic link, script, and executable.

You can assign attributes to the target type. An attribute is an action you want to monitor and includes the following examples:

  • File moves
  • File ownership changes
  • Date and time changes

A policy definition can contain more than one target.

Create a FIM Policy

To create a FIM policy:

  1. Go to Policy Management > Server Details > File Integrity Monitoring.
  2. Click Create New FIM Policy and enter a name for the policy.
  3. Click Add New FIM Rule to create a policy definition and enter a Rule name.

To delete a FIM Rule, click the appropriate FIM policy to navigate to Policy Details > Rules. Click the trash bin icon to delete the FIM Rule for the policy.

  4. Click Add New FIM Target to add more targets to the definition.
  5. Select a Target type, and set attributes you want to monitor.
  6. A risk rating value can be assigned. The accepted values are from 1 to 10. A risk rating weights the severity of the monitored actions configured for the targets.
  7. On the Rule Definition Editor page, enter Included path entries. Optionally, check the boxes:
    • Recurse sub folders
    • Follow symlinks
    • Follow links off device

    The policy will apply to all files in the path.
  8. Enter paths that you do not want to monitor in the Exclude Paths section.
  9. Click Save.
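
The following is an added illustration, not BeyondInsight for Unix & Linux code or its policy format. It models how included paths, excluded paths, and the three optional check boxes determine which files a rule covers, and how ownership and date/time changes would then be detected. The names `Rule`, `snapshot`, and `diff` are hypothetical, and the option semantics shown are assumptions.

```python
import os
from dataclasses import dataclass, field

@dataclass
class Rule:  # hypothetical model of one rule definition, not the product's format
    include: list
    exclude: list = field(default_factory=list)
    recurse: bool = False
    follow_symlinks: bool = False
    follow_off_device: bool = False
    risk: int = 5  # the page accepts values from 1 to 10

def snapshot(rule):  # -> {path: (uid, gid, mtime_ns)} for every covered file
    state = {}
    skip = tuple(e.rstrip("/") + "/" for e in rule.exclude)
    for root in rule.include:
        root_dev, stack, seen = os.stat(root).st_dev, [root], set()
        while stack:
            directory = stack.pop()
            real = os.path.realpath(directory)
            if real in seen:  # guard against symlink loops
                continue
            seen.add(real)
            for entry in os.scandir(directory):
                if (entry.path + "/").startswith(skip):  # excluded path or below it
                    continue
                try:
                    st = entry.stat()  # resolves symlinks
                except OSError:        # dangling link or file removed mid-scan
                    continue
                if entry.is_symlink() and not (rule.follow_symlinks and
                        (st.st_dev == root_dev or rule.follow_off_device)):
                    continue
                if entry.is_dir():
                    if rule.recurse:
                        stack.append(entry.path)
                else:
                    state[entry.path] = (st.st_uid, st.st_gid, st.st_mtime_ns)
    return state

def diff(before, after, rule):  # -> [(path, change, risk), ...]
    events = []
    for path in sorted(before.keys() | after.keys()):
        old, new = before.get(path), after.get(path)
        if old != new:
            kind = ("added" if old is None else "removed" if new is None
                    else "ownership" if old[:2] != new[:2] else "mtime")
            events.append((path, kind, rule.risk))
    return events
```

In this model a file move appears as a "removed" event at the old path and an "added" event at the new one.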

Clone a FIM Policy

You may want to clone a policy in order to make a backup, or use it as a template to create a new one. On the File Integrity Monitoring page, select the clone icon on an existing policy, enter a unique Policy name, and click Clone.

Each policy requires a unique name. In order to clone a policy, you must give it a new name; otherwise, the Clone button does not activate.

Delete a FIM Policy

To delete a FIM policy:

  1. Go to Policy Management > Server Details > File Integrity Monitoring.
  2. In the FIM Policies list, click the trash bin icon on the policy you want to remove and confirm by clicking Delete.

Manage FIM Policy Assignment

To manage FIM policy assignment:

  1. Go to the Policy Management page.
  2. In the Hostname list, select a server entry.
  3. Click the Quick Actions menu and select Manage FIM policy assignment.
  4. Select a Policy name from the dropdown menu.
  5. Use the check boxes to select servers for FIM policy assignment.
  6. Click Apply.

If you want to remove an Assigned FIM Policy, select the Policy name called No policy assignment and apply it to the server.