Manage File Integrity Monitoring Policies

Create file integrity policy definitions to monitor for file changes. A policy definition includes a target that identifies the type of object that you want to monitor. Some of the target types include directory, device, symbolic link, script, and executable.

You can assign attributes to the target type. An attribute is an action you want to monitor and includes the following examples:

  • File moves
  • File ownership changes
  • Date and time changes

A policy definition can contain more than one target.

Create a FIM Policy

To create a FIM policy:

  1. On the Home page, click Policy Management.
  2. Using the filtering options (or from the list), select a server.
  3. At the right of the server hostname row, click the vertical ellipsis menu icon, and then select FIM.
  4. Click Policies.
  5. At the right, click Create New FIM Policy.
  6. In the Create New Policy panel, enter a name for the policy.
  7. In the Change requested by [loggedInUserName] field, enter a reason for the change.
  8. Click Create.

To create a FIM rule for the policy:

  1. In the list, click the Policy name you have just created.
  2. On the Policy Details page, at the right, click Add New FIM Rule.
  3. In the Create new FIM rule panel, enter a Rule name.
  4. In the Change requested by [loggedInUserName] field, enter a reason for the change.
  5. Click Create.

To delete a FIM Rule, click the appropriate FIM policy to navigate to Policy Details > Rules. Click the trash bin icon to delete the FIM Rule for the policy.

To add a FIM target:

  1. On the Policy Details page, click on the rule name you have just created.
  2. On the Rule Definition Editor page, click Add New FIM Target to add a target to the definition.

An image of the FIM Target configuration screen in BeyondInsight for Unix & Linux.

  3. Select a Target type, and then set attributes you want to monitor.
  4. You can assign a policy risk rating. The accepted values are between 1 and 10. A risk rating weighs the severity of the monitored actions configured for the targets.
  5. In the Change requested by [loggedInUserName] field, enter a reason for the change.
  6. Click Save.
  7. On the Policy Details page, click on the rule you just created.

An image of the FIM Rule Definition Editor screen in BeyondInsight for Unix & Linux.

  8. On the Rule Definition Editor page, enter Included path entries. Optionally, check the boxes:
    • Recurse sub folders
    • Follow symlinks
    • Follow links off device

    The policy applies to all files in the path.

An image of the FIM Rules configuration screen in BeyondInsight for Unix & Linux.

  9. In the Change requested by [loggedInUserName] field, enter a reason for the change.
  10. Click Save.
  11. In the Exclude Paths section, enter paths that you do not want to monitor.
  12. In the Change requested by [loggedInUserName] field, enter a reason for the change.
  13. Click Save.
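
The following Python sketch is an added illustration, not BeyondTrust code and not a description of how the product is implemented. It models what an Included path, the Exclude Paths list, and the Recurse sub folders, Follow symlinks, and Follow links off device options mean for a scan, and how file moves, ownership changes, and time changes appear against a baseline. All function names and the sample tree are constructed for the example.

```python
import os
import tempfile

def excluded(path, excludes):
    # Excluded if the path equals an exclude entry or lies beneath one.
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in excludes)

def snapshot(include, excludes=(), recurse=True, follow_symlinks=False, off_device=False):
    """Map each monitored file to (inode, uid, gid, mtime_ns)."""
    root_dev, seen = os.stat(include).st_dev, {}
    for top, dirs, files in os.walk(include, followlinks=follow_symlinks):
        # Prune in place so os.walk never descends into skipped directories.
        dirs[:] = [d for d in dirs if recurse
                   and not excluded(os.path.join(top, d), excludes)
                   and (off_device or os.stat(os.path.join(top, d)).st_dev == root_dev)]
        for full in (os.path.join(top, f) for f in files):
            if not excluded(full, excludes):
                # A dangling symlink is recorded as the link itself.
                st = os.stat(full, follow_symlinks=follow_symlinks and os.path.exists(full))
                seen[full] = (st.st_ino, st.st_uid, st.st_gid, st.st_mtime_ns)
    return seen

def diff(old, new):
    """Return (event, path) tuples; a move is an inode reappearing at a new path."""
    gone = {old[p][0]: p for p in old if p not in new}  # inode -> vanished path
    events = []
    for p in sorted(new):
        if p in old:
            if old[p][1:3] != new[p][1:3]:
                events.append(("ownership_changed", p))
            if old[p][3] != new[p][3]:
                events.append(("time_changed", p))
        elif new[p][0] in gone:
            events.append(("moved", gone.pop(new[p][0]) + " -> " + p))
        else:
            events.append(("added", p))
    return events + [("removed", p) for p in sorted(gone.values())]

def demo():  # baseline a constructed tree, change it, return the events
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(os.path.realpath(tmp), "etc")
        os.makedirs(os.path.join(etc, "cache"))
        for rel in ("app.conf", "old.sh", "cache/tmp.dat"):
            open(os.path.join(etc, rel), "w").close()
        rule = dict(include=etc, excludes=[os.path.join(etc, "cache")])
        before = snapshot(**rule)
        os.utime(os.path.join(etc, "app.conf"), ns=(1, 1))
        os.utime(os.path.join(etc, "cache/tmp.dat"), ns=(1, 1))  # excluded path
        os.rename(os.path.join(etc, "old.sh"), os.path.join(etc, "new.sh"))
        return [(e, p.replace(etc, "")) for e, p in diff(before, snapshot(**rule))]
```

Matching moves by inode is a simplification: a filesystem can reuse the inode of a deleted file, so a delete followed by a create may be reported as a move.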

Clone a FIM Policy

You may want to clone a policy in order to make a backup, or use it as a template to create a new one. On the File Integrity Monitoring page, select the clone icon on an existing policy, enter a unique Policy name, and click Clone.

Each policy requires a unique name. In order to clone a policy, you must give it a new name; otherwise, the Clone button does not activate.

Delete a FIM Policy

To delete a FIM policy:

  1. Go to the Policy Management page.
  2. Using the filtering options (or from the list), select a server.
  3. At the right of the server hostname row, click the vertical ellipsis menu icon, and then select FIM.
  4. Click Policies.
  5. In the FIM Policies list, click the trash bin icon at the right of the policy you want to remove, and then click Delete to confirm.