Overview of File Integrity Monitoring
File Integrity Monitor (FIM)
Threat Stack offers File Integrity Monitoring (FIM) as part of the Host Intrusion Detection feature.
This provides continuous security monitoring and helps you achieve:
- Integrated near real-time monitoring of any changes to critical files or directories on all business critical systems with a very low footprint.
- Notifications and alerts for any file modification events and access events (e.g., open, copy, move, create, view, and modify).
- Rich, context-based audit trail with system state context for reducing false positives while maintaining complex compliance requirements.
- Alerting rules for differentiated alerting and notification mechanisms based on the severity of the event, asset value and the context of the event.
Base Rule Set Review
Threat Stack provides a library of predefined File Monitoring rules within the Base Rule Set for the most common use cases. The Base Rule Set includes:
- File: Configuration File Changes
- File: System File Changes
- File: Secret File Opens
The “File: Configuration File Changes” rule monitors changes to your system’s configuration files, specifically the /etc/ directory.
The “File: System File Changes” rule monitors changes to your system-specific files. By default, it monitors changes in the following directories:
- /usr/sbin/
- /bin/
- /sbin/
- /lib/
The “File: Secret File Opens” rule monitors changes to identified important directories. By default, Threat Stack sets this rule to monitor one directory: “/home/ubuntu/.aws/”. You can add any important directories to this rule to enable monitoring.
To learn how to add a new directory to the “File: Secret File Opens” rule, see “Useful Workflows & Processes” below.
Important
The “File: Configuration File Changes” and the “File: System File Changes” rules monitor “Modify” events. The "File: Secret File Opens" rule monitors “Open” events.
Useful Workflows & Processes
You can modify the rule sets that Threat Stack provides or create additional rule sets that are specific to your environment. A rule can monitor multiple files or directories, or only a single critical file, such as an application configuration (.conf) file.
Workflows and topics that you might find useful include:
- Add a New Directory to “File: Secret File Opens”
- Change a Tag on a Rule Set
- Configure an Event Query, Alert rules, and Suppression Filters
- How do I Configure File Integrity Monitoring (FIM) Rules?
These workflows are not unique to FIM, but you can apply the same logic and workflow on the Rulesets page.
Add a New Directory
Follow these instructions to add new directories to the “File: Secret File Opens” rule within Threat Stack.
1) Within the Rulesets tab, go to the Base Rule Set section.
2) Select the Show More link to expand and display additional rules in the Base Rule Set section.
3) Select File: Secret File Opens to display the File: Secret File Open Details section on the right side.
4) Scroll to the File Paths to Monitor section.
5) Select the Add another path button and enter the new path name in the Enter a path field.
Optional
What is Recursive Monitoring?
Recursive monitoring means that Threat Stack monitors changes in the specified directory and in all of the subdirectories within it.
You can enable Recursive Monitoring by checking the Recursive? check box.

6) Save the new path by clicking the Update Rule Paths button.
Congratulations! You created a new path for Threat Stack to monitor.
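To check what a path list actually covers before relying on it, the following added example (not Threat Stack code, and not how the agent is implemented) models the three base rules as path, event type and Recursive? flag, then reports which rule a file event would match. Rule names, directories and event types come from this article; the recursive flag values, the class and function names, and the sample file paths are assumptions constructed for illustration.

```python
import posixpath
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class MonitoredPath:
    path: str
    recursive: bool  # models the "Recursive?" check box

@dataclass(frozen=True)
class Rule:
    name: str
    event: str       # "modify" or "open", per the Important note above
    paths: tuple

# Names, directories and event types are from the article. The recursive
# values are constructed for this example, not Threat Stack defaults.
RULES = (
    Rule("File: Configuration File Changes", "modify",
         (MonitoredPath("/etc/", True),)),
    Rule("File: System File Changes", "modify",
         tuple(MonitoredPath(p, False)
               for p in ("/usr/sbin/", "/bin/", "/sbin/", "/lib/"))),
    Rule("File: Secret File Opens", "open",
         (MonitoredPath("/home/ubuntu/.aws/", False),)),
)

def covers(mp, file_path):
    """Return True if file_path lies under the monitored directory.

    Paths are normalized lexically ("..", trailing slashes); symlinks are
    not resolved. Comparison is per path component, so "/etc-backup" is
    never mistaken for a child of "/etc".
    """
    root = PurePosixPath(posixpath.normpath(mp.path))
    target = PurePosixPath(posixpath.normpath(file_path))
    if mp.recursive:
        return root in target.parents   # any depth below root
    return target.parent == root        # direct children only

def matching_rules(event, file_path, rules=RULES):
    """Names of the rules whose event type and paths match this event."""
    return [r.name for r in rules
            if r.event == event and any(covers(p, file_path) for p in r.paths)]

if __name__ == "__main__":
    for ev, path in (("open", "/home/ubuntu/.aws/credentials"),
                     ("open", "/home/ubuntu/.aws/sso/cache/token.json"),
                     ("modify", "/etc-backup/passwd")):
        print(ev, path, "->", matching_rules(ev, path) or "not covered")
```

With the non-recursive flag assumed here, a file in a subdirectory of /home/ubuntu/.aws/ is not covered until Recursive? is checked for that path.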