Capabilities of File Integrity Monitoring

You can configure File Integrity Monitoring (FIM) rules in F5 Distributed Cloud App Infrastructure Protection (AIP). Testing your FIM rules allows you to verify that your system is properly configured.

Example of FIM Commands and Alerts

Distributed Cloud AIP allows for the following actions to be monitored on any given file path:

  • Creation
  • Opening
  • Modifying
  • Closing
  • Deleting

Important

The Distributed Cloud AIP Agent depends on inotify to populate FIM events. Due to inotify limitations, Distributed Cloud AIP cannot provide information about the user that triggers a FIM Create, Delete, or Move event. For more information, see Exceptions for FIM Create, Delete, and Move Events.

How do I test the FIM rules?

You can test FIM by performing the above actions (examples below) on files within monitored directories. If you need help understanding which directories Distributed Cloud AIP monitors, see Overview of File Integrity Monitoring.

Note

This is a limited list of commands to give you an idea of ways to test FIM within Distributed Cloud AIP.

Command line: vi [filename]
Explanation: Opens the file with the vi text editor
Example event types: ‘access’, ‘open’, and ‘close’

Command line: echo [enter text] > secretfile
Explanation: Takes text and adds it to the end of a file
Example event types: ‘modify’, ‘close’, ‘write’, and ‘open’

Command line: wget
Explanation: Downloads a file from the internet
Example event types: ‘modify’, ‘open’, ‘close’, and ‘write’

Command line: curl
Explanation: Downloads a file from the internet
Example event types: ‘modify’, ‘open’, ‘close’, and ‘write’

Command line: scp outsidehost:/file secretfile
Explanation: Copies a file from an outside host to your system
Example event types: ‘open’, ‘modify’, ‘close’, and ‘write’

Command line: scp secretfile outsidehost:/file
Explanation: Takes a file from your system and copies it to an outside host
Example event types: ‘open’, ‘access’, and ‘close’
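To see for yourself which inotify event types a test action generates before you look for the alert in Distributed Cloud AIP, here is an added example that is not part of this article or of the AIP agent. It calls the Linux inotify API directly from Python through ctypes, mimics the ‘echo [enter text] > secretfile’ row and then a read-only open of the same file, and reports the event names; the function names watch_events, echo_redirect, read_back and demo are this example's own, and the scratch directory it uses is constructed, not a path the agent monitors. The event header it decodes has no user field, consistent with the inotify limitation noted above.

```python
# Added example (not from the article or the AIP agent): observe inotify event types via ctypes.
import ctypes
import os
import struct
import tempfile

# Mask bits from <sys/inotify.h>. The event header is wd, mask, cookie, len: no uid field.
IN_ACCESS, IN_MODIFY, IN_CLOSE_WRITE, IN_CLOSE_NOWRITE, IN_OPEN = 0x1, 0x2, 0x8, 0x10, 0x20
IN_MOVED_FROM, IN_MOVED_TO, IN_CREATE, IN_DELETE = 0x40, 0x80, 0x100, 0x200
NAMES = {IN_CREATE: "create", IN_OPEN: "open", IN_ACCESS: "access", IN_MODIFY: "modify",
         IN_CLOSE_WRITE: "close", IN_CLOSE_NOWRITE: "close", IN_DELETE: "delete",
         IN_MOVED_FROM: "move", IN_MOVED_TO: "move"}
EVENT_HDR = struct.Struct("iIII")
libc = ctypes.CDLL(None, use_errno=True)  # dlopen(NULL): the process's symbols, including libc
libc.inotify_init1.argtypes = [ctypes.c_int]
libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]

def watch_events(action, dirpath):
    """Run action(dirpath) under a watch on dirpath; return distinct event names in order."""
    fd = libc.inotify_init1(os.O_NONBLOCK)  # IN_NONBLOCK has the same value as O_NONBLOCK
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1 failed")
    try:
        if libc.inotify_add_watch(fd, dirpath.encode(), sum(NAMES)) < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
        action(dirpath)  # the syscalls it makes queue their events synchronously
        try:
            buf = os.read(fd, 65536)  # one read returns every event queued so far
        except BlockingIOError:
            buf = b""  # nothing was queued
    finally:
        os.close(fd)
    seen, off = [], 0
    while off < len(buf):
        _wd, mask, _cookie, name_len = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size + name_len
        seen += [n for bit, n in NAMES.items() if mask & bit and n not in seen]
    return seen

def echo_redirect(dirpath):  # mimics the table row: echo text > secretfile
    with open(os.path.join(dirpath, "secretfile"), "w") as f:
        f.write("text\n")

def read_back(dirpath):  # mimics a read-only open, like vi [filename] followed by :q
    with open(os.path.join(dirpath, "secretfile")) as f:
        f.read()

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed scratch directory, not a monitored path
        return {"write": watch_events(echo_redirect, d), "read": watch_events(read_back, d)}
```

Run demo() on a Linux host: the write action yields create, open, modify and close, while the read-only open yields open, access and close, matching the ‘modify’ versus ‘access’ split in the rows above.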

Example

Running the “vi” command to trigger an event and alert.

  1. Choose a file that should be monitored within Distributed Cloud AIP
  2. Navigate to that file’s directory
  3. Type ‘vi [filename]’
  4. Result: File opens in vi
  5. To exit vi enter “:q”

Note

FIM events can take up to a minute to display within the Distributed Cloud AIP system.

Where can I view my results?

  1. Go to the Alerts tab on the left-hand side.
  2. Select the Sev 3 tab to display Severity 3 alerts.

Result: You should see an alert for the event that you triggered.


What if I don’t see an alert for the event?

See the FIM Troubleshooting Guide or contact support.
