When you talk about security in your systems, there is this component that will come again and again. This component is FIL or File Integrity Monitoring. Whether you are trying to get a PCI DSS certification or normally increasing security to the next level you have to take this in mind.
FIM or File Integrity Monitoring
This is a process of monitoring the state of the operating system and files by comparing it with a known good base-line to verify the changes that are done.
It uses a method called a checksum. The checksum is calculated of the files that are present and is compared with the known good baseline of file.
With FIM you try to keep a watch on files which when change can cause security issues or can be an indicator of an ongoing security breach.
This is required for many certifications such as PCI-DSS, HIPAA, etc. It is a way to make sure any unexpected changes in the system can be caught. This process of comparing files can run real-time, on particular fixed intervals or randomly.
How you can implement it?
I will talk about open source security tools that can be used to implement it. The name of the tool is Wazuh. It has a module that can be used to implement this feature.
Wazuh works on manager agent mode. You install a centralized manager and install the agents on the nodes that you want to keep watch on. Agents run a scan on regular intervals or as per configurations and post the updates to the manager.
Agents can be installed on any type of machine following the below documentation. Please note this has to be installed on the machine and cannot be deployed as a Kubernetes object till now.
Now you can install the manager on a machine following the below link.
Or you can install it using docker as per the documentation below.
You also have the option to install it on Kubernetes and can ask your agents to talk to managers on Kubernetes.
This was a very basic overview and installation steps for FIM. In our next article, we will take a look at how we can deploy this on Kubernetes.
It also has a way to integrate with Splunk and ELK [Elasticsearch logstash and Kibana] for visualization.
In our next article, I will try to implement FIM with the proper deployment of ELK stack.