What is File Integrity Monitoring and how to implement it?

When you talk about security in your systems, there is this component that will come again and again. This component is FIL or File Integrity Monitoring. Whether you are trying to get a PCI DSS certification or normally increasing security to the next level you have to take this in mind.

FIM or File Integrity Monitoring

This is a process of monitoring the state of the operating system and files by comparing it with a known good base-line to verify the changes that are done.

It uses a method called a checksum. The checksum is calculated of the files that are present and is compared with the known good baseline of file.

With FIM you try to keep a watch on files which when change can cause security issues or can be an indicator of an ongoing security breach.

This is required for many certifications such as PCI-DSS, HIPAA, etc. It is a way to make sure any unexpected changes in the system can be caught. This process of comparing files can run real-time, on particular fixed intervals or randomly.

What is File Integrity Monitoring and how to implement it?

How you can implement it?

I will talk about open source security tools that can be used to implement it. The name of the tool is Wazuh. It has a module that can be used to implement this feature.

Wazuh works on manager agent mode. You install a centralized manager and install the agents on the nodes that you want to keep watch on. Agents run a scan on regular intervals or as per configurations and post the updates to the manager.

Agents

Agents can be installed on any type of machine following the below documentation. Please note this has to be installed on the machine and cannot be deployed as a Kubernetes object till now.

https://documentation.wazuh.com/3.13/installation-guide/installing-wazuh-agent/

Manager

Normal Installation

Now you can install the manager on a machine following the below link.

https://documentation.wazuh.com/3.13/installation-guide/installing-wazuh-manager/index.html

Docker Installation

Or you can install it using docker as per the documentation below.

https://documentation.wazuh.com/3.13/docker/index.html

Kubernetes Installation

You also have the option to install it on Kubernetes and can ask your agents to talk to managers on Kubernetes.

https://documentation.wazuh.com/3.13/deploying-with-kubernetes/index.html

This was a very basic overview and installation steps for FIM. In our next article, we will take a look at how we can deploy this on Kubernetes.

It also has a way to integrate with Splunk and ELK [Elasticsearch logstash and Kibana] for visualization.

In our next article, I will try to implement FIM with the proper deployment of ELK stack.


Gaurav Yadav

Gaurav is cloud infrastructure engineer and a full stack web developer and blogger. Sportsperson by heart and loves football. Scale is something he loves to work for and always keen to learn new tech. Experienced with CI/CD, distributed cloud infrastructure, build systems and lot of SRE Stuff.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Are you preparing for DevOps and SRE Interview?

Here is a book for you.


Interview preparation and interview questions for DevOps and SRE






A good reads for last-minute preparations for handling DevOps and SRE interviews at companies like LinkedIn, Visa, Atlassian, etc.