File Integrity Monitoring (FIM) is an IT security control that monitors and detects file changes in computer systems. It helps organizations audit important files and system configurations by routinely scanning and verifying their integrity. Most information security standards mandate the use of FIM for businesses to ensure the integrity of their data.
IT security compliance involves adhering to applicable laws, policies, regulations, procedures, and standards issued by governments and regulatory bodies such as PCI DSS, ISO 27001, TSC, GDPR, and HIPAA. Failure to comply with these regulations can lead to severe consequences such as cyber breaches, confidential data loss, financial loss, and reputational damage. Therefore, organizations must prioritize adherence to IT regulations and standards to mitigate risks and safeguard their information systems effectively.
The rapid pace of technological advancement and a shortage of skilled cybersecurity professionals contribute to compliance difficulties. To effectively meet these regulations, businesses need to strategically plan, allocate resources to cybersecurity efforts, and thoroughly classify and protect their data assets.
Compliance with cybersecurity regulations and standards is important for businesses of all sizes. These regulations require implementing specific cybersecurity measures, policies, and processes. By adhering to these standards, organizations ensure the transparency and integrity of their cybersecurity practices. Some benefits include:
Wazuh is an open source security solution that offers unified XDR and SIEM protection across several platforms. It protects workloads across on-premises, virtualized, cloud-based, and containerized environments to provide organizations with an effective approach to cybersecurity. Wazuh offers file integrity monitoring (FIM) as one of its capabilities; it also provides other capabilities, such as security configuration assessment and threat detection and response.
The Wazuh FIM capability ensures the following:
FIM, combined with other Wazuh capabilities such as malware detection, vulnerability detection, and Security Configuration Assessment (SCA), enhances threat detection, investigation, and remediation. These capabilities can help streamline your organization’s security compliance efforts.
Users can configure file integrity monitoring to meet the requirements of IT security compliance standards relevant to their organization. The Wazuh FIM can be configured to monitor file addition, deletion, and modification to a file content.
Keeping track of file changes within the organization helps system administrators and security analysts have organization-wide visibility of these changes and tackle security incidents promptly. Once configured, FIM events can be viewed on the Wazuh dashboard.
The Wazuh FIM capability runs a baseline scan and stores the cryptographic checksum and other attributes of monitored files. When a change is made to a monitored file, the FIM compares its checksum and attributes to the baseline. If any discrepancy is identified, an alert will be triggered. Wazuh file integrity monitoring capability tracks details such as the process or user that modified a critical file and when the changes were made. Using the Wazuh FIM capability, organizations can ensure compliance with various sections of regulatory standards such as:
For example, we can configure the Wazuh FIM to monitor the SSH configuration file /etc/ssh/sshd_config file on a Linux endpoint. Malicious actors often target the SSH configuration file to weaken security by changing port numbers or disabling strong ciphers. The Wazuh FIM can detect unauthorized modifications by monitoring changes to this file. The following configuration on a Wazuh agent sets the Wazuh FIM capability to monitor the /etc/ssh/sshd_config file on a monitored endpoint:
<syscheck>
<directories>/etc/ssh/sshd_config</directories>
</syscheck>
The image below shows alerts triggered when alterations are made to the SSH configuration file.
Similarly, the /etc/ufw directory typically contains configuration files for UFW (Uncomplicated Firewall), a popular firewall application in Linux. These files define the rules determining which network traffic is allowed or blocked on your system. An attacker could modify the UFW rules to open ports typically closed by default, allowing unauthorized access to a system or internal network services.
We can configure the Wazuh FIM to monitor the /etc/ufw directory. This is configured by adding the configuration below in the agent configuration file on the monitored endpoint. We also enable the attribute whodata, which records the user that changes a monitored file.
<syscheck>
<directories whodata=”yes”>/etc/ufw</directories>
</syscheck>
The image below shows alerts triggered when alterations are made to the UFW rule files.
The Wazuh FIM capability lets you see the user and process initiating the change. The image below shows this information.
Wazuh provides file integrity monitoring capability to help achieve IT security compliance requirements and mitigate risks. Benefits of using the Wazuh FIM capability include:
Wazuh is an open source security platform that offers free unified XDR and SIEM protection across several platforms. Wazuh also offers complementary capabilities, such as vulnerability detection, security configuration assessment, malware detection, and file integrity monitoring (FIM). Its FIM capability assists organizations in complying with some cybersecurity regulations. The other capabilities also contribute to meeting cybersecurity regulatory compliance requirements, safeguarding an organization’s assets, and enhancing security posture.
Visit our website to learn more about Wazuh.