File Integrity Monitoring (FIM) With Atomic OSSEC – Watch the Demo Video
By Scott Shinn
A file integrity monitoring (FIM) system performs the crucial role of detecting system and file changes and determining the who, what, and where. FIM is a requirement of many security and privacy system integrity (SI) standards and regulations and an early warning system for when an intruder or malware strikes.
File integrity monitoring (FIM) is the ability to detect changes and report who made those changes in the environment. The following video demonstrates a proactive intrusion detection system powered by advanced FIM that reaches across server and desktop operating systems, and cloud and container environments to protect systems, files, and data from intrusion and malware.
For the full story, watch the video on the Atomic FIM page.
In the video demonstration, I am using a Linux system, but we can also put Atomic OSSEC agents with file integrity monitoring on other platforms such as AIX and Windows, and in some cases we can also monitor over a network connection without an agent.
The UI includes a standard directory of what you’ll want to monitor, and you can configure it to watch endpoint components in three different ways, one per setting.
Real-Time FIM
The first setting is real-time FIM, and with this you can detect changes as they happen. This is not a timer-based model; it is a real-time model. That means that when a change happens the FIM can detect it within a millisecond and alert you to file intrusion.
Schedule a personal demo, or watch the video where we detect changes to a Linux operating system as they occur. Visit the Atomicorp file integrity monitoring (FIM) page.
FIM Reporting
Reporting means tracking changes. Think of this as a real-time backup system in which backup copies of altered files are made. Atomic OSSEC FIM reporting enables you to see what changed and to keep copies of the file before and after the change.
FIM: A Leading Role in ‘Who Done It’
The ‘Who’ setting category means exactly that: it tells us who did it, what did it, what the parent process was, and where the change was run from. All of these data points combine to establish what changed in your ecosystem, because as many of them as possible are needed to determine whether or not the change was legitimate.
See Atomic OSSEC FIM and intrusion protection in action.
The system also provides a user interface to support a variety of other capabilities.
- Manage FIM centrally. From a central management UI, direct agents to watch all of your directories.
- Get an alert. FIM is more alert-oriented than file activity monitoring. FIM is also broader: it scans system files, workstations, databases, and operating systems, analyzes the results, and generates alerts.
- Select to ignore something that is a known false positive, or configure additional alerts.
- See what changed in the UI, or look at it in the front end, where you can filter and step through all of the actions.
- Capture a new file that has been added to the system, showing the who data (see Figure 1).
- Detect a swap or .swp file being deleted, and view it.
Figure 1. FIM Event Detail
The FIM Event Detail includes:
- What changed
- Change attributes, such as differences in file size
- Where the change was run or initiated from
- The parent process ID
- The process names—for example, sudo
- The user name
- And, of course, helpful file comparisons of what was the hash before and what was the hash after.
Command Line FIM
If we move to the command line, we can see this file integrity monitoring (FIM) running live.
You can also see malware being detected in the background. This is malware memory analysis, and it is not a processing hog: the analysis is performed on a hub server. The view also shows me the changes to individual lines in the file (see Figure 2).
Figure 2. Command Line FIM
We render in human-readable and also a JSON format. And you can ingest this data into our Atomic OSSEC detection and response solution, and can also use it in our Atomic Protector SIEM or another SIEM platform like OpenSearch or Splunk.
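To make the FIM Event Detail fields above concrete (what changed, size before and after, hash before and after), here is an added illustration of the baseline-and-compare logic behind file integrity monitoring; it is example code written for this page, not Atomic OSSEC's own implementation, and the directory tree it inspects is constructed inside the function rather than read from a real system. Who-data (user, parent process) comes from the OS audit layer and is not reproduced here.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    # SHA-256 of the file, read in chunks so large files are not loaded whole
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    # Baseline: relative path -> size and hash for every regular file under root
    return {str(p.relative_to(root)): {"size": p.stat().st_size, "sha256": hash_file(p)}
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(before: dict, after: dict) -> list:
    # One event per added, modified or deleted file, with before/after size and hash
    events = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old is None:
            change = "added"
        elif new is None:
            change = "deleted"
        elif old["sha256"] != new["sha256"]:
            change = "modified"
        else:
            continue  # unchanged: nothing to alert on
        events.append({"path": path, "change": change,
                       "size_before": old["size"] if old else None,
                       "size_after": new["size"] if new else None,
                       "hash_before": old["sha256"] if old else None,
                       "hash_after": new["sha256"] if new else None})
    return events

def demo() -> list:
    # Constructed sample tree (hypothetical content): baseline it, alter it, return the events
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = snapshot(root)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n203.0.113.5 mirror\n")  # modified
        (root / "etc" / "motd").unlink()                                                  # deleted
        (root / "etc" / "rc.local").write_text("#!/bin/sh\n")                             # added
        return diff_snapshots(baseline, snapshot(root))
```

Each event is a plain dictionary, so `json.dumps(demo())` yields the same record in the JSON shape a SIEM would ingest.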
Learn more about us at Atomicorp.com.
FIM for PCI DSS, CIS, NIST 800-53 SI-7, and Other Standards and Regulations
The file integrity monitoring (FIM) in Atomic OSSEC is a crucial part of meeting regulatory requirements and standards. FIM is a requirement, not merely a need. The CIS, PCI DSS, NIST, and FISMA frameworks and regulations require file integrity monitoring explicitly. To meet HIPAA and GDPR performance requirements, you’ll need FIM, too.
Find out why organizations and federal agencies trust Atomic OSSEC file integrity monitoring.