This chapter covers File Integrity Monitoring (FIM), a critical security control that detects unauthorized changes to files and system configurations. For the SY0-701 exam, FIM falls under Domain 4.0 (Security Operations), Objective 4.9: 'Given a scenario, implement and use appropriate controls to ensure asset integrity.' Understanding FIM is essential for compliance frameworks like PCI DSS and for detecting malware, ransomware, and insider threats that modify files. This chapter will explain how FIM works, its key components, deployment strategies, and how to interpret FIM alerts in a SOC environment.
Jump to a section
Imagine a museum housing priceless paintings. The security guard doesn't just watch the entrance; he has a photographic memory of every brushstroke on every canvas. Each night, he walks the gallery with his mental catalog, comparing each painting to his memory. If a painting has been subtly altered—a slightly different shade of blue, a missing brushstroke—he immediately notices and triggers an alarm. This is exactly how File Integrity Monitoring works. The guard's mental catalog is the baseline cryptographic hash (e.g., SHA-256) of each file. His nightly walk is the scheduled integrity scan. The alarm is the alert sent to the SIEM. Attackers might try to modify the guard's memory (replace the baseline), but if the baseline is stored offline or in a write-protected database, they can't. The guard also checks the frame for tampering (file permissions), not just the painting. This analogy highlights that FIM detects unauthorized changes by comparing current file state to a trusted baseline, just as the guard detects changes to the paintings by comparing to his trusted memory. The guard's effectiveness depends on the integrity of his memory—just as FIM depends on the integrity of the baseline.
What is File Integrity Monitoring (FIM)?
File Integrity Monitoring (FIM) is a security control that monitors and detects changes to files, directories, and system configurations. It creates a baseline of known-good file states (typically using cryptographic hashes) and periodically rechecks files to identify any deviations. FIM is a foundational control for compliance (e.g., PCI DSS Requirement 11.5) and for detecting unauthorized modifications, such as those made by malware, attackers, or insider threats.
How FIM Works Mechanically
The FIM process follows these steps: 1. Baseline Creation: During initial deployment, FIM scans designated files/directories and computes a cryptographic hash (e.g., SHA-256) for each file. It also records metadata like file size, permissions, and last modified timestamp. This baseline is stored in a secure, often immutable, database. 2. Scheduled Scanning: At regular intervals (e.g., hourly, daily), FIM rescans the same files and recomputes hashes. 3. Comparison: The new hashes are compared to the baseline. If any hash differs, or if metadata changes (e.g., permissions changed from 644 to 755), FIM generates an alert. 4. Alerting & Response: The alert is sent to a SIEM or SOC. Analysts investigate the change to determine if it was authorized (e.g., a software update) or unauthorized (e.g., malware modification).
Key Components and Variants
Agent-based FIM: Software installed on endpoints (e.g., OSSEC, Tripwire, Wazuh). Agents perform local scans and report to a central server.
Agentless FIM: Scans performed remotely via protocols like SSH, WMI, or SNMP. Common for network devices or cloud instances.
Kernel-level vs. User-level: Kernel-level FIM (e.g., Linux Auditd) monitors system calls for file modifications in real-time. User-level FIM (e.g., Tripwire) scans files periodically.
Integrity Measurement Architecture (IMA): A Linux kernel subsystem that measures file integrity at runtime and stores measurements in Trusted Platform Module (TPM) for attestation.
Standards and Compliance
PCI DSS v4.0 Requirement 11.5.1: 'Deploy a change-detection mechanism (e.g., file integrity monitoring) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.'
NIST SP 800-53 Rev. 5: Control SI-7 (Software, Firmware, and Integrity Verification) requires integrity verification tools.
CIS Benchmarks: Many benchmarks recommend FIM for critical files.
Attack Vectors and Countermeasures
Attackers may attempt to bypass FIM by: - Modifying the baseline: If the baseline database is writable, an attacker could replace hashes to match malicious files. Countermeasure: Store baseline on read-only media or in a database with strict access controls. - Disabling the FIM agent: Attackers may stop the agent service. Countermeasure: Use agent self-protection (e.g., Tripwire's kernel module) and monitor agent heartbeats. - Timing attacks: Attackers modify files between scans. Countermeasure: Use real-time FIM (e.g., Linux inotify, Windows Change Journal) or increase scan frequency. - Hash collision attacks: Though SHA-256 collisions are not feasible, older algorithms like MD5 or SHA-1 are vulnerable. Countermeasure: Use SHA-256 or stronger.
Real Command/Tool Examples
Linux: Using `sha256sum` to manually verify integrity
sha256sum /etc/passwd > baseline.txt
# Later:
sha256sum -c baseline.txtWazuh (Open Source FIM)
Configuration snippet for monitoring /etc:
<syscheck>
<directories check_all="yes">/etc</directories>
<frequency>3600</frequency>
</syscheck>Windows: Using `Get-FileHash` in PowerShell
Get-FileHash C:\Windows\System32\drivers\etc\hosts | Format-ListIntegration with SIEM
FIM tools typically forward alerts via syslog or API to SIEM platforms (e.g., Splunk, ELK). Alerts include:
File path
Old hash vs new hash
User or process that made the change
Timestamp
Challenges
False positives: Frequent authorized changes (e.g., log files, temporary files) can overwhelm analysts. Solution: Exclude known-changing files or use whitelisting.
Performance impact: Frequent scanning of large filesystems can degrade performance. Solution: Use real-time monitoring only for critical files.
Baseline drift: Over time, authorized updates change files; baselines must be updated. Solution: Implement a change management process to update baselines after approved changes.
Identify Critical Assets and Files
Begin by identifying which files and directories are critical to the organization's security posture. This includes operating system binaries (e.g., /bin, /usr/bin on Linux; C:\Windows\System32 on Windows), configuration files (e.g., /etc/passwd, /etc/shadow, registry hives), application binaries, web server content, and compliance-mandated files (e.g., PCI DSS cardholder data environments). Document the business justification for each monitored path to reduce noise.
Establish a Trusted Baseline
Deploy the FIM tool and perform an initial scan of the selected paths. The tool computes cryptographic hashes (typically SHA-256) and records metadata. This baseline must be captured from a known-good state, ideally immediately after a clean OS installation or after applying all authorized patches. Store the baseline in a secure, immutable location (e.g., a read-only database, separate server, or signed file). The baseline integrity is paramount; if compromised, all subsequent alerts are meaningless.
Configure Scan Frequency and Real-Time Monitoring
Set the scan interval based on risk and performance. Critical files (e.g., system binaries) may be monitored in real-time using kernel hooks (e.g., Linux inotify, Windows Change Journal). Non-critical files can be scanned hourly or daily. Ensure the scan schedule aligns with compliance requirements (e.g., PCI DSS requires at least weekly). Also configure exclusions for files that change frequently and legitimately (e.g., log files, temporary directories).
Integrate with SIEM and Define Alerting Rules
Configure the FIM tool to forward alerts to the SIEM (e.g., Splunk, ELK, Azure Sentinel). Each alert should include: file path, old and new hash, timestamp, and the user or process that triggered the change (if available). Define alert severity levels: Informational for authorized changes (e.g., patch updates), Warning for unexpected changes to non-critical files, and Critical for changes to system binaries or sensitive configuration files. Create correlation rules to detect patterns (e.g., multiple changes within a short timeframe).
Establish Incident Response Procedures for FIM Alerts
When an alert fires, the SOC analyst must determine if the change is authorized. Steps: (1) Check the change management system for a corresponding change request. (2) Verify the file's current hash against the baseline; if it matches, the alert may be a false positive due to baseline drift. (3) Use forensic tools to examine file metadata and timeline. (4) If unauthorized, isolate the affected system, preserve evidence, and initiate incident response. Common mistakes: ignoring alerts that coincide with patching cycles, or failing to update baselines after approved changes, leading to alert fatigue.
Scenario 1: Ransomware Detection
A SOC analyst receives a FIM alert from an endpoint protection platform indicating that multiple .docx files in a user's Documents folder have changed hashes within minutes. The analyst checks the SIEM and sees that the changes originated from a process named 'encryptor.exe' running from a temp directory. The analyst immediately isolates the endpoint using the EDR tool and initiates ransomware response procedures. The FIM alert was the first indicator of compromise, detected before the ransomware could encrypt network shares. The correct response was to act on the alert quickly; a common mistake would be to dismiss it as a false positive because the user was actively working on documents.
Scenario 2: Insider Threat Modification of a Configuration File
A FIM alert on a critical web server shows that the file /etc/httpd/conf/httpd.conf has been modified. The analyst checks the change management system and finds no corresponding ticket. Further investigation reveals that the change was made by a system administrator who added a redirect to a malicious site. The analyst escalates to the incident response team, and the administrator is interviewed. The FIM tool's logging showed the exact time and user account that made the change. The common mistake here would be to assume that all administrator actions are authorized; FIM provides the necessary audit trail to detect malicious insiders.
Scenario 3: Compliance Audit Preparation
A company undergoing a PCI DSS audit must demonstrate that FIM is in place for all cardholder data environments. The security team deploys a FIM solution scanning all servers handling credit card data. They configure weekly scans and store baselines in a write-protected database. During the audit, the assessor reviews FIM reports and verifies that alerts are being reviewed. The team shows a documented process for updating baselines after authorized changes. The common mistake is failing to update baselines after software updates, causing false positives that lead to alert fatigue and missed real threats.
What SY0-701 Tests on FIM
The exam focuses on the purpose and application of FIM as an integrity control. Key sub-objectives: (1) Understanding that FIM detects unauthorized changes to files and configurations. (2) Knowing that FIM uses cryptographic hashing (SHA-256 recommended) to create baselines. (3) Recognizing that FIM is required by compliance frameworks like PCI DSS. (4) Differentiating FIM from other controls like HIDS (which may include FIM but also monitors network traffic and system logs).
Common Wrong Answers and Why Candidates Choose Them
'FIM prevents malware infections' — Wrong. FIM detects changes after they occur; it does not prevent initial infection. Candidates confuse detection with prevention.
'FIM uses encryption to protect files' — Wrong. FIM uses hashing, not encryption. Hashing is one-way; encryption is reversible. Candidates mix up integrity and confidentiality.
'FIM is only for Windows systems' — Wrong. FIM is OS-agnostic; it works on Linux, macOS, and network devices. Candidates may associate FIM with Windows-only tools like Sysmon.
'FIM replaces antivirus' — Wrong. FIM and antivirus serve different purposes; antivirus detects known malware signatures, while FIM detects any unauthorized change. They are complementary.
Key Terms and Acronyms
Baseline: Known-good state of a file (hash + metadata).
Hash: Cryptographic digest (e.g., SHA-256, SHA-1, MD5).
PCI DSS: Payment Card Industry Data Security Standard, requires FIM.
Tripwire: Legacy FIM tool, often referenced in exam questions.
OSSEC: Open-source HIDS with FIM capabilities.
Wazuh: Fork of OSSEC, integrates with SIEM.
Trick Questions
'Which control detects unauthorized changes to configuration files?' Answer: FIM. But candidates might choose 'auditing' or 'logging'. Auditing records events but does not compare to a baseline; FIM specifically compares current state to a known good state.
'Which of the following is used to create a baseline for FIM?' Options: symmetric encryption, asymmetric encryption, hashing, digital signature. Answer: hashing. Candidates might pick digital signature, but digital signatures are used for authentication and non-repudiation, not for baseline comparison.
Decision Rule for Eliminating Wrong Answers
On scenario questions, if the question describes detecting changes to files or configurations, the answer is FIM. If the question describes preventing changes (e.g., using file permissions or ACLs), the answer is not FIM. If the question mentions 'comparing current state to a known good state', it's FIM. If it mentions 'recording who changed what', it's auditing.
FIM detects unauthorized file changes by comparing current cryptographic hashes to a trusted baseline.
The baseline must be stored in a secure, immutable location to prevent tampering.
Use SHA-256 or stronger hashing; avoid MD5 and SHA-1 due to collision vulnerabilities.
PCI DSS v4.0 Requirement 11.5.1 mandates FIM for critical files in cardholder data environments.
FIM is a detective control, not preventive; it detects changes after they occur.
Common FIM tools include Tripwire, OSSEC, Wazuh, and Windows File Server Resource Manager (FSRM).
Real-time FIM uses kernel-level monitoring (e.g., Linux inotify, Windows Change Journal).
FIM alerts should be correlated with change management records to reduce false positives.
FIM is often a component of a broader HIDS but is a distinct control focused on file integrity.
Attackers may try to disable FIM agents or modify baselines; use agent self-protection and access controls.
These come up on the exam all the time. Here's how to tell them apart.
File Integrity Monitoring (FIM)
Detects changes to files and configurations using baseline hashes
Focuses on file integrity only
Uses cryptographic hashing (e.g., SHA-256)
Generates alerts on hash mismatch
Example tools: Tripwire, OSSEC (FIM component), Wazuh
Host Intrusion Detection System (HIDS)
Detects a wider range of host-level intrusions (network connections, processes, logs)
Monitors system calls, network traffic, and file integrity
May use signature-based or anomaly-based detection
Generates alerts on suspicious behavior
Example tools: OSSEC (full HIDS), Snort (network-based), Suricata
Mistake
FIM can prevent file changes from occurring.
Correct
FIM is a detective control, not a preventive control. It detects changes after they happen. Prevention is achieved through permissions, access controls, and file system protections.
Mistake
FIM is only necessary for compliance, not security.
Correct
Mistake
Any hashing algorithm is suitable for FIM baselines.
Correct
Weak algorithms like MD5 and SHA-1 are vulnerable to collision attacks. The exam recommends SHA-256 or stronger for integrity verification.
Mistake
FIM generates too many false positives to be useful.
Correct
Proper configuration (exclusions, whitelisting, and change management integration) can reduce false positives. Without tuning, FIM can be noisy, but that is a configuration issue, not a flaw in the concept.
Mistake
FIM is the same as a host intrusion detection system (HIDS).
Correct
FIM is a component of HIDS, but HIDS is broader—it may also monitor system logs, network connections, and processes. Some HIDS tools include FIM, but FIM itself is specific to file integrity.
FIM is a subset of HIDS. HIDS (Host Intrusion Detection System) monitors multiple aspects of a host, including file integrity, system logs, network connections, and process behavior. FIM specifically focuses on detecting changes to files and directories by comparing hashes to a baseline. On the exam, if a question mentions 'monitoring file changes', the answer is FIM; if it mentions 'monitoring system calls and network connections', the broader answer is HIDS.
There is no universal frequency; it depends on risk and compliance. PCI DSS requires at least weekly scans. Critical systems may require hourly scans or real-time monitoring using kernel hooks. The exam may ask about 'weekly' scans as a PCI DSS requirement. For high-security environments, real-time FIM is recommended for critical files.
A baseline is a snapshot of the known-good state of a file or directory, including its cryptographic hash (e.g., SHA-256), file size, permissions, and timestamps. The baseline is created during initial deployment or after an authorized change. FIM compares current file attributes to the baseline to detect unauthorized modifications.
FIM primarily monitors files on disk. Fileless malware operates in memory and may not write files to disk, so traditional FIM may not detect it. However, some FIM tools can monitor registry changes or WMI persistence mechanisms. For fileless attacks, additional controls like endpoint detection and response (EDR) and memory analysis are needed.
MD5 is vulnerable to collision attacks, where two different inputs produce the same hash. An attacker could create a malicious file with the same MD5 hash as a legitimate file, bypassing FIM detection. SHA-256 is collision-resistant and is the current standard for integrity verification. The exam emphasizes using strong hashing algorithms like SHA-256.
First, verify if the change was authorized by checking the change management system. If authorized, update the baseline to reflect the new hash. If unauthorized, isolate the affected system, preserve evidence (file, logs), and initiate incident response. Document the investigation. A common mistake is to ignore alerts that coincide with patching cycles; always verify.
No, FIM should be applied to critical files and directories only. Monitoring all files would generate excessive noise and degrade performance. Focus on OS binaries, configuration files, application binaries, and compliance-mandated files. Exclude log files, temporary directories, and user data that changes frequently.
You've just covered File Integrity Monitoring (FIM) — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?