File Integrity Monitoring

File integrity monitoring (FIM) can be used to detect changes to files and directories. A file may be altered due to an update to a newer version, a security breach, or data corruption. File integrity monitoring helps an organization respond quickly and effectively to unexpected changes to files and is therefore a standard requirement for many regulatory compliance objectives.

  • PCI-DSS compliance - Payment Card Industry Data Security Standard (Requirement 11.5)

  • SOX compliance - Sarbanes-Oxley Act (Section 404)

  • NERC CIP compliance - NERC CIP Standard (CIP-010-2)

  • FISMA compliance - Federal Information Security Management Act (NIST SP800-53 Rev3)

  • HIPAA compliance - Health Insurance Portability and Accountability Act of 1996 (NIST Publication 800-66)

  • SANS compliance - SANS Critical Security Controls (Control 3)

NXLog can be configured to provide file (or Windows Registry) integrity monitoring. An event is generated for each detected modification. These events can then be used to generate alerts or be forwarded for storage and auditing.

There are various ways that monitoring can be implemented; these fall into two categories.

Checksum Monitoring

The im_fim and im_regmon modules (available with NXLog Enterprise Edition only) provide monitoring based on a cryptographic checksums. On the first run (when a file set or the registry is in a known secure state), a database of checksums is created. Subsequent scans are performed at regular intervals, and the checksums are compared. When a change is detected, an event is generated.

  • The im_fim module is platform independent, available on all platforms supported by NXLog, and has no external dependencies. Similarly, the im_regmon module requires no configuration outside of NXLog to monitor the Windows Registry.

  • If there are multiple changes between two scans, only the cumulative effect is logged. For example, if a file is deleted and a new file is created in its place before the next scan occurs, a single modification event will be generated.

  • It is not possible to detect which user made a change because the filesystem/registry does not provide that information, and there may be multiple changes by different users between scans.

Real-Time Monitoring

Files (and the Windows Registry) can also be monitored in real-time with the help of kernel-level auditing, which does not require periodic scanning. This type of monitoring is platform specific.

  • Kernel-level monitoring usually provides improved performance, especially for large file sets.

  • All events are logged; the granularity of reporting is not limited by the scan interval (because there is no scanning involved).

  • Reported events may be very detailed, and usually include information about which user made the change.

See the following sections for details about setting up file integrity monitoring on various platforms.

File integrity monitoring on Linux

Checksum monitoring on Linux can be configured with the im_fim module of NXLog.

NXLog must have permission to read the files that are to be monitored. Run NXLog as root, make sure the nxlog user or group has permission to read the files, or change the user/group under which NXLog runs. See the User and Group directives.

Example 1. Using im_fim on Linux

This configuration uses im_fim to monitor a common set of system directories containing configuration, executables, and libraries. The RIPEMD-160 hash function is selected and the scan interval is set to 3,600 seconds (1 hour).

nxlog.conf
<Input fim>
    Module          im_fim
    File            "/bin/*"
    File            "/etc/*"
    File            "/lib/*"
    File            "/opt/nxlog/bin/*"
    File            "/opt/nxlog/lib/*"
    File            "/sbin/*"
    File            "/usr/bin/*"
    File            "/usr/sbin/*"
    Exclude         "/etc/hosts.deny"
    Exclude         "/etc/mtab"
    Digest          rmd160
    Recursive       TRUE
    ScanInterval    3600
</Input>

NXLog will report scan activity in its internal log.

Internal Log
2017-06-14 11:44:53 INFO Module 'fim': FIM scan started
2017-06-14 11:45:00 INFO Module 'fim': FIM scan finished in 7.24 seconds. Scanned folders: 833 Scanned files: 5081 Read file bytes: 379166339
Output Sample
{
  "EventTime": "2017-06-14 11:57:33",
  "Hostname": "ubuntu-xenial",
  "EventType": "CHANGE",
  "Object": "FILE",
  "PrevFileName": "/etc/ld.so.cache",
  "PrevModificationTime": "2017-06-14 11:20:47",
  "FileName": "/etc/ld.so.cache",
  "ModificationTime": "2017-06-14 11:56:55",
  "PrevFileSize": 46298,
  "FileSize": 46971,
  "DigestName": "rmd160",
  "PrevDigest": "1dbe24a108c044153d8499f073274b7ad5507119",
  "Digest": "ec0bc108b7c9e5d9eafde9cb1407b91e618d24c4",
  "EventReceivedTime": "2017-06-14 11:57:33",
  "SourceModuleName": "fim",
  "SourceModuleType": "im_fim"
}

See the Linux Audit System chapter for details about setting up kernel-level auditing. It is even possible to combine the im_fim and im_linuxaudit modules for redundant monitoring.

File integrity monitoring on Windows

The im_fim module of NXLog can be used on Windows for monitoring a file set.

Example 2. Using im_fim on Windows

This configuration monitors the program directories for changes. The scan interval is set to 1,800 seconds (30 minutes). The events generated by NXLog are similar to those shown in Using im_fim on Linux.

nxlog.conf
<Input fim>
    Module          im_fim
    File            'C:\Program Files\*'
    File            'C:\Program Files (x86)\*'
    Exclude         'C:\Program Files\nxlog\data\*'
    Recursive       TRUE
    ScanInterval    1800
</Input>
Example 3. Using im_regmon on Windows

The Windows Registry can be monitored with the im_regmon module. This configuration monitors all registry keys in the specified path. The keys are scanned every 60 seconds.

nxlog.conf
<Input registry>
    Module          im_regmon
    RegValue        'HKLM\Software\Policies\*'
    Recursive       TRUE
    ScanInterval    60
</Input>

NXLog will report scan activity in its internal log.

Internal Log
2020-02-26 22:08:32 INFO Module 'in': Registry scan finished in 0.08 seconds. Scanned registry keys: 337 Scanned registry values: 1250 Read value bytes: 106866
Output Sample
{
  "EventTime": "2018-01-31 04:01:12",
  "Hostname": "WINAD",
  "EventType": "CHANGE",
  "RegistryValueName": "HKLM\\Software\\Policies\\Microsoft\\TPM\\OSManagedAuthLevel",
  "PrevValueSize": 4,
  "ValueSize": 4,
  "DigestName": "SHA1",
  "PrevDigest": "0aaf76f425c6e0f43a36197de768e67d9e035abb",
  "Digest": "3c585604e87f855973731fea83e21fab9392d2fc",
  "Severity": "WARNING",
  "SeverityValue": 3,
  "EventReceivedTime": "2018-01-31 04:01:12",
  "SourceModuleName": "registry",
  "SourceModuleType": "im_regmon",
  "MessageSourceAddress": "10.8.0.121"
}
Example 4. Extended Hive Key Paths to Monitor

The following example uses the im_regmon module to monitor a list of hive key paths listed in documents such as the MITRE ATT&CK framework and the JP/CERT Lateral Movements. This list can be modified as and when needed.

When running a custom list, make sure to double check the internal log for the appropriate number of keys and values that are being scanned.

nxlog.conf
<Input extend_regmon_rules>
    Module          im_regmon
    Recursive       TRUE
    ScanInterval    30

    RegValue "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*"
    RegValue "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
              File Execution Options\*"
    RegValue "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security\*"
    RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\*"
    RegValue "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute"
    RegValue "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Control
              Panel\NameSpace\*"
    RegValue "HKLM\SYSTEM\ControlSet001\Enum\STORAGE\VolumeSnapshot"
    RegValue "HKLM\SYSTEM\ControlSet001\Services\VSS\*"
    RegValue "HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce"
    RegValue "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\*"
    RegValue "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*"
    RegValue "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\*"
    RegValue "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    RegValue "HKLM\Software\Policies\*"
</Input>
Real-time Monitoring on Windows

Real-time monitoring can be implemented with Windows security auditing (see Security auditing on Microsoft Docs). Sysmon also implements file and registry monitoring with a system service and device driver; see the Sysmon chapter. In both cases, the generated events can be collected from the Windows Event Log with the im_msvistalog module (see the Windows Event Log chapter).

Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 17 September 2018