
Implementing File Integrity Monitoring With Wazuh

File integrity monitoring refers to the process of monitoring files and folders in a system to identify file modification, creation, or deletion. It is important to monitor changes to sensitive files because some changes might be made by unauthorized actors trying to modify these files. An example is the modification of financial records files to hide evidence of fraudulent acts.

Reasons for implementing file integrity monitoring
By using file integrity monitoring tools, it is possible to audit changes made to monitored files and directories on endpoints. This helps concerned stakeholders determine if the changes are authorized and non-malicious. Below are some reasons for implementing file integrity monitoring:

  • Data integrity: It is important to ensure that sensitive organizational data can be relied on. This means that the stored data is not modified or deleted without appropriate approval.
  • Regulatory compliance: Various compliance standards and frameworks require the implementation of file integrity monitoring. For example, PCI DSS requires that a change detection mechanism be used to detect and alert when unauthorized changes are made to critical system files, configuration files, or content files.
  • Improved organizational security: A large number of security breaches that occur are the result of the misconfiguration of services and protocols. In many instances, the configuration of an application or service is saved to a configuration file (for example, the .env file in some web applications and the sshd_config file for the SSH service on Linux-based endpoints). Monitoring this configuration file for changes allows the organization to detect when any change that potentially impacts its security posture is made.

Given that file integrity monitoring is an integral part of the security of an organization, it is necessary to consider the scalability, integration with other security solutions, and reporting capabilities of any file integrity monitoring (FIM) tool under evaluation.

The Wazuh solution

Wazuh is an open source security platform with unified XDR and SIEM protection for endpoints and cloud workloads. Multi-platform Wazuh agents are deployed on endpoints for security data collection, threat detection, and response. The Wazuh server analyzes data collected from the agents and other agentless devices. It can be deployed using the Wazuh cloud solution or on-premises.

The Wazuh platform is vendor agnostic; thus, it does not lock in organizations, and it allows integrations and customizations with other security solutions. Wazuh has various capabilities such as endpoint security, file integrity monitoring, threat intelligence, and security operations. In addition, it has a fast-growing open source security community and exceeds 10 million yearly downloads.

The Wazuh file integrity monitoring module

The Wazuh File Integrity Monitoring (FIM) module is a component of the Wazuh agent that monitors an endpoint filesystem and generates alerts when files are changed. The Wazuh FIM module stores the cryptographic checksum and other attributes of the monitored asset to detect when there is a change in those values. Below are some features of the Wazuh FIM module:

Real-time monitoring

The Wazuh FIM module can monitor files in real time and generate alerts immediately after the cryptographic checksum or other attributes of the monitored asset change. This feature is particularly useful in maintaining the integrity of security configuration files. For example, if the sshd_config file of a critical server is monitored in real time, an alert is generated immediately after a change is detected. This alert can be reviewed to determine how the changes made impact organizational security.

Periodic monitoring

The Wazuh FIM module can perform periodic checks on predetermined files, then compare the results of their present cryptographic checksum and other attributes against the stored values of their last checksum and attributes. An alert will be generated when any changes are identified between the present and past values of the monitored asset. Periodic monitoring is helpful in instances where the contents of a file have to be kept consistent over a period of time.
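To make the checksum-and-attribute comparison concrete, here is an added example (my own Python, not Wazuh code) of the periodic check just described: take a baseline of SHA-256 checksums and file attributes, rescan later, and report creations, deletions, and modifications along with which attributes changed. The directory contents and file names in `demo()` are constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Checksum plus the attributes a FIM baseline typically stores per file."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.filemode(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "mtime": int(st.st_mtime)}


def snapshot(root: str) -> dict:
    """Baseline: relative path -> record for every regular file under root."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): file_record(p)
            for p in sorted(root_path.rglob("*"))
            if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> dict:
    """Periodic check: diff the stored baseline against a fresh scan."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for name in set(baseline) & set(current):
        changed = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
        if changed:
            modified[name] = sorted(changed)   # e.g. ['sha256', 'size']
    return {"added": added, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a temp dir, alter it, then re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "app.env").write_text("DB_PASSWORD=placeholder\n")
        baseline = snapshot(d)
        (root / "sshd_config").write_text("PermitRootLogin yes\n")  # content edited
        (root / "app.env").unlink()                                  # file deleted
        (root / "extra.conf").write_text("new setting\n")            # file created
        return compare(baseline, snapshot(d))
```

In a real deployment the baseline would be persisted (Wazuh keeps it in the agent's local database) and the scan repeated on the configured interval; the attributes compared here are the same kind the text refers to, not Wazuh's exact schema.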

Audit data

The Wazuh FIM module leverages internal audit tools like the Linux Audit subsystem and the Microsoft Windows SACL to determine the user who made the changes and the program that was utilized. This is useful in maintaining accountability and validating if changes made to monitored assets were authorized and performed using approved processes.

Integrations with other tools

Since Wazuh is a SIEM and XDR platform, file integrity monitoring alerts can easily be managed and triaged with other security operations. This allows for unified security event management. Additionally, since Wazuh is open source and vendor agnostic, it supports integrations with other security solutions. For example, Wazuh alerts can be shipped to TheHive for case management.

Reporting

The Wazuh dashboard can generate reports of file integrity audit events, such as users making file changes and endpoints where these changes occurred. These reports are useful for presenting the state of files being monitored and their possible impact on security.

Conclusion

File integrity monitoring is an essential aspect of organizational security. It can improve the security posture of an organization by auditing file changes on monitored endpoints. This allows relevant individuals to determine if changes made are authorized and non-malicious.

With more than 10 million annual downloads and a large support community, Wazuh stands out as a free open source tool with SIEM and XDR capabilities. Additionally, due to its open source nature, it integrates with many other security solutions.


Staff Writer at CPO Magazine