File Integrity Monitoring

File integrity monitoring (FIM) validates the integrity of operating system and application files by comparing their current state (typically a cryptographic hash of the content, along with ownership and permissions) against a known-good baseline. Because it reports any unexpected change to system and software files rather than matching a signature, it detects the effects of both known and unknown threats, which makes it one of the most effective controls for protecting IT infrastructure and business data.

The AlienVault Agent

AlienVault offers the lightweight AlienVault Agent as the recommended option for FIM. See the section on The AlienVault Agent to learn more about the agent.

For systems that do not have the AlienVault Agent installed, you can enable FIM manually on the host itself.

Manual FIM Configuration Options

If you choose not to use the AlienVault Agent for FIM, you can configure FIM manually on your Linux or Windows system.

Manual FIM Configuration for Linux

For Linux systems that do not have the AlienVault Agent installed, you can enable FIM within USM Anywhere by configuring the osquery agent to monitor and report file changes on those systems. The osquery configuration file (typically named osquery.conf) holds the options and scheduled queries that osquery runs. For FIM, it lists the directories to watch in its file_paths section and schedules a query over the file_events table, which records each create, modify, delete or attribute change under those paths together with the file's hash. AlienVault provides a default configuration file that enables FIM for Linux systems in your USM Anywhere environment, identifies system and software file changes, and forwards this information to the USM Anywhere Sensor.

For more information about installing and configuring osquery on your Linux systems, see Linux Log Collection with Osquery.
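As an added example (not from the AlienVault documentation and not AlienVault's default osquery.conf), the script below builds an osquery.conf that enables FIM and then scans osqueryd result-log lines for changes to critical files, the same data the Sensor receives. The configuration keys (options, schedule, file_paths, exclude_paths), the enable_file_events flag and the file_events columns are osquery's own; the watch list, the exclusions, the critical-file set, the query interval and the sample log lines are assumptions constructed for this example.

```python
import json
from typing import Dict, List

# Assumed watch list for osquery's file_paths section. "%%" is osquery's
# recursive wildcard. These paths are chosen for this example; they are not
# copied from the AlienVault-provided osquery.conf.
WATCH_PATHS: Dict[str, List[str]] = {
    "binaries": ["/usr/bin/%%", "/usr/sbin/%%", "/bin/%%", "/sbin/%%"],
    "configuration": ["/etc/%%"],
}

# Files that churn constantly and would otherwise bury real changes (assumed).
EXCLUDE_PATHS: Dict[str, List[str]] = {
    "configuration": ["/etc/mtab", "/etc/resolv.conf"],
}

# Files whose change is always escalated, whatever category they fall in (assumed).
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers", "/usr/bin/ls"}

# file_events actions that mean content or metadata changed; opens and reads are skipped.
CHANGE_ACTIONS = {"CREATED", "UPDATED", "DELETED", "MOVED_FROM", "MOVED_TO",
                  "ATTRIBUTES_MODIFIED"}


def build_osquery_fim_config(watch_paths=WATCH_PATHS, exclude_paths=EXCLUDE_PATHS,
                             interval=300) -> dict:
    """Build the osquery.conf structure that turns on file_events and schedules a
    query over it. The keys are osquery's own; query text and interval are example
    choices."""
    return {
        "options": {
            # The file_events table stays empty unless the events subsystem is enabled.
            "enable_file_events": "true",
            "disable_events": "false",
        },
        "schedule": {
            "file_events": {
                "query": "SELECT target_path, category, action, sha256, time "
                         "FROM file_events;",
                "interval": interval,
                # Event rows are consumed as they are read; "removed" rows carry nothing.
                "removed": False,
            }
        },
        "file_paths": watch_paths,
        "exclude_paths": exclude_paths,
    }


def render_osquery_conf(**kwargs) -> str:
    """Serialize the configuration as osqueryd reads it from osquery.conf."""
    return json.dumps(build_osquery_fim_config(**kwargs), indent=2)


def parse_file_events(result_lines, critical_files=CRITICAL_FILES) -> List[dict]:
    """Scan osquery result-log lines (one JSON object per line, differential
    format) and return one alert per change to a critical file."""
    alerts = []
    for line in result_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Only rows added to the file_events result set are change events.
        if rec.get("name") != "file_events" or rec.get("action") != "added":
            continue
        cols = rec.get("columns", {})
        if cols.get("action") not in CHANGE_ACTIONS:
            continue
        if cols.get("target_path") in critical_files:
            alerts.append({
                "host": rec.get("hostIdentifier", ""),
                "path": cols["target_path"],
                "change": cols["action"],
                "sha256": cols.get("sha256", ""),
                "time": int(cols.get("time", "0")),
            })
    return alerts


# Constructed sample of osqueryd.results.log lines in the shape the filesystem
# logger writes them; hashes shortened for readability.
SAMPLE_RESULT_LINES = [
    '{"name":"file_events","hostIdentifier":"web01","unixTime":1704708000,'
    '"columns":{"target_path":"/etc/passwd","category":"configuration",'
    '"action":"UPDATED","sha256":"9f86d081","time":"1704707990"},"action":"added"}',
    '{"name":"file_events","hostIdentifier":"web01","unixTime":1704708000,'
    '"columns":{"target_path":"/etc/ssh/sshd_config","category":"configuration",'
    '"action":"OPENED","sha256":"","time":"1704707991"},"action":"added"}',
    '{"name":"file_events","hostIdentifier":"web01","unixTime":1704708000,'
    '"columns":{"target_path":"/usr/bin/ls","category":"binaries",'
    '"action":"UPDATED","sha256":"ba7816bf","time":"1704707995"},"action":"added"}',
]

if __name__ == "__main__":
    print(render_osquery_conf())
    for alert in parse_file_events(SAMPLE_RESULT_LINES):
        print(alert)
```

Two points worth checking on a real host: without enable_file_events the file_events table is silently empty, so a configuration that "works" but never reports a change usually has that flag missing; and recursive watches on large trees consume inotify watches, so raise fs.inotify.max_user_watches if osquery logs that it could not add watches.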

Manual FIM Configuration for Windows

For Windows systems that do not have the AlienVault Agent installed, you can use FIM to identify changes to system files, folders and the Windows registry. To do so, you configure the host so that USM Anywhere can see Windows audit object access events: enable the Audit Object Access audit policy (the File System subcategory for files and folders, the Registry subcategory for registry keys) and place a system access control list (SACL) on each file, folder or key you want tracked. Windows writes an object access event only for objects that carry a SACL, so with the policy enabled but no SACL configured nothing is logged. Audit write, delete and permission-change access rather than reads, or the Security log fills with noise from ordinary file access. After the policy change is applied, the events (4663, an attempt was made to access an object; 4657, a registry value was modified) appear in the Windows Security log, and NXLog forwards them to the USM Anywhere Sensor.

See NXLog CE for Windows Hosts for detailed information about using NXLog to forward these events.
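As an added example, not part of the AlienVault documentation or of NXLog's shipped configuration, the script below reads object access events in the JSON-per-line form an NXLog pipeline with a JSON output would forward them and keeps only the write-like changes to watched paths, which is the filtering a FIM consumer of this feed needs. The field names (ObjectName, AccessMask, SubjectUserName, ProcessName, ObjectValueName, OldValue, NewValue) are the EventData fields of events 4663 and 4657; the sample events, the watched prefixes, the EventTime format and the exact JSON layout are constructed assumptions for this example.

```python
import json
from typing import List

# ACCESS_MASK bits that mean the object was modified rather than read. Read-only
# bits (ReadData 0x1, ReadAttributes 0x80, ...) are left out on purpose so that
# ordinary reads of a watched file do not become FIM findings.
WRITE_LIKE_ACCESS = {
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x10: "WriteEA",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# Assumed watch list: only 4663 events for objects under these folders matter.
WATCHED_PREFIXES = [r"C:\Windows\System32", r"C:\Program Files"]


def decode_access_mask(mask: str) -> List[str]:
    """Map the hex AccessMask string of a 4663 event to the write-like rights it holds."""
    value = int(mask, 16)
    return [name for bit, name in WRITE_LIKE_ACCESS.items() if value & bit]


def parse_object_access_events(lines, watched_prefixes=WATCHED_PREFIXES) -> List[dict]:
    """Return one finding per write-like file access under a watched path (4663)
    and per registry value modification (4657); everything else is dropped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("Channel") != "Security":
            continue
        event_id = int(ev.get("EventID", 0))
        if event_id == 4663:  # An attempt was made to access an object
            obj = ev.get("ObjectName", "")
            rights = decode_access_mask(ev.get("AccessMask", "0x0"))
            if not rights:
                continue  # read-only access: not a change
            if not any(obj.lower().startswith(p.lower()) for p in watched_prefixes):
                continue
            findings.append({"event_id": 4663, "object": obj, "change": rights,
                             "user": ev.get("SubjectUserName", ""),
                             "process": ev.get("ProcessName", ""),
                             "time": ev.get("EventTime", "")})
        elif event_id == 4657:  # A registry value was modified
            findings.append({"event_id": 4657, "object": ev.get("ObjectName", ""),
                             "value": ev.get("ObjectValueName", ""),
                             "old": ev.get("OldValue", ""), "new": ev.get("NewValue", ""),
                             "user": ev.get("SubjectUserName", ""),
                             "process": ev.get("ProcessName", ""),
                             "time": ev.get("EventTime", "")})
    return findings


# Constructed sample events: a write to the hosts file, a read of the same file,
# a write outside the watched paths, and a new Run-key value.
SAMPLE_EVENTS = [
    r'{"EventTime":"2024-01-08 10:00:01","Channel":"Security","EventID":4663,'
    r'"SubjectUserName":"alice","ObjectType":"File",'
    r'"ObjectName":"C:\\Windows\\System32\\drivers\\etc\\hosts","AccessMask":"0x2",'
    r'"ProcessName":"C:\\Windows\\System32\\notepad.exe"}',
    r'{"EventTime":"2024-01-08 10:00:02","Channel":"Security","EventID":4663,'
    r'"SubjectUserName":"svc-backup","ObjectType":"File",'
    r'"ObjectName":"C:\\Windows\\System32\\drivers\\etc\\hosts","AccessMask":"0x1",'
    r'"ProcessName":"C:\\Program Files\\Backup\\agent.exe"}',
    r'{"EventTime":"2024-01-08 10:00:03","Channel":"Security","EventID":4663,'
    r'"SubjectUserName":"alice","ObjectType":"File",'
    r'"ObjectName":"C:\\Users\\alice\\notes.txt","AccessMask":"0x2",'
    r'"ProcessName":"C:\\Windows\\System32\\notepad.exe"}',
    r'{"EventTime":"2024-01-08 10:00:04","Channel":"Security","EventID":4657,'
    r'"SubjectUserName":"alice",'
    r'"ObjectName":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",'
    r'"ObjectValueName":"Updater","OldValue":"","NewValue":"C:\\Temp\\update.exe",'
    r'"ProcessName":"C:\\Windows\\regedit.exe"}',
]

if __name__ == "__main__":
    for finding in parse_object_access_events(SAMPLE_EVENTS):
        print(finding)
```

The read of the hosts file (AccessMask 0x1) is dropped even though the file is watched, which is the same decision you make when writing the SACL: auditing read access on system folders produces far more events than any analyst can use, while write, delete and DAC/owner changes are exactly what FIM is after.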