File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.” If FIM detects that files have been altered, updated, or compromised, FIM can generate alerts to ensure further investigation, and if necessary, remediation, takes place. File integrity monitoring encompasses both reactive (forensic) auditing as well as proactive, rules-based active monitoring.
Companies can leverage the control to supervise static files for suspicious modifications such as adjustments to their IP stack and email client configuration. As such, FIM is useful for detecting malware as well as achieving compliance with regulations like the Payment Card Industry Data Security Standard (PCI DSS).
FIM is important for Windows-based environments as well as for Linux and Unix systems. Windows uses the registry for most of its configuration, combined with the Win32 API, which is a tightly controlled and restricted area. In Linux and Unix environments, configurations are much more exposed as part of the overall file system. This makes Linux and Unix more vulnerable to direct attacks and hacked binary executables. Updating and replacing core files in Linux or Unix means that attackers can easily inject malicious code.
File integrity monitoring examines various aspects of a file to create a “digital fingerprint.” It then compares this fingerprint to a known, good baseline fingerprint. While native auditing tools exist, these generally all suffer from shortcomings, such as decentralized storage of the security logs from multiple domain controllers, lack of information within the log entry regarding the old settings, and inability to recover the object/configuration from the audit log, to name few. For these reasons, organizations with moderately to highly complex IT environments generally rely on proven enterprise solutions.
FIM can be carried out on a continual, snapshot, or regular basis. It can happen randomly, or to any other rules that the security team sets up.