File Integrity Monitoring (FIM) FAQs
For more information about File Integrity Monitoring, see the following topics:
How does FIM work?
FIM monitors a predefined set of files and directories at a periodic interval. FIM identifies new, changed, malicious, and non-package installed files.
How does FIM alert?
FIM creates an event for known malicious files. You can configure custom FIM policies to generate events for your specific requirements. For more information, see Create Custom Policies.
What does FIM monitor?
FIM runs periodically depending on the configured frequency (default once a day) and monitors a predefined list of directories and files and all processes that were active when FIM was running.
What files/paths are included in the predefined list?
By default, Lacework monitors a set of default paths and files. The list of default paths and files has been omitted for security reasons. Contact Lacework Support for more information.
You can optionally override these default paths and files using the filepath property. For information about changing this property, see File Integrity Monitoring (FIM) Properties.
What files does FIM ignore?
By default, Lacework excludes monitoring a set of default paths and files. The list of default paths and files has been omitted for security reasons. Contact Lacework Support for more information.
You can optionally override these default non-monitored paths using the fileignore property. For more information about changing this property, see File Integrity Monitoring (FIM) Properties.
What is the FIM scan interval?
The default is one scan per day. The interval was chosen to balance feature need versus CPU, memory, and disk IO cost.
What kind of load is normal for the device, both the baseline and post-baseline monitoring?
The load depends on the number of files. The feature includes a throttling mechanism to ensure that it does not consume excessive CPU, memory, and disk I/O resources for an extended period of time.
What should I expect once I configure custom directories and files for FIM?
You should expect FIM to monitor the custom configured directories and files once a day. The default directories and files will no longer be monitored.
How often does FIM send alerts?
The alerts are sent through the normal Lacework alerting model in the Lacework Console or through external integrations. The alerts are generated when the files are checked and sent once a day for the configured directories and once an hour for files associated with processes making long-running connections.
Are there any files that FIM currently does not monitor?
It monitors all the files in a directory specified using the filepath property and ignores files that are specified in the fileignore property.
How does FIM work with processes that make connections?
FIM monitors the binary associated with processes that make long-running network connections.
What are the files that FIM provides visibility for?
FIM provides visibility into new and changed files, files with multiple executables, files installed without packages, and malicious files.
How are malicious files identified?
Lacework partners with a third party to compare the SHA256 file hash to a list of known malicious file hashes.
Can I set the time when the daily FIM scan runs?
Yes, you can use the runat property to set the start time of the daily FIM scan in HH:MM format, as shown in the following example. The runat property must be specified within a single fim property.
"fim":
{
    "runat": "23:50"
}
Can I configure the frequency of the scans?
Yes, you can configure the scan frequency. The default scan interval is once a day. The interval was chosen to balance feature need versus CPU, memory, and disk IO bandwidth cost.
Can I limit the CPU usage for the FIM?
The Lacework agent automatically throttles CPU, memory, and disk IO. The limits are configurable, but Lacework does not recommend changing them without assistance from Lacework Support.
If a user specifies filepath and fileignore in the config.json file, are the default directories included or excluded?
The default configuration is ignored; it is not a merge operation.
Why does Lacework include paths such as /var/log/messages, which are constantly changing, as default directories?
HIPAA and PCI requirements include monitoring log file changes because they want to ensure that these files are only appended and not overwritten.
On the dashboard, there are many results of FIM changes. Won’t adding directories that change constantly decrease the value of the FIM dossier because there are so many events to filter through?
You can customize the directories that you want to monitor. Custom policies enable you to receive alerts for the files that really matter to your organization. For details, see Create Custom Policies and View and Configure Platform Alerts.
What is the increased load for each added custom FIM directory?
The exact load depends on the number and size of files in the directories being monitored.
What kind of data from each file does FIM monitor and what is sent to Lacework?
Lacework does not look inside file contents and only sends the metadata and file hash.
Is any customer-specific data sent to Lacework?
The file contents are not examined by FIM or sent to Lacework.
How does Lacework choose the default directories and files to monitor?
Lacework reviewed the common directories used by multiple open source FIM solutions to define the list of default directories and files.
Is there a memory consumption baseline? If new directories are added to the config.json file, what increases in memory consumption are expected?
There is a baseline that is stored in VM, which is updated when new directories are added or removed. There is no fixed cost. Memory consumption depends on the number of files and directories being monitored. To avoid excessive resource usage, Lacework has a throttling mechanism as described earlier.
Do FIM filepath/fileignore changes in the config.json file require an agent restart to take effect?
No, changes to the config.json file are automatically read by the agent and do not require an agent restart to take effect.
How long should I expect until FIM reports an added directory or file?
The FIM scan is run once per day, so the time until you see a change depends on the time of the last scan.
Can I use wildcards when configuring FIM in the config.json file?
The * wildcard is supported when specifying the filepath and fileignore properties. For instructions on changing the default paths using the config.json file, see File Integrity Monitoring (FIM) Properties.
Are directory paths recursive? For example, if /etc is included in the config.json file, will the FIM scan include /etc/nginx?
Yes, FIM directory configuration is recursive.
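The following is an added, self-contained Python example (not Lacework agent code) that models the behaviour described in the answers above: a recursive walk of configured directories, "*" ignore patterns, a baseline that records only metadata and the SHA256 hash (never file contents), and a comparison pass that classifies files as new, changed, or malicious by hash lookup. The sample directory tree, the simulated drift, and the known-bad hash list are all constructed inside the example; the "removed" event category and the FileRecord field names are assumptions of this example, not something the page states.

```python
"""Toy file-integrity baseline illustrating the FIM FAQ: recursive directories,
'*' ignore patterns, metadata + SHA256 only, and a known-bad hash lookup.
Constructed example; it is not the Lacework agent's implementation."""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    # Only metadata and the hash are kept, never the file contents.
    sha256: str
    size: int
    mode: int


def sha256_of(path):
    """Stream the file through SHA256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_ignored(path, fileignore):
    """'*' patterns in the ignore list, matched with fnmatch (assumed semantics)."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in fileignore)


def scan(filepath, fileignore=()):
    """Walk each configured directory recursively and return {path: FileRecord}."""
    records = {}
    for root in filepath:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if is_ignored(full, fileignore):
                    continue
                st = os.stat(full)
                records[full] = FileRecord(sha256_of(full), st.st_size, st.st_mode & 0o777)
    return records


def diff(baseline, current, known_bad=frozenset()):
    """Classify current files against the baseline and a known-bad hash set."""
    events = []
    for path, rec in current.items():
        old = baseline.get(path)
        if old is None:
            events.append(("new", path))
        elif old.sha256 != rec.sha256 or old.mode != rec.mode:
            events.append(("changed", path))
        if rec.sha256 in known_bad:
            events.append(("malicious", path))
    for path in baseline.keys() - current.keys():
        events.append(("removed", path))  # category added by this example
    return sorted(events)


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed /etc-like tree, take a baseline, drift it, and report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "nginx"))
        os.makedirs(os.path.join(etc, "tmp"))
        _write(os.path.join(etc, "passwd"), b"root:x:0:0\n")
        _write(os.path.join(etc, "nginx", "nginx.conf"), b"worker_processes 1;\n")
        _write(os.path.join(etc, "tmp", "scratch"), b"noise\n")
        # Constructed config: monitor etc recursively, ignore everything under etc/tmp.
        fileignore = [os.path.join(etc, "tmp", "*")]
        baseline = scan([etc], fileignore)

        # Simulated drift between two daily scans.
        _write(os.path.join(etc, "nginx", "nginx.conf"), b"worker_processes 4;\n")
        dropped = b"#!/bin/sh\necho hi\n"
        _write(os.path.join(etc, "dropped.sh"), dropped)
        _write(os.path.join(etc, "tmp", "scratch"), b"more noise\n")  # ignored
        os.remove(os.path.join(etc, "passwd"))

        # Placeholder known-bad list; the real list comes from a third party.
        known_bad = frozenset({hashlib.sha256(dropped).hexdigest()})
        current = scan([etc], fileignore)
        return [(kind, os.path.relpath(p, etc).replace(os.sep, "/"))
                for kind, p in diff(baseline, current, known_bad)]


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:10} {path}")
```

The ignored scratch file changes between scans but produces no event, the subdirectory nginx/ is picked up without being listed explicitly, and the dropped script is reported both as new and as malicious because its hash is in the constructed known-bad set.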