
Configure FIM Properties for Windows Agent

By default, Lacework configures the Windows agent File Integrity Monitoring (FIM) feature with default settings. For example, Lacework monitors a set of default paths and excludes another set of default paths from monitoring.

You can override the default settings using the filepath property (to include in monitoring) and fileignore property (to exclude from monitoring) in the config.json file.

This section describes the FIM properties supported by the Windows agent in the config.json file. For more information about File Integrity Monitoring, see the following topics:

note
  • Ensure that you have administrator privileges to open the config.json file in a text editor.
  • If you modify the config.json file, restart the Windows agent to enable the changes. For instructions, see Restart Windows Agent.

Understand FIM Syntax in the config.json File

All directories and files not part of the default settings that you want to monitor or ignore must be explicitly added to the config.json file. You can list directories or files.

The FIM properties must be specified within a single fim property in the config.json file, as shown in the following example:

"fim":
{
  "filepath": [ "%SystemRoot%\\System32\\drivers", "C:\\hello4?.txt", "C:\\Windows\\A*" ],
  "fileignore": [ "C:\\hello?.txt", "C:\\hello45.txt", "C:\\Windows\\AA*", "C:\\Windows\\Logs*" ]
}
note

Use double backslash (\\) when you specify Windows file paths. Double backslashes are necessary because the single backslash is an escape character in JSON files.

Monitor Entire Directory Except a Few Specific Files

If you want to monitor an entire directory and exclude specific files within the directory:

  1. List the directory to monitor in filepath.
  2. List the specific files to exclude in fileignore.

Understand Empty Entries

Adding a blank "fim" entry as shown below has no effect on the default parameters.

"fim":{}

However, if you add an empty filepath property as shown below, no files are monitored, and if you add an empty fileignore property as shown below, no files are excluded from monitoring.

"fim":
{
  "filepath": [],
  "fileignore": []
}

Use of Wildcards

Use wildcards to efficiently specify complex sets of paths.

Example of the * wildcard

In this example, FIM monitors all files in the C:\users\ folder whose names start with foo. If the folder contains foofile1.txt, foofile2.log, and nofoofile1.txt, FIM runs only on foofile1.txt and foofile2.log.

"filepath": ["C:\\users\\foo*"]

Example of the ? wildcard

In this example, FIM monitors the files in the C:\users\ folder whose names match foo?file.txt, where ? stands for exactly one character. If the folder contains foo1file.txt, foo2file.txt, and foofile.txt, FIM runs only on foo1file.txt and foo2file.txt.

"filepath": ["C:\\users\\foo?file.txt"]

filepath Property

By default, Lacework monitors the following paths:

  • Paths that are scanned recursively by default:
    • C:\Program Files\
    • C:\Program Files (x86)
    • C:\Windows\System32\
    • C:\Windows\SystemApps\
    • C:\Windows\SysWOW64\
    • C:\Windows\Microsoft.NET\
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    • %Temp%
  • Paths that are scanned non-recursively by default:
    • C:\
    • C:\Windows

You can override these default paths by specifying the filepath property in the config.json file.

"filepath": ["filepath1", "filepath2", ...]

The filepath property supports the * and ? wildcards.

note

Specifying additional file paths may temporarily increase scan time, CPU, memory, and network resource usage.

Example of filepath Property

"filepath": ["C:\\users\\foo.txt", "C:\\data\\"]

This entry configures FIM to monitor C:\users\foo.txt and all files in C:\data\.

fileignore Property

By default, Lacework excludes monitoring a set of default paths. The list of default paths has been omitted for security reasons. Contact Lacework Support for more information.

You can override these ignored default paths by specifying the fileignore property in the config.json file.

"fileignore": ["filepath1", "filepath2", ...]

The fileignore property supports the * and ? wildcards.

Example of fileignore Property

"fileignore": ["C:\\backup\\"]

This entry configures FIM to ignore the C:\backup\ folder and all files in it.
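The following checker, added here as an example and not Lacework's own code, applies the * and ? wildcard rules from the earlier examples together with the filepath/fileignore combination used to monitor a directory except a few files, and shows the JSON error that a single backslash in a path produces. It assumes that wildcards match within one path component, that matching is case-insensitive as on NTFS, and that an entry ending in a backslash covers everything beneath that folder; it evaluates only explicit entries, not the agent's built-in default paths.

```python
"""Check which files an explicit Lacework Windows-agent "fim" block would cover."""
import json
import re

# Assumed matching semantics (the agent's exact rules are not documented here):
# '*' and '?' match within one path component, matching is case-insensitive
# like NTFS, and an entry ending in '\' covers every file beneath that folder.
def _pattern_to_regex(entry: str) -> re.Pattern:
    regex = ""
    for ch in entry:
        if ch == "*":
            regex += r"[^\\]*"
        elif ch == "?":
            regex += r"[^\\]"
        else:
            regex += re.escape(ch)
    if entry.endswith("\\"):
        regex += ".*"  # directory entry: everything below it
    return re.compile(rf"^{regex}$", re.IGNORECASE)

def load_fim(config_text: str) -> dict:
    """Parse config.json text and return its 'fim' object ({} if absent)."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # A single backslash in a Windows path is the usual cause of this error.
        raise ValueError(f"config.json is not valid JSON (use \\\\ in paths): {exc}") from exc
    return config.get("fim", {})

def is_monitored(fim: dict, path: str) -> bool:
    """True if path matches a filepath entry and no fileignore entry."""
    included = [_pattern_to_regex(e) for e in fim.get("filepath", [])]
    ignored = [_pattern_to_regex(e) for e in fim.get("fileignore", [])]
    if not any(r.match(path) for r in included):
        return False
    return not any(r.match(path) for r in ignored)

# Constructed config text that mirrors the page's examples (not a real deployment).
SAMPLE_CONFIG = r'''{
  "fim": {
    "filepath": ["C:\\users\\foo*", "C:\\users\\bar?file.txt", "C:\\data\\"],
    "fileignore": ["C:\\data\\backup\\", "C:\\data\\secret.txt"]
  }
}'''

if __name__ == "__main__":
    for p in [r"C:\users\foofile1.txt", r"C:\users\nofoofile1.txt", r"C:\data\secret.txt"]:
        print(p, "monitored =", is_monitored(load_fim(SAMPLE_CONFIG), p))
```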

runat Property

By default, Lacework runs the FIM scan at an undetermined time once per day. To control the start time of the daily FIM scan, specify the runat property and enter the start time as HH:MM in the config.json file.

"runat": "HH:MM"

Example of runat Property

"runat": "23:50"

This entry configures FIM to start scanning at 11:50 PM.

maxscanfiles Property

By default, Lacework runs the FIM scan on up to 500000 files. You can specify the maxscanfiles property in your config.json file to change the default. For example, to limit the FIM scan to 20000 files, specify:

"maxscanfiles": "20000"

mode Property

FIM is enabled by default on your host machine.

To disable FIM, specify the following in your config.json file:

"mode": "disable"

If FIM is disabled, you can enable it by deleting the following in your config.json file:

"mode": "disable"

noatime Property

The noatime property prevents atime from being used in the metadata hash computation. The atime (access timestamp) is the last time a file was read: a program displayed the file's contents or read some values from it, but nothing in the file was edited or added. Metadata is one of the dimensions of the hash the agent uses to determine whether a file has changed. To prevent the use of atime, specify the following in your config.json file:

"noatime": "true"