File Integrity Monitoring (FIM) in Wazuh: A Step-by-Step Guide
Why File Integrity Monitoring?
File Integrity Monitoring (FIM) is essential to the security and integrity of a system because it watches for and identifies unauthorized changes to files. Here are some important factors:
- Unauthorized Changes Detection: To stop security breaches, FIM locates and notifies users when important system files are altered without authorization.
- Compliance Requirement: To comply with regulatory standards, like PCI DSS, HIPAA, and GDPR, FIM deployment is required.
- Insider Threat Mitigation: By keeping an eye on changes made by internal users, FIM helps find and deal with possible insider threats.
Step2: Go to Agents and click on Deploy new agent, as shown below.
Next, select an Operating system, enter your Wazuh Server address, and set your agent’s name as shown below.
In the end, you will get a PowerShell script and a command to start the Wazuh service from your agent, as shown below.
Next, go to your Windows 10 machine and run the script in your PowerShell prompt.
Next, start the Wazuh service.
Start Wazuh service
Finally, come back to your Wazuh platform and go to Agents; you should see your newly onboarded Windows agent here.
Step3: Enable File Integrity Module on Windows Machine
Well, the good news is that the File Integrity Monitoring (FIM) module is by default enabled on agents.
You can verify this by checking the configuration file (ossec.conf) located at C:\Program Files (x86)\ossec-agent
You can also open the Wazuh agent GUI (the win32ui file) located in the same folder. This is also called the Wazuh Agent Manager. Click on View > View Config
Now, scroll a little and look for <syscheck> with the comment File Integrity Monitoring. You should see the <disabled> tag is set to NO, meaning it’s enabled.
Windows FIM Use Cases
There can be tons of use cases when it comes to File Integrity Monitoring, however, in this newsletter, we will cover two important ones.
Use Case: Monitoring the System32 folder to track malicious executables
The System32 area holds important system files, dynamic link libraries (DLLs), and executables that the Windows operating system needs to work properly.
Path: C:\Windows\System32
Why the System32 folder?
- When malware gets into a system, it tries to set up persistence so that it can stay active without being found. By changing or removing files in System32, malware can stay active for a long time, and users usually don't notice these changes.
- Malware authors try to make their programs look like part of the operating system. Because it lives in the System32 area, malware can hide among real system files, making it harder for regular security measures to find.
Let’s have our Wazuh agent keep track of System32 files.
Step1: Add the System32 folder to the <directories> tag
Go to the Wazuh Agent Manager. Click on View > View Config and edit the <syscheck> block as shown below.
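As an added example (not the newsletter's own screenshot), this is what the edited <syscheck> block in ossec.conf can look like once System32 has been added. The attributes used (check_all, realtime, report_changes, recursion_level, the ignore element) are Wazuh's documented syscheck options; the recursion depth and the ignore pattern are assumed values chosen for a lab machine, not requirements.

```xml
<!-- Added example: <syscheck> block of a Windows agent's ossec.conf.
     Only the System32 entry and the ignore line are new; the rest mirrors
     the default values the agent ships with. -->
<syscheck>
  <!-- "no" means FIM is enabled (this is the tag the guide tells you to check) -->
  <disabled>no</disabled>
  <!-- Full (scheduled) scan interval in seconds; 43200 = 12 hours -->
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>

  <!-- Added for this use case: watch C:\Windows\System32.
       check_all="yes"  -> hash and compare every attribute (size, owner, perms, mtime, hashes)
       realtime="yes"   -> alert on change immediately instead of waiting for the next scan
       report_changes   -> left at "no": diffs of binaries/DLLs are large and rarely useful
       recursion_level  -> assumed value; limits how deep under System32 the agent walks -->
  <directories check_all="yes" realtime="yes" report_changes="no" recursion_level="3">C:\Windows\System32</directories>

  <!-- Noise reduction (assumed pattern): log and trace files under System32 change constantly -->
  <ignore type="sregex">.log$|.etl$|.evtx$</ignore>
</syscheck>
```

Realtime monitoring of a directory as busy as System32 generates a steady stream of events on a patch day; keep an ignore pattern for the file types you know churn, and tune recursion_level before widening it, otherwise the alerts you care about (an unexpected .exe or .dll appearing) get buried.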
Step2: Restart the agent
Under the Manage tab of the Wazuh Agent Manager, click the Restart option.
Step3: Visualize the alert
Add any random file to the folder C:\Windows\System32. Next, go to Wazuh > Security Alerts; you should see the alert as shown below.
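Beyond looking at the dashboard, a practitioner usually wants to filter the raw FIM alerts for just the watched folder and see at a glance what was added, modified or deleted. The script below is an added example, not part of the newsletter or of Wazuh; it reads constructed lines in the shape of the manager's alerts.json (one JSON alert per line, syscheck fields as Wazuh emits them, rule IDs 550/553/554 being Wazuh's default syscheck rules) and summarizes the events under C:\Windows\System32. The agent name, timestamps and hashes are made-up sample values.

```python
import json
from collections import Counter

# Constructed sample alerts (not real data): three syscheck events and one
# unrelated Linux alert, in the newline-delimited JSON layout of alerts.json.
SAMPLE_ALERTS = r'''
{"timestamp":"2024-01-15T10:21:03.000+0000","rule":{"id":"554","level":5,"description":"File added to the system."},"agent":{"id":"001","name":"WIN10-LAB"},"syscheck":{"path":"c:\\windows\\system32\\test-file.exe","mode":"realtime","event":"added","sha256_after":"aaaa000000000000000000000000000000000000000000000000000000000001"}}
{"timestamp":"2024-01-15T10:22:40.000+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"001","name":"WIN10-LAB"},"syscheck":{"path":"c:\\windows\\system32\\drivers\\etc\\hosts","mode":"realtime","event":"modified","sha256_before":"bbbb000000000000000000000000000000000000000000000000000000000002","sha256_after":"cccc000000000000000000000000000000000000000000000000000000000003"}}
{"timestamp":"2024-01-15T10:23:11.000+0000","rule":{"id":"553","level":7,"description":"File deleted."},"agent":{"id":"001","name":"WIN10-LAB"},"syscheck":{"path":"c:\\users\\bob\\appdata\\local\\temp\\x.tmp","mode":"realtime","event":"deleted"}}
{"timestamp":"2024-01-15T10:24:00.000+0000","rule":{"id":"5402","level":3,"description":"Successful sudo to ROOT executed."},"agent":{"id":"002","name":"ubuntu-lab"},"data":{"srcuser":"alice"}}
'''


def parse_alerts(text):
    """Parse newline-delimited JSON alerts into dicts; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _norm(path):
    # Windows paths are case-insensitive and syscheck reports them lower-cased;
    # normalise separators so the user can pass C:\Windows\System32 as written.
    return path.replace("/", "\\").lower().rstrip("\\")


def fim_events(alerts, watched_dir):
    """Return only syscheck (FIM) alerts whose path lies under watched_dir."""
    prefix = _norm(watched_dir) + "\\"
    events = []
    for alert in alerts:
        sc = alert.get("syscheck")
        if not sc:
            continue  # not a FIM alert (e.g. an authentication or sudo rule)
        if not _norm(sc["path"]).startswith(prefix):
            continue  # FIM alert, but outside the folder we are tracking
        events.append({
            "time": alert["timestamp"],
            "agent": alert["agent"]["name"],
            "rule_id": alert["rule"]["id"],
            "level": alert["rule"]["level"],
            "event": sc["event"],            # added / modified / deleted
            "mode": sc.get("mode"),          # realtime / scheduled / whodata
            "path": sc["path"],
            "sha256_before": sc.get("sha256_before"),
            "sha256_after": sc.get("sha256_after"),
        })
    return events


def summarize(events):
    """Count events by type and report the highest rule level seen."""
    counts = Counter(e["event"] for e in events)
    return {
        "added": counts.get("added", 0),
        "modified": counts.get("modified", 0),
        "deleted": counts.get("deleted", 0),
        "max_level": max((e["level"] for e in events), default=0),
    }


if __name__ == "__main__":
    hits = fim_events(parse_alerts(SAMPLE_ALERTS), r"C:\Windows\System32")
    for e in hits:
        print(f'{e["time"]} {e["agent"]} rule {e["rule_id"]} [{e["event"]:8}] {e["path"]}')
    print(summarize(hits))
```

Pointing parse_alerts at the real /var/ossec/logs/alerts/alerts.json on the manager gives the same view for a live agent; a new "added" event for an executable under System32 outside a patch window is exactly the signal this use case is meant to surface.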