What to watch with your FIM?
A few days ago, one of our readers posted a message in the general discussion forum about FIM (“File Integrity Management”) and, more precisely, which files/directories to monitor. Just a brief introduction for those who are not aware of File Integrity Monitoring: It's a security control that helps to validate the integrity of files present on a file system using a baseline of this system. The comparison with the baseline relies on file hashes but not only. Other file attributes can be monitored: the owner, access rights or the last modification time are good examples.
This control is implemented via processes and enforced with tools. Like most of information security tools, it's just… a dumb tool! The challenge is to configure it in the right way to increase your chances to detect a malicious activity. Available tools are delivered with baselines for standard environments but must be fine tuned to match your own requirements. I think that it’s a good idea to share and discuss some ideas on this topic: What do you monitor with your FIM?
Basically, they are two types of data that you can watch:
- “System” files - They will help you to detect if a server is compromised, if its configuration has been changed or if users are performing dangerous activities (like copying files or installing applications).
- “Data” files - Those are the files used by your “business".
In the second case, it’s impossible to build a list of interesting files. They depend on your business. Here are some examples where a FIM might be helpful:
- Logging changes on source repository (to track the developers tasks)
- Logging changes on sensitive department shares (HR, accounting, …)
- Logging changes on public resources (like web servers, FTP servers)
The implementation of a FIM has also side effects. A classic issue is patching systems. By replacing system files, patches can generate a huge amount of false positives. From a system perspective, here is a non-exhaustive list of files/directories to monitoring on UNIX/Windows systems:
For UNIX systems:
| /etc |
| /boot |
| /bin |
| /sbin |
| /usr/bin |
| /usr/sbin |
| /usr/local/etc |
| /usr/local/bin |
| /usr/local/sbin |
| /usr/local/etc |
| /opt |
| /var/opt |
| /lib |
| /usr/lib |
| /var/lib |
| /usr/local/lib |
| /lib64 |
Specific files can be monitored:
- Executables in /tmp ,/usr/local/tmp, /var/tmp
- Plain files in /dev
Others must be ignored (changing too often):
| /etc/mtab |
| /etc/hosts.deny |
| /etc/mail/statistics |
| /etc/random-seed |
| /etc/adjtime |
For Windows systems:
| %WINDIR%/win.ini |
|
%WINDIR%/system.ini
|
|
C:\autoexec.ba
|
| C:\boot.ini |
| %WINDIR%/System32 |
| %WINDIR%/regedit.exe |
| C:\Documents and Settings/All Users/Start Menu/Programs/Startup |
| C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup |
On Windows, the registry contains many useful locations that can also be monitored by most FIM:
| HKEY_LOCAL_MACHINE\Software\Classes\cmdfile |
| HKEY_LOCAL_MACHINE\Software\Classes\comfile |
| HKEY_LOCAL_MACHINE\Software\Classes\exefile |
| HKEY_LOCAL_MACHINE\Software\Classes\piffile |
| HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects |
| HKEY_LOCAL_MACHINE\Software\Classes\Directory |
| HKEY_LOCAL_MACHINE\Software\Classes\Folder |
| HKEY_LOCAL_MACHINE\Software\Classes\Protocols |
| HKEY_LOCAL_MACHINE\Software\Policies |
| HKEY_LOCAL_MACHINE\Security |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components |
| HKEY_LOCAL_MACHINE\Security\Policy\Secrets |
| HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users \Enum$ |
The following one can be ignored (changing too often):
|
|
| C:\WINDOWS/Debug |
| C:\WINDOWS/WindowsUpdate.log |
| C:\WINDOWS/iis6.log |
| C:\WINDOWS/system32/wbem/Logs |
| C:\WINDOWS/system32/wbem/Repository |
| C:\WINDOWS/Prefetch |
| C:\WINDOWS/PCHEALTH/HELPCTR/DataColl |
| C:\WINDOWS/SoftwareDistribution |
| C:\WINDOWS/Temp |
| C:\WINDOWS/system32/config |
| C:\WINDOWS/system32/spool |
| C:\WINDOWS/system32/CatRoot |
And you? What are you monitoring? Please share your configurations and tips!
Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
My next class:
| Reverse-Engineering Malware: Advanced Code Analysis | Online | British Summer Time | Jul 28th - Aug 1st 2025 |
×
![modal content]()
Diary Archives
Comments
Anonymous
Mar 31st 2016
9 years ago
Anonymous
Mar 31st 2016
9 years ago
For FIM, before anything else, you need to determine if your chosen FIM solution can integrate with your change management solution for the purpose of reconciling detected changes against whether of not there is a valid change ticket for the server, time window and rule being examined.
If it doesn't have this, and if you don't make having this a priority from day one during your design and implementation plan, unless you are a very small shop, you will get buried under changes, and that malicious action you are hoping to detect will be forever lost in a sea of valid normal changes.
Trust me, I've seen it from both sides, and you want integration with your change management solution from day one.
Best of luck!
Anonymous
Apr 1st 2016
9 years ago
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
So I added that to my include list.
Anonymous
Apr 1st 2016
9 years ago