What to watch with your FIM?
A few days ago, one of our readers posted a message in the general discussion forum about FIM (“File Integrity Management”) and, more precisely, which files/directories to monitor. Just a brief introduction for those who are not aware of File Integrity Monitoring: It's a security control that helps to validate the integrity of files present on a file system using a baseline of this system. The comparison with the baseline relies on file hashes but not only. Other file attributes can be monitored: the owner, access rights or the last modification time are good examples.
This control is implemented via processes and enforced with tools. Like most of information security tools, it's just… a dumb tool! The challenge is to configure it in the right way to increase your chances to detect a malicious activity. Available tools are delivered with baselines for standard environments but must be fine tuned to match your own requirements. I think that it’s a good idea to share and discuss some ideas on this topic: What do you monitor with your FIM?
Basically, they are two types of data that you can watch:
- “System” files - They will help you to detect if a server is compromised, if its configuration has been changed or if users are performing dangerous activities (like copying files or installing applications).
- “Data” files - Those are the files used by your “business".
In the second case, it’s impossible to build a list of interesting files. They depend on your business. Here are some examples where a FIM might be helpful:
- Logging changes on source repository (to track the developers tasks)
- Logging changes on sensitive department shares (HR, accounting, …)
- Logging changes on public resources (like web servers, FTP servers)
The implementation of a FIM has also side effects. A classic issue is patching systems. By replacing system files, patches can generate a huge amount of false positives. From a system perspective, here is a non-exhaustive list of files/directories to monitoring on UNIX/Windows systems:
For UNIX systems:
| /etc |
| /boot |
| /bin |
| /sbin |
| /usr/bin |
| /usr/sbin |
| /usr/local/etc |
| /usr/local/bin |
| /usr/local/sbin |
| /usr/local/etc |
| /opt |
| /var/opt |
| /lib |
| /usr/lib |
| /var/lib |
| /usr/local/lib |
| /lib64 |
Specific files can be monitored:
- Executables in /tmp ,/usr/local/tmp, /var/tmp
- Plain files in /dev
Others must be ignored (changing too often):
| /etc/mtab |
| /etc/hosts.deny |
| /etc/mail/statistics |
| /etc/random-seed |
| /etc/adjtime |
For Windows systems:
| %WINDIR%/win.ini |
|
%WINDIR%/system.ini
|
|
C:\autoexec.ba
|
| C:\boot.ini |
| %WINDIR%/System32 |
| %WINDIR%/regedit.exe |
| C:\Documents and Settings/All Users/Start Menu/Programs/Startup |
| C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup |
On Windows, the registry contains many useful locations that can also be monitored by most FIM:
| HKEY_LOCAL_MACHINE\Software\Classes\cmdfile |
| HKEY_LOCAL_MACHINE\Software\Classes\comfile |
| HKEY_LOCAL_MACHINE\Software\Classes\exefile |
| HKEY_LOCAL_MACHINE\Software\Classes\piffile |
| HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects |
| HKEY_LOCAL_MACHINE\Software\Classes\Directory |
| HKEY_LOCAL_MACHINE\Software\Classes\Folder |
| HKEY_LOCAL_MACHINE\Software\Classes\Protocols |
| HKEY_LOCAL_MACHINE\Software\Policies |
| HKEY_LOCAL_MACHINE\Security |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components |
| HKEY_LOCAL_MACHINE\Security\Policy\Secrets |
| HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users \Enum$ |
The following one can be ignored (changing too often):
|
|
| C:\WINDOWS/Debug |
| C:\WINDOWS/WindowsUpdate.log |
| C:\WINDOWS/iis6.log |
| C:\WINDOWS/system32/wbem/Logs |
| C:\WINDOWS/system32/wbem/Repository |
| C:\WINDOWS/Prefetch |
| C:\WINDOWS/PCHEALTH/HELPCTR/DataColl |
| C:\WINDOWS/SoftwareDistribution |
| C:\WINDOWS/Temp |
| C:\WINDOWS/system32/config |
| C:\WINDOWS/system32/spool |
| C:\WINDOWS/system32/CatRoot |
And you? What are you monitoring? Please share your configurations and tips!
Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
Join us at SANS!
Attend Reverse-Engineering Malware: Malware Analysis Tools and Techniques with Xavier Mertens in Amsterdam starting Aug 15 2022
×
![]()
Diary Archives
https://www.sans.edu
