File integrity monitoring

In this PoC, the Wazuh File Integrity Monitoring (FIM) system watches for changes to files in the monitored directories and triggers an alert whenever one of those files is created, modified, or deleted. Additionally, it enriches the alert data with information about the user who made the change and the process that performed it.

See the File integrity monitoring section of our documentation for more information about FIM functionality and configuration.

Configuration

Configure your environment as follows to test the PoC.

  1. Edit /var/ossec/etc/ossec.conf in the monitored Ubuntu 20 endpoint and enable whodata by adding whodata="yes" to the monitored directories.

    <syscheck>
        <directories check_all="yes" whodata="yes">/usr/bin,/usr/sbin</directories>
        <directories check_all="yes" whodata="yes">/bin,/sbin,/boot</directories>
        <directories check_all="yes" report_changes="yes" whodata="yes" tags="cron">/etc/cron*</directories>
        <directories check_all="yes" report_changes="yes" whodata="yes" recursion_level="2">/home,/root</directories>
    </syscheck>
    
  2. Restart the Linux Wazuh agent to apply the configuration changes.

    # systemctl restart wazuh-agent
    
  3. Edit C:\Program Files (x86)\ossec-agent\ossec.conf in the monitored Windows endpoint and add the directories to monitor, including the whodata="yes" attribute.

    <syscheck>
        <scan_on_start>yes</scan_on_start>
        <directories check_all="yes" report_changes="yes" whodata="yes">C:\\Users\\Administrator\\Desktop</directories>
        <directories check_all="yes" report_changes="yes" whodata="yes">C:\\Wazuh</directories>
    </syscheck>
    
  4. Restart the Windows Wazuh agent from its UI to apply the configuration changes.

As an alternative to local configurations, you can centrally configure groups of agents.
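Whodata enrichment only appears in alerts for directories that carry whodata="yes", so it is worth checking a syscheck configuration before restarting agents. The script below is an added example, not Wazuh's own tooling: it parses the <directories> entries and reports every path that lacks whodata. It assumes the input is the text of ossec.conf (or a fragment of it); because a real ossec.conf may contain several top-level <ossec_config> elements, the text is wrapped in a synthetic root before parsing. The sample configuration is constructed from the Linux fragment above plus two entries without whodata.

```python
"""Audit a Wazuh <syscheck> configuration for whodata coverage.

Added example, not Wazuh project code. Assumes the input is the text of
ossec.conf or a fragment of it. Wazuh's ossec.conf may hold several
top-level <ossec_config> elements, which is not a single well-formed XML
document, so the text is wrapped in a synthetic <root> before parsing.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the Linux directories from the PoC plus two entries
# (/opt/app and /srv/www) that lack whodata="yes", to show what is reported.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <directories check_all="yes" whodata="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" whodata="yes">/bin,/sbin,/boot</directories>
    <directories check_all="yes" report_changes="yes" whodata="yes" tags="cron">/etc/cron*</directories>
    <directories check_all="yes" report_changes="yes" whodata="yes" recursion_level="2">/home,/root</directories>
    <directories check_all="yes">/opt/app</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes" report_changes="yes">/srv/www</directories>
  </syscheck>
</ossec_config>
"""


def parse_directories(conf_text):
    """Return one entry per monitored path with the attributes of its
    <directories> element. A single element may list several comma-separated
    paths, so those are split into separate entries."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for elem in root.iter("directories"):
        for path in (elem.text or "").split(","):
            path = path.strip()
            if path:
                entries.append({"path": path, "attrs": dict(elem.attrib)})
    return entries


def missing_attribute(entries, name):
    """Paths whose <directories> element does not set the attribute to yes."""
    return [e["path"] for e in entries
            if e["attrs"].get(name, "no").strip().lower() != "yes"]


def audit(conf_text):
    """Summarize coverage: which paths lack whodata and report_changes."""
    entries = parse_directories(conf_text)
    return {
        "monitored": [e["path"] for e in entries],
        "no_whodata": missing_attribute(entries, "whodata"),
        "no_report_changes": missing_attribute(entries, "report_changes"),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONF)
    print("monitored paths:", len(report["monitored"]))
    for path in report["no_whodata"]:
        print("no whodata (alerts will lack user/process data):", path)
```

Paths listed under "no whodata" will still produce integrity alerts, but without the audit user and process fields; paths without report_changes will not carry a diff of the modified content.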

Steps to generate the alerts

  1. Create, remove, or modify a file in the monitored directories.

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and apply the following filter in the search bar to query the alerts.

  • syscheck.path: "{path_to_the_modified_file}"
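The same query can be run against the manager's alert log, which stores one JSON alert per line in /var/ossec/logs/alerts/alerts.json. The script below is an added example, not Wazuh's own code: it filters alerts on syscheck.path exactly as the dashboard filter does and pulls out the enrichment fields whodata adds (syscheck.audit.user.name, syscheck.audit.process.name, syscheck.audit.process.id) together with the event type, hash, and diff. The sample alert lines are constructed; the field names follow the syscheck alert layout, and the rule ids and hash values in the sample are placeholders rather than values taken from a live system.

```python
"""Filter Wazuh FIM (syscheck) alerts by path and show who changed the file.

Added example, not Wazuh project code. Reads alerts in the JSON-lines form
written to /var/ossec/logs/alerts/alerts.json and mirrors the dashboard
filter  syscheck.path: "<path>". The sample lines are constructed.
"""
import json

# Constructed sample alerts: two syscheck events for notes.txt (one with a
# diff because report_changes is on), one unrelated non-FIM alert, one
# syscheck event for a different file, and one malformed line.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"timestamp": "2023-01-10T10:00:01.000+0000",
                "rule": {"id": "554", "description": "File added to the system."},
                "agent": {"name": "ubuntu20"},
                "syscheck": {"path": "/home/ubuntu/notes.txt", "event": "added",
                             "sha256_after": "placeholder-sha256-1",
                             "audit": {"user": {"name": "ubuntu", "id": "1000"},
                                       "process": {"name": "/usr/bin/nano", "id": "4711"}}}}),
    json.dumps({"timestamp": "2023-01-10T10:00:05.000+0000",
                "rule": {"id": "5715", "description": "sshd: authentication success."},
                "agent": {"name": "ubuntu20"},
                "data": {"srcuser": "ubuntu"}}),
    json.dumps({"timestamp": "2023-01-10T10:02:30.000+0000",
                "rule": {"id": "550", "description": "Integrity checksum changed."},
                "agent": {"name": "ubuntu20"},
                "syscheck": {"path": "/home/ubuntu/notes.txt", "event": "modified",
                             "sha256_after": "placeholder-sha256-2",
                             "diff": "1c1\n< hello\n---\n> hello world\n",
                             "audit": {"user": {"name": "root", "id": "0"},
                                       "process": {"name": "/usr/bin/vim", "id": "4820"}}}}),
    json.dumps({"timestamp": "2023-01-10T10:03:00.000+0000",
                "rule": {"id": "553", "description": "File deleted."},
                "agent": {"name": "ubuntu20"},
                "syscheck": {"path": "/home/ubuntu/other.txt", "event": "deleted",
                             "audit": {"user": {"name": "ubuntu", "id": "1000"},
                                       "process": {"name": "/usr/bin/rm", "id": "4901"}}}}),
    "this line is not JSON and must be skipped",
])


def iter_alerts(text):
    """Yield one dict per parseable JSON line; silently skip other lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def get_field(alert, dotted, default=None):
    """Look up a dotted field name such as 'syscheck.audit.user.name'."""
    cur = alert
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def query_syscheck(text, path):
    """Return a summary of every FIM alert whose syscheck.path equals path."""
    results = []
    for alert in iter_alerts(text):
        if get_field(alert, "syscheck.path") != path:
            continue
        results.append({
            "timestamp": alert.get("timestamp"),
            "agent": get_field(alert, "agent.name"),
            "rule_id": get_field(alert, "rule.id"),
            "event": get_field(alert, "syscheck.event"),
            "user": get_field(alert, "syscheck.audit.user.name"),
            "process": get_field(alert, "syscheck.audit.process.name"),
            "pid": get_field(alert, "syscheck.audit.process.id"),
            "sha256": get_field(alert, "syscheck.sha256_after"),
            "diff": get_field(alert, "syscheck.diff"),
        })
    return results


if __name__ == "__main__":
    for hit in query_syscheck(SAMPLE_ALERTS, "/home/ubuntu/notes.txt"):
        print(f"{hit['timestamp']} {hit['agent']} {hit['event']:<8} "
              f"by {hit['user']} via {hit['process']} (pid {hit['pid']})")
        if hit["diff"]:
            print(hit["diff"].rstrip())
```

Pipe the real log through the same function (for example by reading alerts.json with the path you touched in the "Steps to generate the alerts" section) to confirm that the user and process fields are populated; an empty user or process column for a monitored path indicates that whodata is not active for that directory.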