Wazuh — File Integrity Monitoring

Ritaj biri
Jan 18, 2024


File Integrity Monitoring (FIM), implemented in Wazuh by the syscheck module, monitors critical system and configuration files and raises an alert on the Wazuh manager whenever one of them is created, modified or deleted by a user or process.

This guide assumes you already have Wazuh installed; if you don't, follow the installation article first:

1. Setting up FIM on a Linux endpoint:

  • To monitor a specific file or folder, follow these steps on the endpoint where the Wazuh agent is installed:
  1. Edit the agent configuration file /var/ossec/etc/ossec.conf.
  2. Inside the <syscheck> block, add the path of the file or folder between <directories></directories> tags (one path per entry, or several paths separated by commas).

By default, syscheck runs a scheduled scan every 12 hours (<frequency>43200</frequency>, in seconds). To scan more often, lower the value between the <frequency></frequency> tags. A scheduled scan only sees the state of the files at the moment it runs, so a file that is modified and restored between two scans raises no alert.

If you want a directory monitored in real time instead of waiting for the next scheduled scan, add the attribute realtime="yes" to its <directories> entry (on Linux this uses inotify).

Additionally, you can add the attribute report_changes="yes" to include the content changes of a modified text file in the event. Wazuh keeps a copy of each such file under /var/ossec/queue/diff/ to compute the diff, so use this on small configuration files rather than on large or binary ones.

Example:

<directories realtime="yes" report_changes="yes">/home/ritaj</directories>

Restart the Wazuh agent to apply any configuration change (on systemd hosts: systemctl restart wazuh-agent).

After the configuration is done, the alert for a modified file carries the old and new content in the syscheck.diff field, which you can read in the security events of the Wazuh dashboard.

  • Who-data monitoring:

The who-data functionality lets the FIM module record who made a change to a monitored file, not only that the file changed.

On Linux it uses the Linux Audit subsystem to find out which user and process touched a monitored directory, so the audit daemon (auditd) must be installed on the endpoint; the agent adds the required audit rules for the monitored paths itself.

whodata="yes" replaces the realtime attribute rather than complementing it: whodata is real-time monitoring with the who-data information added, so you do not need realtime="yes" on the same entry.

Example:

<directories check_all="yes" whodata="yes">/home/ritaj</directories>
  • check_all: enables all the check_* options, including check_sum, check_sha1sum, check_sha256sum, check_md5sum, check_size, check_owner, check_group, check_perm, check_mtime and check_inode.

whodata adds a syscheck.audit object to the alert with the user, group, login user and effective user that made the change, and the process (name, PID and parent PID) that performed it.

  • To exclude a file or folder from monitoring:

Add its path between <ignore></ignore> tags inside the <syscheck> block. Add type="sregex" to the tag to ignore by pattern instead of by exact path (for example editor swap files under a monitored tree).
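The following <syscheck> block puts the settings from this section together (scan frequency, a real-time directory with content diffs, a who-data directory, and both kinds of ignore entries). It is an added example for this guide, not a configuration taken from the original article or from the Wazuh project's default ossec.conf; the paths /etc/ssh and /home/ritaj, the 6-hour frequency and the ignore patterns are assumptions to adjust for your endpoint.

```xml
<!-- Example block for /var/ossec/etc/ossec.conf on a Linux agent (paths are assumptions) -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>

    <!-- scheduled scan every 6 hours, in seconds (default 43200 = 12 hours) -->
    <frequency>21600</frequency>

    <!-- real-time monitoring with content diffs: suited to small text config files -->
    <directories realtime="yes" report_changes="yes" check_all="yes">/etc/ssh</directories>

    <!-- who-data: real-time plus the user and process that made the change (needs auditd) -->
    <directories whodata="yes" check_all="yes">/home/ritaj</directories>

    <!-- exact path to exclude -->
    <ignore>/home/ritaj/.cache</ignore>

    <!-- pattern to exclude: editor swap, temp and backup files anywhere under the monitored trees -->
    <ignore type="sregex">.swp$|.tmp$|~$</ignore>
  </syscheck>
</ossec_config>
```

You can append this as an additional <ossec_config> block at the end of ossec.conf; Wazuh merges all <ossec_config> blocks in the file, so these directories entries are added to the ones already configured. Restart the agent (systemctl restart wazuh-agent), then create or edit a file under /home/ritaj and confirm that the resulting alert carries the audit user and process, and that a change in /etc/ssh shows the diff.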

Enabling Email Alerts:

Email alerts are configured on the Wazuh manager, not on the agents.

Edit the config file /var/ossec/etc/ossec.conf on the Wazuh manager and fill in the required fields (the X placeholders below stand for your SMTP server and addresses):

<ossec_config>
<global>
<email_notification>yes</email_notification>
<smtp_server>X</smtp_server>
<email_from>X@X</email_from>
<email_to>X@X</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>

<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
</ossec_config>

Only alerts at or above email_alert_level are emailed. The FIM rule for a modified file (rule 550) fires at level 7 by default, so with the values above every file change produces an email. If you raise email_alert_level above 7, FIM changes stop being mailed unless you also raise the level of the FIM rules, as described next. Restart the Wazuh manager (systemctl restart wazuh-manager) after changing this file.
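If you want FIM events delivered to a dedicated mailbox and sent immediately, a granular <email_alerts> block on the manager routes alerts by rule group. This is an added example, not the original article's configuration; the server and addresses are placeholders.

```xml
<!-- Example for /var/ossec/etc/ossec.conf on the Wazuh manager (addresses are placeholders) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>wazuh@example.com</email_from>
    <email_to>soc@example.com</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <!-- global threshold: keep it at or below the FIM rule level (7) so FIM alerts are not filtered here -->
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- granular routing: every alert in the syscheck group at level 7 or above goes to the FIM mailbox -->
  <email_alerts>
    <email_to>fim-alerts@example.com</email_to>
    <level>7</level>
    <group>syscheck</group>
    <!-- send at once instead of waiting to group several alerts into one mail -->
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

The global <email_to> still receives every alert above email_alert_level; the granular block adds a second delivery for the syscheck group only. Restart the manager with systemctl restart wazuh-manager and modify a monitored file to test the delivery.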

  • Follow these steps to change the FIM alert level:

The FIM rules live on the Wazuh manager in the shipped ruleset. You can read them there:

cd /var/ossec/ruleset/rules/
nano 0015-ossec_rules.xml

Do not edit this file in place: it is part of the ruleset that Wazuh replaces on upgrade, so the change would be lost. Override the rule from /var/ossec/etc/rules/local_rules.xml instead, keeping the same rule id. Rule 550 (integrity checksum changed) is level 7 by default:

<rule id="550" level="7">
<category>ossec</category>
<decoded_as>syscheck_integrity_changed</decoded_as>
<description>Integrity checksum changed.</description>
<mitre>
<id>T1565.001</id>
</mitre>
<group>syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2</group> <!-- the rest of the group list was cut off at the editor width in the listing -->
</rule>

Rules are evaluated on the manager, so restart the Wazuh manager (systemctl restart wazuh-manager), not the agent, to apply a rule change.
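The override that replaces the shipped level without touching the ruleset file, written as an added example for this guide (not the article's or the Wazuh project's own file). Level 10 and the shortened group list are illustrative choices; the group name "local,syscheck," is an assumption.

```xml
<!-- Example for /var/ossec/etc/rules/local_rules.xml on the Wazuh manager -->
<group name="local,syscheck,">
  <!-- same id as the shipped rule 550; overwrite="yes" replaces it, so
       /var/ossec/ruleset/rules/0015-ossec_rules.xml stays untouched and
       the change survives upgrades -->
  <rule id="550" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
    <mitre>
      <id>T1565.001</id>
    </mitre>
    <!-- group list shortened for the example; copy the full list from the shipped rule if you rely on the compliance tags -->
    <group>syscheck,syscheck_entry_modified,syscheck_file,</group>
  </rule>
</group>
```

The same pattern applies to rule 553 (file deleted, level 7 by default) and rule 554 (file added, level 5 by default) if deletions and new files should also reach the email threshold. Restart the Wazuh manager afterwards.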

2. Setting up FIM on a Windows endpoint:

The default configuration file of the Wazuh agent on Windows, located at C:\Program Files (x86)\ossec-agent\ossec.conf, includes the following FIM settings:

<!-- File integrity monitoring -->

<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<!-- Default files to be monitored. -->
<directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
<directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\\SysNative</directories>
<directories recursion_level="0">%WINDIR%\\SysNative\\drivers\\etc</directories>
<directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\\SysNative\\wbem</directories>
<directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\\SysNative\\WindowsPowerShell\\v1.0</directories>
<directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\\SysNative</directories>
</syscheck>

recursion_level limits how deep below the listed directory syscheck descends. Without the attribute, Wazuh follows subdirectories down to its default depth of 256 levels; the default Windows entries set it to 0 on purpose, so that only the named binaries directly in each folder are hashed. Here is a breakdown:

  • recursion_level="0": only files directly in the listed directory are monitored; subdirectories are not entered.
  • recursion_level="1": the listed directory and its immediate subdirectories are monitored, nothing deeper.
  • recursion_level="2": the listed directory, its immediate subdirectories and their subdirectories are monitored; files three levels down are not.

You can also directly view/edit the config file from the Wazuh agent UI:
View -> View Config

You can restart the agent service from the Wazuh agent UI:
Manage -> Restart

Example:

  • Monitor the directory C:\Users\rf.biri\Desktop:
<!-- File integrity monitoring -->

<syscheck>
<disabled>no</disabled>
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\rf.biri\Desktop</directories>
</syscheck>

Restart the Wazuh agent to apply any configuration change.

Example:

  • Testing the recursion_level attribute:
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<directories recursion_level="2" check_all="yes" report_changes="yes" realtime="yes">C:\Users\rf.biri\Desktop</directories>
</syscheck>

Results: with recursion_level="2", creating or changing a file directly in C:\Users\rf.biri\Desktop, in one of its subfolders, or in a subfolder of those raises a syscheck alert, while a file three or more folders deep produces none.

References:

https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/windows-registry-monitoring.html

https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/advanced-settings.html#who-data-monitoring
