Configuration file
Table of contents
Configure File Integrity Monitor
If you want to customize your installation and monitor custom folders in addition to the given ones. It is required to edit the config.yml
file located at C:\Program Files\File Integrity Monitor\config.yml
(Windows systems) or /etc/fim/config.yml
(Unix systems).
In the following sections, you could review each section and parameters to tune up your configuration as you require.
Advanced
The tag
Advanced
mentions parameters that could affect the FIM function, and it could break something. Be sure before changing some of these options.
Parameters
node
String
Default value: FIM
.
Define the event producer’s name.
This parameter will come on each event produced by the process.
-
events
Section
Handle event output parameters.
String
Default value:
Recommended
.Select the watcher type used to detect the events. Recommended will use the suggested watcher for each system. The poll option will use polling to get event changes (Recommended for Fargate/ECS/EKS environments).
The supported options are [Recommended, Poll].
String
Default value:
file
.It defines the destination of the events.
The supported options are [file, network, both].
String
Default value:
C:\ProgramData\fim\events.json
for Windows systems,/var/lib/fim/events.json
for Unix systems.Defines where the events will be stored.
It receives a system path, ex:
C:\Users\events.json
(Windows systems) or\home\events.json
(Unix systems).Integer
Advanced
Default value:
64
.Defines the maximum size of the file to get its hash (checksum) in megabytes.
To speed up hashing, decrease this value, minimum value
1
, and maximum value128
, more than that will increase the event processing time and CPU consumption.Integer
Advanced
Default value:
128
.Defines the maximum size of
events.json
file before being rotated.we recommend to maintain this value as default. Increasing it will allow to rotate the file less times. Decreasing it will increase the rotations of the file.
-
endpoint
Section
Handle network parameters.
String
Default value:
None
.It defines the IP/DNS of indexer software currently supported by indexers ElasticSearch, OpenSearch and Wazuh-indexer.
Format example:
0.0.0.0
for IP,indexer.example.com
for DNS.Boolean
Default value:
false
.It defines the trust of HTTPS certificates of the indexer endpoint.
-
credentials
Section
Handle endpoint access credentials. For ElasticSearch/OpenSearch FIM requires
user
andpassword
parameters. For Splunk FIM requires onlytoken
parameter.String
Default value:
None
.Defines the username credential to push events into the indexer endpoint.
String
Default value:
None
.Defines the password credential to push events into the indexer endpoint.
String
Default value:
None
.Store the Splunk HTTP event collector token to push events to Splunk indexer endpoint.
-
-
-
audit
Section
Keeps a list of files or directories to monitor. This section will use the Audit daemon engine with enhanced information.
Include as many elements as you require.
-
path
String
It defines the directory or files to monitor. It applies recursion.
Array
String
Allows to ignore files that match the given string inside its name.
Available formats Array or List. Consult the note at the end of the section.
Array
String
Set the allowed strings to trigger events, events in this path will trigger if the file contains any of configured strings.
Available formats Array or List. Consult the note at the end of the section.
Array
String
Set the excluded folders inside the Audit path given. Set a path outside of the Audit parent path will produce unexpected behaviour.
Available formats Array or List. Consult the note at the end of the section.
Array
String
Allows to define custom labels on each event produced at the given path.
String
Default value:
wax
.Allows to define custom Audit rule at the given path.
-
The
rule
parameter support the following characters in any order:
r
orR
, enable read events at the given path.w
orW
, enable write events at the given path.a
orA
, enable attributes change events at the given path.x
orX
, enable execution of code events at the given path.Examples of the format:
rwax
, to detect all kind of events (It could be noisy).wax
, default value to detect write, attribute change and execution.w
, value to detect directory write changes.
-
monitor
Section
Keeps a list of files or directories to monitor.
Include as many elements as you require.
-
path
String
It defines the directory or files to monitor. It applies recursion.
Array
String
Allows to ignore files that match the given string inside its name.
Available formats Array or List. Consult the note at the end of the section.
Array
String
Set the allowed strings to trigger events, events in this path will trigger if the file contains any of configured strings.
Available formats Array or List. Consult the note at the end of the section.
Array
String
Set the excluded folders inside the Monitor path given. Set a path outside of the Monitor parent path will produce unexpected behaviour.
Available formats Array or List. Consult the note at the end of the section.
Array
String
Allows to define custom labels on each event produced at the given path.
-
-
hashscanner
Section
Defines the current behaviour of file hash scans.
Hash scanner will take your primary engine config paths to be scanned. If you only have Audit paths defined Hash scanner will scan over those paths. If you only have Monitor paths defined Hash scanner will scan monitor section defined paths. If both engines are defined Hash scanner will select Audit (as usually is the critical one).
String
Default value:
C:\ProgramData\fim\fim.db
for Windows systems,/var/lib/fim/fim.db
for Unix systems.Defines where the hash database will be stored.
It receives a system path, ex:
C:\Users\events.json
(Windows systems) or\home\events.json
(Unix systems).Boolean
Default value:
true
.It defines whether the hash scanner thread starts or not.
Integer
Advanced
Default value:
60
.Defines the window interval to run hash scans, hashscanner thread will sleep the defined interval.
To speed up scans, decrease this value, minimum value
5
(not recommended for bigger paths more than 5.000 files), and suggested as maximum value1440
(24h), more than that will introduce security risks. This scan is not intended for real-time analysis for that matter you should use Monitor or Audit engine.String
Default value:
Sha256
.Allows to define hashing algoritmh applied to each file.
The
algorithm
parameter support the following values:
Sha224
orsha224
orSHA224
or224
, use Sha224 as hashing algorithm.Sha256
orsha256
orSHA256
or256
, use Sha256 as hashing algorithm.Sha384
orsha384
orSHA384
or384
, use Sha384 as hashing algorithm.Sha512
orsha512
orSHA512
or512
, use Sha512 as hashing algorithm.Keccak224
orkeccak224
orKECCAK224
orK224
, use Keccak224 as hashing algorithm.Keccak256
orkeccak256
orKECCAK256
orK256
, use Keccak256 as hashing algorithm.Keccak384
orkeccak384
orKECCAK384
orK384
, use Keccak384 as hashing algorithm.Keccak512
orkeccak512
orKECCAK512
orK512
, use Keccak512 as hashing algorithm.If
algorithm
is changed after FIM first scan (fim.db
file is present) you should removefim.db
file to avoid false positive events.Take into account that increasing the hash algorithm could lead to higher scan times so keep in mind the relation between interval and algorithm.
-
log
Section
It Keeps the configuration of logging output.
String
Default value:
C:\ProgramData\fim\fim.log
for Windows systems,/var/log/fim/fim.log
for Unix systems.Defines where the logs are stored.
String
Default value
info
.Defines the level of verbosity logged to the log file.
The supported options are [debug, info, error and warning].
Integer
Advanced
Default value:
64
.Defines the maximum size of
fim.log
file before being rotated.we recommend to maintain this value as default. Increasing it will allow to rotate the file less times. Decreasing it will increase the rotations of the file.
The
ignore
,allowed
andexclude
parameters has two different formats:- path: /tmp/dir ignore: [.txt, .tmp]
Or list variant:
- path: /tmp/dir ignore: - .txt - .tmp
The
labels
parameter has two different formats:- path: /tmp/dir labels: ["temp", "linux"]
Or list variant:
- path: /tmp/dir labels: - temp - linux
Example configuration
FIM comes with a ready-to-use configuration. You can tune up as you wish. Here you can see an example configuration:
Windows systems:
node: "FIM"
# Events configuration, where to store produced events
events:
watcher: Recommended
destination: both
file: C:\ProgramData\fim\events.json
max_file_checksum: 64
endpoint:
address: "https://127.0.0.1:9200"
insecure: true
credentials:
user: "admin"
password: "admin"
# Monitor folder or files.
monitor:
- path: C:\Program Files\
labels: ["Program Files", "windows"]
- path: C:\Users\
labels: ["Users", "windows"]
allowed: [".txt", ".doc"]
exclude:
- C:\Users\Temp
# App procedure and errors logging
log:
file: C:\ProgramData\fim\fim.log
# Available levels [debug, info, error, warning]
level: info
Linux systems:
node: "FIM"
# Events configuration, where to store produced events
events:
watcher: Recommended
destination: both
file: /var/lib/fim/events.json
max_file_checksum: 64
endpoint:
address: "https://127.0.0.1:9200"
insecure: true
credentials:
user: "admin"
password: "admin"
# Audit extended files and folders information
audit:
- path: /tmp
labels: ["tmp", "linux"]
ignore: [".swp"]
allowed: [ ".txt", ".odt" ]
# Simple files and folders information
monitor:
- path: /bin/
- path: /usr/bin/
labels: ["usr/bin", "linux"]
- path: /etc
labels: ["etc", "linux"]
exclude: [ "/etc/libvirt/qemu" ]
# App procedure and errors logging
log:
file: /var/log/fim/fim.log
# Available levels [debug, info, error, warning]
level: info
macOS systems:
node: "FIM"
# Events configuration, where to store produced events
events:
watcher: Recommended
destination: both
file: /var/lib/fim/events.json
max_file_checksum: 64
endpoint:
address: "https://127.0.0.1:9200"
insecure: true
credentials:
user: "admin"
password: "admin"
# Monitor files and folders.
monitor:
- path: /tmp/
- path: /bin/
- path: /usr/bin/
labels: ["usr/bin", "macos"]
- path: /etc
labels: ["etc", "macos"]
# App procedure and errors logging
log:
file: /var/log/fim/fim.log
# Available levels [debug, info, error, warning]
level: info