61. File Integrity Monitoring
File integrity monitoring (FIM) can be used to detect changes to files and directories. A file may be altered due to an update to a newer version, a security breach, or data corruption. File integrity monitoring helps an organization respond quickly and effectively to unexpected changes to files and is therefore a standard requirement for many regulatory compliance objectives.
- PCI-DSS - Payment Card Industry Data Security Standard (Requirement 11.5)
- SOX - Sarbanes-Oxley Act (Section 404)
- NERC CIP - NERC CIP Standard (CIP-010-2)
- FISMA - Federal Information Security Management Act (NIST SP800-53 Rev3)
- HIPAA - Health Insurance Portability and Accountability Act of 1996 (NIST Publication 800-66)
- SANS - SANS Critical Security Controls (Control 3)
NXLog can be configured to provide file (or Windows Registry) integrity monitoring. An event is generated for each detected modification. These events can then be used to generate alerts or be forwarded for storage and auditing.
There are various ways that monitoring can be implemented; these fall into two categories.
- Checksum Monitoring
  - The im_fim and im_regmon modules (available with NXLog Enterprise Edition only) provide monitoring based on cryptographic checksums. On the first run (when the file set or the registry is in a known secure state), a database of checksums is created. Subsequent scans are performed at regular intervals, and the checksums are compared against the database. When a change is detected, an event is generated.
  - The im_fim module is platform independent, available on all platforms supported by NXLog, and has no external dependencies. Similarly, the im_regmon module requires no configuration outside of NXLog to monitor the Windows Registry.
  - If there are multiple changes between two scans, only the cumulative effect is logged. For example, if a file is deleted and a new file is created in its place before the next scan occurs, a single modification event will be generated.
  - It is not possible to detect which user made a change, because the filesystem/registry does not record that information, and there may be multiple changes by different users between scans.
- Real-Time Monitoring
  - Files (and the Windows Registry) can also be monitored in real time with the help of kernel-level auditing, which does not require periodic scanning. This type of monitoring is platform specific.
  - Kernel-level monitoring usually provides better performance, especially for large file sets.
  - All events are logged; the granularity of reporting is not limited by a scan interval, because no scanning is involved.
  - Reported events may be very detailed, and usually include information about which user made the change.
See the following sections for details about setting up file integrity monitoring on various platforms.
61.1. Monitoring on Linux
Checksum monitoring on Linux can be configured with the im_fim module.
NXLog must have permission to read the files that are to be monitored. Run NXLog as root, make sure the nxlog user or group has permission to read the files, or change the user/group under which NXLog runs. See the User and Group directives.
This configuration uses im_fim to monitor a common set of system directories containing configuration, executables, and libraries. The RIPEMD-160 hash function is selected and the scan interval is set to 3,600 seconds (1 hour).
<Input fim>
    Module          im_fim
    File            "/bin/*"
    File            "/etc/*"
    File            "/lib/*"
    File            "/opt/nxlog/bin/*"
    File            "/opt/nxlog/lib/*"
    File            "/sbin/*"
    File            "/usr/bin/*"
    File            "/usr/sbin/*"
    Exclude         "/etc/hosts.deny"
    Exclude         "/etc/mtab"
    Digest          rmd160
    Recursive       TRUE
    ScanInterval    3600
</Input>
NXLog will report scan activity in its internal log.
2017-06-14 11:44:53 INFO Module 'fim': FIM scan started
2017-06-14 11:45:00 INFO Module 'fim': FIM scan finished in 7.24 seconds. Scanned folders: 833 Scanned files: 5081 Read file bytes: 379166339
The following is a sample event generated when a monitored file changes between two scans.
{
  "EventTime": "2017-06-14 11:57:33",
  "Hostname": "ubuntu-xenial",
  "EventType": "CHANGE",
  "Object": "FILE",
  "PrevFileName": "/etc/ld.so.cache",
  "PrevModificationTime": "2017-06-14 11:20:47",
  "FileName": "/etc/ld.so.cache",
  "ModificationTime": "2017-06-14 11:56:55",
  "PrevFileSize": 46298,
  "FileSize": 46971,
  "DigestName": "rmd160",
  "PrevDigest": "1dbe24a108c044153d8499f073274b7ad5507119",
  "Digest": "ec0bc108b7c9e5d9eafde9cb1407b91e618d24c4",
  "EventReceivedTime": "2017-06-14 11:57:33",
  "SourceModuleName": "fim",
  "SourceModuleType": "im_fim"
}
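To make the baseline-and-compare mechanism described under Checksum Monitoring concrete, the following Python script is an added illustration and not NXLog code: it scans a directory recursively, stores a digest database on the first run, rescans, and emits one event per created, changed or deleted file using the same field names as the im_fim sample event above. It also shows the cumulative-effect caveat (a file deleted and recreated before the next scan produces a single CHANGE event) and honours an exclusion list. The file names, the temporary directory standing in for /etc, and the use of SHA-256 instead of RIPEMD-160 (many hashlib builds lack rmd160) are assumptions of this example.

```python
"""Checksum-based file integrity monitoring in the style of NXLog's im_fim.

Added illustration, not NXLog's own code. Assumptions: SHA-256 instead of
RIPEMD-160, a constructed temporary directory in place of /etc, and a fixed
hostname label.
"""
import hashlib
import os
import tempfile
from datetime import datetime

DIGEST_NAME = "sha256"  # assumption; the configuration above uses rmd160


def file_digest(path, algo=DIGEST_NAME, chunk=65536):
    """Hash a file in fixed-size chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, exclude=()):
    """Recursive scan (Recursive TRUE): return {path: (size, mtime, digest)}."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if path in exclude or not os.path.isfile(path):
                continue  # honour Exclude; skip sockets, fifos and dangling links
            st = os.stat(path)
            db[path] = (st.st_size, int(st.st_mtime), file_digest(path))
    return db


def _ts(epoch):
    return datetime.fromtimestamp(epoch).strftime("%Y-%m-%d %H:%M:%S")


def compare(prev, cur, hostname="fim-host"):
    """Diff two scan databases and return im_fim-like events.

    Only the cumulative difference between the two scans is visible, so a
    file deleted and recreated between scans yields a single CHANGE event.
    A metadata-only change (same digest) is not reported by this example.
    """
    now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    events = []
    for path in sorted(set(prev) | set(cur)):
        ev = {"EventTime": now, "Hostname": hostname, "Object": "FILE",
              "DigestName": DIGEST_NAME}
        if path not in prev:
            size, mtime, digest = cur[path]
            ev.update(EventType="CREATE", FileName=path, FileSize=size,
                      ModificationTime=_ts(mtime), Digest=digest)
        elif path not in cur:
            size, mtime, digest = prev[path]
            ev.update(EventType="DELETE", PrevFileName=path, PrevFileSize=size,
                      PrevModificationTime=_ts(mtime), PrevDigest=digest)
        elif prev[path][2] != cur[path][2]:
            (psize, pmtime, pdigest), (size, mtime, digest) = prev[path], cur[path]
            ev.update(EventType="CHANGE", PrevFileName=path, FileName=path,
                      PrevModificationTime=_ts(pmtime), ModificationTime=_ts(mtime),
                      PrevFileSize=psize, FileSize=size,
                      PrevDigest=pdigest, Digest=digest)
        else:
            continue  # unchanged content: no event
        events.append(ev)
    return events


def demo():
    """Constructed scenario: a baseline, then several changes before the next scan."""
    with tempfile.TemporaryDirectory() as root:
        p = {n: os.path.join(root, n) for n in ("hosts", "ld.so.cache", "mtab", "passwd")}
        for path in p.values():
            with open(path, "w") as f:
                f.write("original " + os.path.basename(path) + "\n")
        excluded = {p["mtab"]}
        baseline = scan(root, exclude=excluded)      # first run: known-good state

        with open(p["ld.so.cache"], "a") as f:       # in-place modification
            f.write("one more library\n")
        os.remove(p["hosts"])                        # delete, then recreate ...
        with open(p["hosts"], "w") as f:             # ... before the next scan
            f.write("replaced hosts\n")
        with open(p["mtab"], "a") as f:              # excluded: never reported
            f.write("mount event\n")
        os.remove(p["passwd"])                       # removed file
        with open(os.path.join(root, "shadow"), "w") as f:  # new file
            f.write("new file\n")

        return compare(baseline, scan(root, exclude=excluded))


if __name__ == "__main__":
    import json
    for event in demo():
        print(json.dumps(event, indent=2))
```

Running the script prints four events: a CHANGE for hosts (the delete-and-recreate collapsed into one event), a CHANGE for ld.so.cache, a DELETE for passwd and a CREATE for shadow; the excluded mtab is never reported, and, as with im_fim, nothing in the event says which user made the change.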
See the Linux Audit System chapter for details about setting up kernel-level auditing. It is even possible to combine the im_fim and im_linuxaudit modules for redundant monitoring.
61.2. Monitoring on Windows
The im_fim module can be used on Windows for monitoring a file set.
This configuration monitors the program directories for changes. The scan interval is set to 1,800 seconds (30 minutes). The events generated by NXLog are similar to those shown in Using im_fim on Linux.
The Windows Registry can be monitored with the im_regmon module.
This configuration monitors all registry keys below the specified path. The keys are scanned every 60 seconds.
<Input registry>
    Module          im_regmon
    RegValue        'HKLM\Software\Policies\*'
    Recursive       TRUE
    ScanInterval    60
</Input>
NXLog will report scan activity in its internal log.
2018-01-31 04:01:12 INFO Module 'registry': Registry scan started
2018-01-31 04:01:12 INFO Module 'registry': Registry scan finished in 0.00 seconds. Scanned registry keys: 77 Scanned registry values: 48 Read value bytes: 2396
The following is a sample event generated when a monitored registry value changes between two scans.
{
  "EventTime": "2018-01-31 04:01:12",
  "Hostname": "WINAD",
  "EventType": "CHANGE",
  "RegistryValueName": "HKLM\\Software\\Policies\\Microsoft\\TPM\\OSManagedAuthLevel",
  "PrevValueSize": 4,
  "ValueSize": 4,
  "DigestName": "SHA1",
  "PrevDigest": "0aaf76f425c6e0f43a36197de768e67d9e035abb",
  "Digest": "3c585604e87f855973731fea83e21fab9392d2fc",
  "Severity": "WARNING",
  "SeverityValue": 3,
  "EventReceivedTime": "2018-01-31 04:01:12",
  "SourceModuleName": "registry",
  "SourceModuleType": "im_regmon",
  "MessageSourceAddress": "10.8.0.121"
}
Real-time monitoring can be implemented with Windows security auditing (see Security auditing on Microsoft Docs). Sysmon also implements file and registry monitoring with a system service and device driver; see the Sysmon chapter. In both cases, the generated events can be collected from the EventLog with the im_msvistalog module (see the Windows Event Log chapter).