What Is File Integrity Monitoring?
In an IT network, a file can range from a simple text file to a configuration script, and any change can compromise its integrity. A change to a single line of a 100-line script could break the entire file or even the operating system. For example, assigning the wrong IP address in a startup script or to a newly installed network printer could disrupt the network.
File integrity monitoring (FIM) solutions (also called integrity management) ensure that the files of a server, device, hypervisor, application, or other element in the IT infrastructure remain in a known good state, even in the face of inevitable changes to those files. Ideally, a FIM tool not only detects any change to a file, but also includes capabilities that help IT immediately remediate issues caused by improper change. The following sections describe the capabilities often available in file integrity monitoring solutions.
Establishes a Baseline
When IT deploys a new system/component into its technology infrastructure, it typically ensures the component is configured appropriately. A FIM solution captures the known good state of the entire system’s IT configuration settings when it is deployed — or when it has been configured with recommended settings — and uses this state as a baseline configuration against which the solution can compare a later configuration. This configuration state is referred to as a golden, compliance, or configuration baseline. A baseline-to-current-configuration comparison lets the solution immediately and automatically detect discrepancies caused by change.
Given the rapid deployment of virtual machines, an ideal file integrity monitoring solution would also include in the baseline the configurations of virtual environment elements. These elements include the physical server, hypervisor, each guest OS, and all applications and databases running on a guest OS.
Alerts and Notifies IT
When the solution detects change, IT needs to determine whether or not the integrity of a file has been compromised and whether the change requires immediate attention. IT should have the ability to specify which devices and files are critical — and therefore require high-level, immediate attention — versus those that do not. For example, the configuration file of an e-commerce site or a database populated with sensitive customer financial or medical data would warrant immediate attention, while configuration changes to non-critical systems could be given a “best effort” response.
Based on whether a system is viewed as critical or non-critical, the solution should be able to send alerts and notifications through a variety of methods to be sure the appropriate personnel receive them. For example, an email alert is worthless if the detected change disrupted email service. Other notification methods include an alert in the system tray, SNMP, CMD, SYSLOG, page, or an entry in a management console. Early detection enables the administrator to quickly make any necessary corrections before downstream effects become critical.
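As an added example (not from the guide or from Fortra's product), the following Python sketch shows the baseline-and-compare loop from "Establishes a Baseline" together with the criticality-based alert routing described above; the file names, the criticality map and the channel list are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # chunked read: large files are fine
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Capture the known-good state of every file under root: content hash plus permission bits."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): {"sha256": file_digest(p), "mode": p.stat().st_mode & 0o777}
            for p in sorted(base.rglob("*")) if p.is_file()}

def compare(baseline: dict, root: str) -> list:
    """Baseline-to-current comparison; returns (path, kind) with kind in added/deleted/modified."""
    current = build_baseline(root)
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            changes.append((rel, "deleted"))
        elif rel not in baseline:
            changes.append((rel, "added"))
        elif baseline[rel] != current[rel]:
            changes.append((rel, "modified"))
    return changes

def classify(changes: list, criticality: dict) -> list:
    """IT's criticality policy: critical files get immediate alerts on several channels, the rest best effort."""
    alerts = []
    for rel, kind in changes:
        critical = criticality.get(rel) == "critical"
        alerts.append({"path": rel, "change": kind,
                       "severity": "immediate" if critical else "best-effort",
                       "channels": ["syslog", "console", "page"] if critical else ["console"]})
    return alerts

def demo() -> list:
    """Constructed scenario: baseline a small tree, then change it the way the text describes."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "startup.sh").write_text("ip addr add 10.0.0.5/24 dev eth0\n")   # constructed sample
        (etc / "printer.conf").write_text("printer=lp0\n")
        baseline = build_baseline(root)
        (etc / "startup.sh").write_text("ip addr add 10.0.0.55/24 dev eth0\n")  # wrong IP in startup script
        (etc / "printer.conf").unlink()                                          # config removed
        (etc / "rogue.conf").write_text("unexpected\n")                          # unexpected new file
        return classify(compare(baseline, root), {"etc/startup.sh": "critical"})
```

Routing critical alerts to more than one channel is what keeps the "email alert is worthless if email is down" failure from hiding the change.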
Download your copy of the guide to learn about:
- What gets monitored
- A checklist of product requirements
- Integrity verification
- Operational requirements
- Security and control requirements
- Enterprise management integration requirements
- Reporting and alerting requirements
- Beyond FIM: Compliance policy management
- Fortra's unique approach to FIM