File Integrity Monitoring (FIM) is a critical security control that detects unauthorized changes to system files, configuration files, and application binaries. By creating hash-based baselines and comparing them over time, you can identify tampering, rootkit installations, and unauthorized configuration changes. This guide covers practical FIM implementation on Linux servers.
Why File Integrity Monitoring Matters
FIM addresses several critical security scenarios:
- Rootkit detection: rootkits modify system binaries; FIM detects the changes
- Configuration drift: unauthorized changes to /etc files are flagged immediately
- Compliance requirements: PCI DSS (Requirement 11.5), HIPAA, and SOC 2 all require FIM
- Incident response: FIM logs provide forensic evidence of what was changed and when
Hash-Based File Integrity Checking
The foundation of FIM is cryptographic hashing. SHA-256 is the standard choice:
# Hash a single file
sha256sum /etc/passwd
# Hash all regular files under a directory and save the result as a baseline
find /etc -type f -exec sha256sum {} \; > /root/baseline.txt
# Compare the current files with the baseline
# (reports modified and missing files; files added since the baseline are not detected)
sha256sum -c /root/baseline.txt
Creating and Managing Baselines
A baseline is a snapshot of known-good file states. Create baselines after system setup and after verified changes:
pip install dargslan-file-integrity
dargslan-fim baseline # Create baseline of critical files
dargslan-fim check # Compare current state with baseline
dargslan-fim report # Full integrity report
dargslan-fim hash /etc/passwd # Hash a specific file
The tool monitors critical system files by default: /etc/passwd, /etc/shadow, /etc/sudoers, /etc/ssh/sshd_config, and more.
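As an added example (not code from this page or from the dargslan tool), the following Python script implements the hash-based baseline and check workflow described in the two sections above: it records SHA-256 plus permission bits, owner and size for every file under a directory, then diffs two baselines and, unlike `sha256sum -c`, also reports newly created files. The `demo()` function builds a constructed scratch tree with stand-in `passwd` and `sudoers` files; all paths and contents in it are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record hash, size, permission bits and owner of every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip symlinks, sockets and devices; hash link targets separately
        st = path.stat()
        baseline[str(path.relative_to(root))] = {
            "sha256": hash_file(path), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),  # flags chmod changes (e.g. setuid) even if content is unchanged
            "uid": st.st_uid, "gid": st.st_gid,
        }
    return baseline

def compare(baseline, current):
    """Diff two baselines. Unlike `sha256sum -c`, newly created files are reported too."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for rel in sorted(set(baseline) & set(current)):
        fields = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if fields:
            changed.append((rel, fields))
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed example: baseline a scratch tree, alter it, and diff the result."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)  # stands in for /etc; contents below are made up
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "sudoers").write_text("root ALL=(ALL) ALL\n")
        baseline = build_baseline(etc)  # in production, store this copy off-box and read-only
        # Simulate unauthorized changes: an edited file, a new file and a deleted file
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/:/bin/sh\n")
        (etc / "unexpected.conf").write_text("x=1\n")
        (etc / "sudoers").unlink()
        return compare(baseline, build_baseline(etc))
```

Running `demo()` returns the edited `passwd` under `changed` (hash and size differ), `unexpected.conf` under `added`, and `sudoers` under `removed`.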
Critical Files to Monitor
- /etc/passwd, /etc/shadow, /etc/group: user account files
- /etc/sudoers, /etc/sudoers.d/: privilege escalation configuration
- /etc/ssh/sshd_config: SSH server configuration
- /etc/crontab, /var/spool/cron/: scheduled task configuration
- /boot/: kernel and bootloader files
- /usr/bin/, /usr/sbin/: system binaries (detect rootkit replacements)
Automated FIM with inotify
For real-time file change detection, combine hash-based FIM with Linux inotify:
# Watch for changes to critical files in real-time
inotifywait -m -r /etc /boot -e modify,create,delete,move --format "%T %w%f %e" --timefmt "%Y-%m-%d %H:%M:%S"
Enterprise FIM Solutions
For larger environments, consider dedicated FIM tools:
- AIDE (Advanced Intrusion Detection Environment): open source, rule-based FIM
- OSSEC/Wazuh: FIM as part of a broader HIDS solution
- Tripwire: enterprise FIM with policy management
- Samhain: stealth FIM with centralized logging
Best Practices
- Create baselines immediately after system provisioning
- Update baselines after every authorized change
- Store baseline hashes on a separate, read-only system
- Automate daily integrity checks with cron
- Alert on any unauthorized file modifications
- Include FIM in your incident response procedures