How does FIM work?
FIM monitors a predefined set of files/directories at a periodic interval. FIM identifies new, changed, malicious, and non-package installed files.
How does FIM Alert?
FIM creates an event for known malicious files. You can configure custom FIM rules to generate events for your specific requirements. For more information, see Use Policies.
What does FIM Monitor?
FIM monitors all binaries associated with processes that are associated with network connections and a predefined list of directories/files once a day.
What files/paths are included in the predefined list?
The default file paths/directories are:
"filepath": ["/usr/bin","/usr/sbin","/bin","/sbin","/etc", "/var/log/messages", "/var/log/syslog", "/var/log/auth.log", "/var/log/secure", "/var/www/logs/access_log", "/var/www/logs/error_log", "/var/log/maillog", "/var/log/xferlog", "/var/log/dpkg.log"]
The lookup is recursive, and users can change the default search paths in the agent config.json file.
What files does FIM ignore?
The default configuration also includes the following ignore list:
"fileignore": ["/etc/mtab","/etc/mnttab","/etc/hosts.deny","/etc/mail/statistics","/etc/random-seed","/etc/adjtime","/etc/httpd/logs","/etc/utmpx","/etc/wtmpx","/etc/cups/certs","/etc/dumpdates","/etc/svc/volatile"]
This configuration can also be changed in the config.json file.
What is the FIM scan interval?
The default is one scan per day. The interval was chosen to balance feature need with and CPU, memory and disk IO cost.
What kind of load is normal for the device, both the baseline and post-baseline monitoring?
The load depends on the number of files. The feature includes a throttling mechanism to ensure that it does not consume excessive CPU, memory, and disk I/O resources for an extended period of time.
What should we expect once we configure custom directories for FIM per the support site instructions?
You should expect FIM to monitor the custom directories configured once a day. The default directories will no longer be monitored.
How often does FIM send alerts?
The alerts are sent through the normal Lacework alerting model using UI or external integrations. The alerts are generated when the files are checked and it will be once a day for directories configured and once an hour for files associated with processes making long-running connections.
Are there any files that FIM currently does not monitor?
It monitors all the files in the directory and ignores files that are in the ignore list.
How does FIM work with processes which make connections?
FIM monitors the binary associated with processes that make long-running network connections
Does FIM work recursively and look at all the files in a directory?
Yes, FIM directory configuration is recursive.
Does FIM provide visibility on new, changed and removed files? Any other activity?
FIM provides visibility into new and changed files, files with multiple executables, files installed without packages, and malicious files.
How are the malicious files identified?
Lacework partners with a 3rd party and compare the SHA256 file hash to a list of known, malicious file hashes.
Can I configure the time of scan and the frequency of the scans?
Yes, you can configure both the scan frequency and start time. The default scan interval is once a day. The interval was chosen to balance feature need versus CPU, memory, and disk IO bandwidth cost.
Can I limit the CPU usage for the FIM?
The Lacework agent automatically throttles CPU, memory, and disk IO. The limits are configurable, but Lacework does not recommend changing them without Lacework involvement.
If a user specifies filepath and fileignore in config.json, are the default directories included or excluded?
The default configuration is ignored; it is not a merge operation.
Why do you include in your default directories paths such as /var/log/messages, which are constantly changing?
HIPAA and PCI requirements include monitoring log file changes because they want to ensure that these files are only appended and not overwritten.
On the dashboard, you can see many results of FIM changes. Won’t adding directories that change constantly decrease the value of the FIM dossier because there are so many events to filter through?
You can customize the directories that you want to monitor. Custom rules in the future will allow you to receive alerts for the files that really matter to your organization.
What is the increased load for each added custom FIM directory.?
The exact load depends on the number and size of files in the directories being monitored.
What kind of data from each file does FIM monitor and what is sent to Lacework?
Lacework does not look inside file contents and only sends the metadata and file hash.
Is any customer-specific data sent to Lacework?
The file contents are not examined by FIM or sent to Lacework.
How does Lacework choose the default directories to monitor?
Lacework reviewed the common directories used by multiple open source FIM solutions in Linux environments to define the list of directories.
Is there a memory consumption baseline? If new directories are added to the json file, what increases in memory consumption are expected?
There is a baseline that is stored in VM, which is updated when new directories are added or removed. There is no fixed cost. Memory consumption depends on the number of files and directories being monitored. To provide excessive resource use, Lacework has a throttling mechanism as described earlier.
Do FIM (filepath/fileignore) changes in config.json require an agent restart to take effect?
No, changes to config.json are auto read by the agent and do not require an agent restart to take effect.
How long should one expect until FIM reports an added directory or file?
The FIM scan is run once per day, so the time until you see a change depends on the time of the last scan.
Can you utilize variables/wild cards when configuring FIM in config.json?
No, wildcard or regex is not supported at this time.
Are directory paths recursive? For example, if '/etc' is included in config.json, will the scan include '/etc/nginx' ?
Yes, FIM directory configuration is recursive.