To navigate to the Files (FIM) dossier in the Lacework Console, click Workload > Files (FIM).
For more information about File Integrity Monitoring, see the following topics:
- For more information about filtering dossier data, see Workload Dossier Navigation and Filters.
- For frequently asked questions about File Integrity Monitoring, see Lacework File Integrity Monitoring [FIM] - FAQs.
- For instructions on changing default paths using the config.json file, see File Integrity Monitoring [FIM] and the File Integrity Monitoring (FIM) Properties section in Configure Agent Behavior in config.json File.
The FIM module is on by default and scans the following directories:
["/usr/bin", "/usr/sbin", "/bin", "/sbin", "/etc", "/var/log/messages", "/var/log/syslog", "/var/log/auth.log", "/var/log/secure", "/var/www/logs/access_log", "/var/www/logs/error_log", "/var/log/maillog", "/var/log/xferlog", "/var/log/dpkg.log"]
It ignores the following directories:
["/etc/mtab", "/etc/mnttab", "/etc/hosts.deny", "/etc/mail/statistics", "/etc/randomseed", "/etc/adjtime", "/etc/httpd/logs", "/etc/utmpx", "/etc/wtmpx", "/etc/cups/certs", "/etc/dumpdates", "/etc/svc/volatile"]
Known bad signatures, for example, eicar, are flagged. Each scan notes the last modified time and hash, and changes to those are flagged.
Charts
These charts aggregate data for all scanned files. Available charts present unique file hashes and executables, number of known bad files, number of files changed, etc.
Timeline
The timeline displays events that match the date/time filter and any specified optional parameter filters set at the top of the page.
List of Changed Files
This table displays files whose hash and/or timestamp has changed.
New Files
This table displays files not seen on the previous scan.
Known Bad Files
This table displays files that match malicious files from various threat sources based on a hash or on another signature.
Application Details from Bad Files
This table displays detailed information about bad files.
Command Line by File
This table displays the command line that was used to launch the process.
Package Installed Executables
This table displays files installed using the system’s package management system, typically apt-get or yum/rpm.
Non-Package Installed Executables
This table displays files installed outside of package management, either through a proprietary package, or by moving binaries into the executable path.
Executable Versions With Multiple Hashes
This table displays executable versions with multiple hashes.
File Hash Summary
This table displays file hash summary information.