Wazuh FIM Capability

File Integrity Monitoring (FIM) is an IT security control that monitors and detects file changes in computer systems. It helps organizations audit important files and system configurations by routinely scanning and verifying their integrity. Most information security standards mandate the use of FIM for businesses to ensure the integrity of their data.

IT security compliance involves adhering to applicable laws, policies, regulations, procedures, and standards issued by governments and regulatory bodies such as PCI DSS, ISO 27001, TSC, GDPR, and HIPAA. Failure to comply with these regulations can lead to severe consequences such as cyber breaches, confidential data loss, financial loss, and reputational damage. Therefore, organizations must prioritize adherence to IT regulations and standards to mitigate risks and safeguard their information systems effectively.

The rapid pace of technological advancement and a shortage of skilled cybersecurity professionals contribute to compliance difficulties. To effectively meet these regulations, businesses need to strategically plan, allocate resources to cybersecurity efforts, and thoroughly classify and protect their data assets.

Benefits of complying with cybersecurity standards

Compliance with cybersecurity regulations and standards is important for businesses of all sizes. These regulations require implementing specific cybersecurity measures, policies, and processes. By adhering to these standards, organizations ensure the transparency and integrity of their cybersecurity practices. Some benefits include:

  • It ensures that organizations have resilient backup and recovery procedures in place. This minimizes disruptions to business operations and maintains continuity during a cyber incident or disaster, as data stored in backup sites can be restored.
  • It provides a structured framework for managing risks across various business aspects. Organizations can reduce the costs associated with cybersecurity incidents and regulatory non-compliance by following established procedures and controls.
  • It safeguards an organization's reputation. Data breaches can significantly impact a company's reputation. Compliance helps protect against such breaches, thereby safeguarding the business's reputation.
  • It facilitates entry into regulated markets. In healthcare, finance, and retail sectors, it assures regulators that the firm's IT practices and systems meet the necessary standards.

The Wazuh FIM capability

Wazuh is an open source security solution that offers unified XDR and SIEM protection across several platforms. It protects workloads across on-premises, virtualized, cloud-based, and containerized environments to provide organizations with an effective approach to cybersecurity. Wazuh offers file integrity monitoring (FIM) as one of its capabilities; it also provides other capabilities, such as security configuration assessment and threat detection and response.

The Wazuh FIM capability ensures the following:

  • Real-time and scheduled file and directory monitoring.
  • Detection of unauthorized file changes.
  • Details about what or who made changes to data.

FIM, combined with other Wazuh capabilities such as malware detection, vulnerability detection, and Security Configuration Assessment (SCA), enhances threat detection, investigation, and remediation. These capabilities can help streamline your organization's security compliance efforts.

Ensuring regulatory compliance using the Wazuh FIM capability

Users can configure file integrity monitoring to meet the requirements of IT security compliance standards relevant to their organization. The Wazuh FIM can be configured to monitor file additions, deletions, and modifications to file content.

Keeping track of file changes within the organization helps system administrators and security analysts have organization-wide visibility of these changes and tackle security incidents promptly. Once configured, FIM events can be viewed on the Wazuh dashboard.

FIM events in the Wazuh dashboard

Monitoring file integrity and access

The Wazuh FIM capability runs a baseline scan and stores the cryptographic checksum and other attributes of monitored files. When a change is made to a monitored file, the FIM compares its checksum and attributes to the baseline. If any discrepancy is identified, an alert is triggered. The Wazuh file integrity monitoring capability also tracks details such as the process or user that modified a critical file and when the changes were made. Using the Wazuh FIM capability, organizations can ensure compliance with various sections of regulatory standards such as:

  • PCI DSS requirement 11.5.2
  • CM-3 of NIST 800-53
  • Article 5.1. (f) of GDPR
  • Workforce Security §164.308(a)(2) of HIPAA.
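The baseline-and-compare cycle described above can be modelled in a few lines. This is an added example, not Wazuh's own code: it is a simplified model that tracks only a SHA-256 checksum, size, owner, group and permissions, and the function names and the sample files are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(path):
    """Checksum plus the attributes that are compared on each scan."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "uid": st.st_uid,
            "gid": st.st_gid, "perm": stat.filemode(st.st_mode)}

def scan(root):
    """Map every regular file under root to its snapshot."""
    return {os.path.join(d, f): snapshot(os.path.join(d, f))
            for d, _dirs, files in os.walk(root) for f in files
            if os.path.isfile(os.path.join(d, f))}

def compare(baseline, current):
    """Report added, deleted and modified files relative to the baseline."""
    events = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            events.append((path, "added", []))
        elif new is None:
            events.append((path, "deleted", []))
        elif old != new:
            events.append((path, "modified",
                           sorted(k for k in old if old[k] != new[k])))
    return events

def demo():
    """Constructed sample tree: take a baseline, change files, rescan."""
    with tempfile.TemporaryDirectory() as root:
        kept, gone = os.path.join(root, "user.rules"), os.path.join(root, "old.rules")
        for path in (kept, gone):
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        os.chmod(kept, 0o640)
        baseline = scan(root)
        with open(kept, "a") as fh:
            fh.write("appended line\n")      # content and size change
        os.chmod(kept, 0o666)                # permission change
        os.remove(gone)                      # deletion
        with open(os.path.join(root, "new.rules"), "w") as fh:
            fh.write("x\n")                  # addition
        return [(os.path.basename(p), ev, attrs)
                for p, ev, attrs in compare(baseline, scan(root))]

if __name__ == "__main__":
    for event in demo():
        print(event)
```

The list of changed attributes is what lets an analyst tell a content edit (checksum and size) from a permission or ownership change on the same file.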

For example, we can configure the Wazuh FIM to monitor the SSH configuration file /etc/ssh/sshd_config on a Linux endpoint. Malicious actors often target the SSH configuration file to weaken security by changing port numbers or disabling strong ciphers. The Wazuh FIM can detect unauthorized modifications by monitoring changes to this file. The following configuration on a Wazuh agent sets the Wazuh FIM capability to monitor the /etc/ssh/sshd_config file on a monitored endpoint:


<syscheck>
    <directories>/etc/ssh/sshd_config</directories>
</syscheck>

The image below shows alerts triggered when alterations are made to the SSH configuration file.

Alert for modification of SSH configuration

Similarly, the /etc/ufw directory typically contains configuration files for UFW (Uncomplicated Firewall), a popular firewall application in Linux. These files define the rules determining which network traffic is allowed or blocked on your system. An attacker could modify the UFW rules to open ports typically closed by default, allowing unauthorized access to a system or internal network services.

We can configure the Wazuh FIM to monitor the /etc/ufw directory. This is configured by adding the configuration below in the agent configuration file on the monitored endpoint. We also enable the attribute whodata, which records the user that changes a monitored file.


<syscheck>
    <directories whodata="yes">/etc/ufw</directories>
</syscheck>

The image below shows alerts triggered when alterations are made to the UFW rule files.

Alert for modification of UFW rule files

The Wazuh FIM capability lets you see the user and process initiating the change. The image below shows this information.

Alert for user and process that modified UFW rules file
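The user and process details in these alerts can also be triaged outside the dashboard. The following is an added example, not part of the original article or of Wazuh: it assumes the field layout of Wazuh's JSON alert output (syscheck.path, syscheck.event, syscheck.audit.user.name, syscheck.audit.process.name), the sample alerts are constructed, and the allowlisted process path is hypothetical.

```python
import json

WATCHED_FILE = "/etc/ssh/sshd_config"      # monitored paths from this article
WATCHED_DIR = "/etc/ufw/"
EXPECTED_PROCESSES = {"/opt/cfgmgmt/bin/agent"}  # hypothetical change-management tool

# Constructed sample alerts, one JSON object per line.
SAMPLE_ALERTS = """\
{"agent":{"name":"web01"},"syscheck":{"path":"/etc/ufw/user.rules","event":"modified","audit":{"user":{"name":"root"},"process":{"name":"/usr/bin/nano"}}}}
{"agent":{"name":"web01"},"syscheck":{"path":"/etc/ufw/user.rules","event":"modified","audit":{"user":{"name":"root"},"process":{"name":"/opt/cfgmgmt/bin/agent"}}}}
{"agent":{"name":"web01"},"syscheck":{"path":"/etc/ssh/sshd_config","event":"modified"}}
{"agent":{"name":"web01"},"syscheck":{"path":"/var/log/app.log","event":"modified"}}
"""

def triage(lines):
    """Classify FIM alerts on the watched paths by who made the change."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        fim = alert.get("syscheck", {})
        path = fim.get("path", "")
        if path != WATCHED_FILE and not path.startswith(WATCHED_DIR):
            continue
        audit = fim.get("audit") or {}
        user = audit.get("user", {}).get("name")
        process = audit.get("process", {}).get("name")
        if not audit:
            verdict = "unattributed"   # no who-data: the change cannot be tied to a user
        elif process in EXPECTED_PROCESSES:
            verdict = "expected"
        else:
            verdict = "review"
        findings.append({"agent": alert.get("agent", {}).get("name"), "path": path,
                         "event": fim.get("event"), "user": user,
                         "process": process, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_ALERTS):
        print(finding)
```

The third sample alert comes back as "unattributed" because the /etc/ssh/sshd_config entry shown earlier does not set whodata, so its alerts carry no user or process to check.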

Benefits of using the Wazuh FIM for regulatory compliance

Wazuh provides file integrity monitoring capability to help achieve IT security compliance requirements and mitigate risks. Benefits of using the Wazuh FIM capability include:

  • Integrity checks: It calculates the cryptographic hashes of monitored files and compares them against their baseline to perform integrity checks, detecting modifications accurately. This ensures the integrity and security of sensitive data.
  • Audit trail: Organizations can use the capability to generate detailed reports and audit trails of file changes during audits. These reports are readily available when needed.
  • Threat detection: The Wazuh FIM, when combined with other capabilities like VirusTotal and YARA integration, is effective for detecting threats or malware dropped on monitored endpoints. By further using the Wazuh incident response capability, such detected threats are efficiently handled before damage is caused on the endpoint.
  • Centralized management: It provides centralized management and reporting capabilities that allow organizations to monitor FIM alerts and activities across different environments from a single dashboard.
  • Real-time alerts: It can provide real-time alerts for changes made to monitored files and directories. It also provides details on the user who made the change and the program name or process used. This helps security analysts promptly identify and respond to potential security incidents or compliance violations.
  • Cost-effectiveness: It is free to download and use, making it a cost-effective option for businesses, especially small and medium enterprises with budget constraints.

Conclusion

Wazuh is an open source security platform that offers free unified XDR and SIEM protection across several platforms. Wazuh also offers complementary capabilities, such as vulnerability detection, security configuration assessment, malware detection, and file integrity monitoring (FIM). Its FIM capability assists organizations in complying with some cybersecurity regulations. The other capabilities also contribute to meeting cybersecurity regulatory compliance requirements, safeguarding an organization's assets, and enhancing security posture.

Visit our website to learn more about Wazuh.
