File Integrity Monitoring (FIM)
What is File Integrity Monitoring (FIM)?
File Integrity Monitoring (FIM): A security control that detects unexpected changes to critical operating-system, application, and configuration files by comparing them to a known-good cryptographic baseline.
File Integrity Monitoring (FIM) maintains cryptographic hashes (SHA-256 or stronger) of sensitive files, registry keys, or configuration objects and alerts when their content or metadata changes outside of an approved change window. Classic implementations include Gene Kim's Tripwire (1992), AIDE, OSSEC, Wazuh, Samhain, and modern offerings from Trend Micro, Tenable, Qualys, Splunk and most EDR platforms. FIM is explicitly required by PCI DSS v4.0 requirement 11.5.2 (formerly 11.5), HIPAA, and SOX. Effective FIM defines a tight scope (system binaries, web roots, sudoers, /etc, registry hives, scheduled tasks), integrates with change management to suppress approved updates, and forwards events to a SIEM for correlation with EDR, identity logs, and threat intelligence.
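As an added illustration (not code from this page or from any of the products named above), the Python sketch below shows the baseline-and-compare loop that FIM implements: a SHA-256 plus ownership/permission/size fingerprint for each in-scope path, a comparison that classifies content, metadata, added and deleted changes, and suppression of changes that land inside an approved change window. The `demo` scenario, its file names and contents are constructed for the example.

```python
import hashlib, os, stat, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def fingerprint(path):
    """SHA-256 of the content plus the metadata a FIM baseline records."""
    st = os.stat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"sha256": digest, "mode": oct(stat.S_IMODE(st.st_mode)),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(scope):
    """Known-good snapshot of every in-scope path that currently exists."""
    return {p: fingerprint(p) for p in scope if os.path.isfile(p)}

def compare(baseline, current, approved_windows=(), now=None):
    """Diff two snapshots; a change seen inside an approved window is 'approved', not 'alert'."""
    now = now or datetime.now(timezone.utc)
    in_window = any(start <= now <= end for start, end in approved_windows)
    events = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None or after is None:
            kind, fields = ("added" if before is None else "deleted"), {}
        else:
            fields = {k: (before[k], after[k]) for k in before if before[k] != after[k]}
            if not fields:
                continue  # unchanged: hash and metadata both match the baseline
            kind = "content" if "sha256" in fields else "metadata"
        events.append({"path": path, "change": kind, "fields": fields,
                       "severity": "approved" if in_window else "alert"})
    return events

def demo(approved=False):
    """Constructed scenario: baseline a small scope, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        scope = [os.path.join(root, n) for n in ("crontab", "hosts", "rc.local", "sudoers")]
        crontab, hosts, rc_local, sudoers = scope
        for p in (crontab, hosts, sudoers):
            Path(p).write_bytes(b"# constructed sample content\n")
            os.chmod(p, 0o640)
        baseline = build_baseline(scope)
        Path(sudoers).write_bytes(b"# constructed sample content\n# extra line\n")  # content edited
        os.chmod(hosts, 0o666)                       # permissions loosened, content intact
        os.remove(crontab)                           # in-scope file deleted
        Path(rc_local).write_bytes(b"#!/bin/sh\n")  # new file appears inside the scope
        now = datetime.now(timezone.utc)
        windows = [(now - timedelta(hours=1), now + timedelta(hours=1))] if approved else []
        return compare(baseline, build_baseline(scope), windows, now)
```

A production agent would persist the baseline somewhere the monitored host cannot rewrite it and would forward each event to the SIEM rather than returning a list.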
● Examples
- 01. OSSEC alerting when /etc/sudoers is modified outside of an approved Ansible playbook run.
- 02. Tripwire Enterprise integrated with the change-management ticket system to flag unmatched changes to the web-server document root.
● Frequently asked questions
What is File Integrity Monitoring (FIM)?
A security control that detects unexpected changes to critical operating-system, application, and configuration files by comparing them to a known-good cryptographic baseline. It belongs to the Defense & Operations category of cybersecurity.
What does File Integrity Monitoring (FIM) mean?
A security control that detects unexpected changes to critical operating-system, application, and configuration files by comparing them to a known-good cryptographic baseline.
How does File Integrity Monitoring (FIM) work?
File Integrity Monitoring (FIM) maintains cryptographic hashes (SHA-256 or stronger) of sensitive files, registry keys, or configuration objects and alerts when their content or metadata changes outside of an approved change window. Classic implementations include Gene Kim's Tripwire (1992), AIDE, OSSEC, Wazuh, Samhain, and modern offerings from Trend Micro, Tenable, Qualys, Splunk and most EDR platforms. FIM is explicitly required by PCI DSS v4.0 requirement 11.5.2 (formerly 11.5), HIPAA, and SOX. Effective FIM defines a tight scope (system binaries, web roots, sudoers, /etc, registry hives, scheduled tasks), integrates with change management to suppress approved updates, and forwards events to a SIEM for correlation with EDR, identity logs, and threat intelligence.
How is File Integrity Monitoring (FIM) put into practice?
FIM is itself a defensive control. Deploying it effectively combines technical controls (cryptographic baselines, a tightly scoped set of monitored objects, event forwarding to a SIEM) with operational practices (change-management integration and approved change windows), as detailed in the full definition above.
What are other names for File Integrity Monitoring (FIM)?
Common alternative names include: FIM, Change detection, Tripwire-style monitoring.
● Related terms
- № 048 Anomaly-Based Detection (network-security)
A detection approach that builds a baseline of normal activity and flags deviations from it as potentially malicious.
- № 371 EDR (Endpoint Detection and Response) (defense-ops)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- № 807 PCI DSS (compliance)
A global information-security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council.
- № 949 Rootkit (malware)
Stealth malware that grants and hides privileged access to an operating system or device, evading detection by standard tools.
- № 524 Incident Response (forensics-ir)
The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- № 091 Behavioral Detection (defense-ops)
A detection approach that identifies malicious activity from the runtime behavior of processes, users, and network flows rather than from static file signatures.
● See also
- № 626 Log Aggregation
- № 769 OSSEC
- № 1225 Wazuh