File Integrity Monitoring on Bare Metal Servers
A file integrity monitoring server (FIM server) is a security tool that checks whether your important files have changed. It shows you when someone edits, deletes, or replaces a system file without permission. This matters because attackers usually change files after breaking into a system, for example by adding backdoors or web shells, or by modifying user accounts.
With a file integrity monitoring server, you can detect intrusions early, catch data tampering, and meet compliance requirements such as PCI DSS, NIST, and ISO standards.
If you host websites with PerLod Hosting, you already know how important server integrity is. We use the FIM system to keep customer data safe and secure 24/7.
Let’s dive into the guide steps.
How does a File Integrity Monitoring Server work?
File integrity monitoring compares your current files with a baseline: a snapshot taken when the system was known to be clean, storing a cryptographic hash (SHA-256, for example) of each file's content together with its size, permissions, owner, and timestamps. When a later scan finds that any of these differ, it raises an alert.
A FIM system usually covers system binaries and libraries, configuration directories such as /etc, application folders such as the web root, and security-sensitive files like /etc/passwd, /etc/shadow, and the SSH configuration.
The content hash is the part that matters most: an attacker can pad a file back to its original size and reset its timestamp with touch, but cannot produce the same SHA-256 for different content, so content, permissions, ownership, and timestamps are all recorded and compared together.
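To make the mechanism concrete, here is an added example (not from the original article, and not how AIDE or Tripwire are implemented internally) that performs the same baseline-and-compare cycle with sha256sum, stat, and awk on a constructed sample tree. The directory layout, file contents, and the simulated tampering are all made up for the demonstration; it assumes GNU coreutils on Linux.

```bash
#!/usr/bin/env sh
# Added example (not from the original article): the baseline-and-compare
# cycle that AIDE or Tripwire perform, reduced to sha256sum + stat + awk so
# the mechanism is visible. One record per regular file:
#   <sha256>TAB<mode uid gid>TAB<relative path>
# Assumes GNU coreutils (stat -c, sha256sum) and a readable tree.
set -eu

fim_snapshot() {
  # $1: directory to snapshot. Sorted so two snapshots line up.
  ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
      printf '%s\t%s\t%s\n' \
        "$(sha256sum "$f" | cut -d' ' -f1)" \
        "$(stat -c '%a %u %g' "$f")" \
        "$f"
    done )
}

fim_compare() {
  # $1: baseline snapshot, $2: current snapshot.
  # Prints ADDED / REMOVED / MODIFIED followed by the path, sorted.
  awk -F'\t' '
    FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }
    { cur[$3] = $1 " " $2 }
    END {
      for (p in cur)  if (!(p in base)) print "ADDED\t" p
      for (p in base) if (!(p in cur))  print "REMOVED\t" p
      for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED\t" p
    }' "$1" "$2" | sort
}

fim_demo() {
  # Constructed sample tree under a temp dir; nothing here touches real system files.
  root=$(mktemp -d)
  mkdir -p "$root/tree/etc/ssh" "$root/tree/var/www/html"
  printf 'PermitRootLogin no\n' > "$root/tree/etc/ssh/sshd_config"
  printf '<?php echo "hello";\n' > "$root/tree/var/www/html/index.php"
  printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/tree/etc/passwd"
  chmod 644 "$root/tree/etc/passwd"
  fim_snapshot "$root/tree" > "$root/baseline.tsv"

  # Simulated tampering after the baseline was taken
  printf 'PermitRootLogin yes\n' > "$root/tree/etc/ssh/sshd_config"          # content change
  chmod 666 "$root/tree/etc/passwd"                                          # permission change only
  printf '<?php // unexpected new file\n' > "$root/tree/var/www/html/shell.php"  # new file
  rm "$root/tree/var/www/html/index.php"                                     # deletion

  fim_snapshot "$root/tree" > "$root/current.tsv"
  fim_compare "$root/baseline.tsv" "$root/current.tsv"
  rm -rf "$root"
}

fim_demo
```

Run it as a script; the four lines it prints are the classic FIM findings: a new file in the web root, a permission-only change, a content change, and a deletion. The hash catches the sshd_config edit even though the file size barely moved, and the permission change is caught even though the content hash is unchanged. The modification time is deliberately left out of this record because it can be reset with touch; a real tool records it as one attribute among several, never as the sole signal.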
Main Components of a File Integrity Monitoring
A good file integrity monitoring server has four key components, including:
- Baseline manager: This takes a snapshot of your system files. For example, AIDE or Tripwire can do this.
- Change detector: It monitors changes in real time using Linux tools like auditd or inotify, or Windows tools like Sysmon.
- Collector or Agent: It sends change reports from your computers to the central FIM server, like Wazuh or OSSEC.
- Alerting or Response: This notifies you by email, dashboard, or SIEM system when suspicious file changes happen.
The best practice is to combine real-time monitoring like auditd, inotify, eBPF, or Sysmon with periodic baseline checks, including AIDE or Tripwire, and centralize alerts.
Choosing the Best Tools for File Integrity Monitoring
Here are the most common and recommended tools that you can use for a file integrity monitoring server:
1. For FIM Linux Servers, you can use:
- auditd: It tracks changes to files using kernel-level auditing.
- AIDE: Builds a baseline and checks for file changes.
- Wazuh or OSSEC: Central servers that collect and analyze logs from many machines.
2. For FIM Windows Servers, you can use:
- Sysmon (Sysinternals): Logs file creation (including overwrites), creation-time changes, and deletion; it does not log in-place content edits on its own.
- Windows Event Forwarding: Sends these logs to your file integrity monitoring server.
- Wazuh Agent: Cross-platform and easy to centralize alerts.
3. For FIM in Cloud and Containers: You can use Falco or AccuKnox, which work with cloud and Kubernetes environments. Both can use eBPF, an efficient Linux kernel feature, to observe file activity inside containers from the host kernel without an agent in each container.
File Integrity Monitoring Setup on Linux with auditd, AIDE, and Wazuh
At this point, you can protect your Linux servers from unauthorized changes with a multi-layered FIM system: auditd for real-time, kernel-level events that record who changed what, AIDE for periodic baseline checking that catches anything the real-time layer missed, and Wazuh to collect the events centrally and raise alerts. Together they detect file tampering and give you the context to respond to it.
On PerLod Hosting Linux Servers, you can install auditd and AIDE with a few simple commands to protect your clients’ files.
The steps below use Ubuntu or Debian as the example.
First, install the required packages with the following command:
sudo apt update
sudo apt install auditd audispd-plugins aide -y
auditd records file and process events from the kernel audit subsystem. AIDE creates a known-good baseline to compare against.
Then, you must create auditd rules to monitor files and directories. You can use auditctl (runtime) and audit.rules or /etc/audit/rules.d/ for persistent rules.
To watch a single file, like an SSH config file, for any writes or attribute changes, you can use this command:
sudo auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config_watch
To watch an entire directory tree like /etc, you can use:
sudo auditctl -w /etc -p wa -k etc_watch
A watch on a directory covers everything below it. Be aware that /etc as a whole is noisy (files such as /etc/mtab and /etc/resolv.conf change routinely), so on a busy server prefer watches on the specific subdirectories and files you care about.
To watch a web root like /var/www/html, including files being created, renamed, or deleted inside it (those operations write to the directory itself, so the same write watch catches them), you can use:
sudo auditctl -w /var/www/html -p wa -k webroot_watch
Explanation of flags used in the commands:
- -w means watch this path, which can be a file or a directory.
- -p wa means watch for write and attribute (permission, owner, timestamp) changes; r (read) and x (execute) are also available but generate far more events.
- -k adds a key, a name tag you can search for later.
Tip: Rules loaded with auditctl are lost on reboot. To make them permanent, put them in the /etc/audit/rules.d/fim.rules file. Open the file:
sudo nano /etc/audit/rules.d/fim.rules
Paste the rules in the file, one per line. After editing the file, load the new rule set (augenrules --load merges every file in rules.d and applies it; restarting auditd also reloads it, although some distributions mark the auditd unit as not manually stoppable, in which case use service auditd restart instead):
sudo systemctl restart auditd
Once the rule set is stable, end the file with -e 2. This makes the rules immutable until the next reboot, so an attacker who gains root cannot silently remove your watches.
Also, you can use the following command to list active rules:
sudo auditctl -l
The next step is to view logs and find changes. You can search events by the key. For example:
sudo ausearch -k sshd_config_watch
To summarise file-related events from the audit logs, you can use:
sudo aureport -f
To search by file path, you can use:
sudo ausearch -f /etc/ssh/sshd_config -i
ausearch and aureport are auditd tools that extract and summarise events; -i turns numeric uids, syscall numbers, and hex-encoded fields into readable names. In the output, auid is the original login user (it survives sudo and su), uid is the user at the moment of the change, exe is the program that made it, and the PATH records name the affected files. These are the fields to pivot on when triaging an alert.
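The raw records in /var/log/audit/audit.log are what ausearch works from, and each event is spread over several lines (SYSCALL, CWD, PATH, PROCTITLE) that share one msg=audit(timestamp:serial) identifier. The following added example (not from the original article, and not a replacement for ausearch) joins the SYSCALL and PATH records of each event with awk and prints the attribution fields just discussed, so you can see what an alert should carry. The log lines are constructed for the demonstration, not a real capture; the helper runs on any POSIX sh with awk.

```bash
#!/usr/bin/env sh
# Added example (not from the original article): join the SYSCALL and PATH
# records that auditd writes for one event and print the fields that matter
# for attribution. auid is the login user and survives sudo/su; uid is the
# effective user at the time of the write; 4294967295 means "unset" (a daemon
# that never logged in). Records with key=(null) matched no -k rule and are skipped.
set -eu

audit_triage() {
  awk '
    # fv(rec, k): value of the " k=..." field; handles quoted and unquoted values
    function fv(rec, k,    re, v) {
      re = " " k "="
      if (!match(rec, re)) return ""
      v = substr(rec, RSTART + RLENGTH)
      if (substr(v, 1, 1) == "\"") { v = substr(v, 2); sub(/".*/, "", v) }
      else { sub(/ .*/, "", v) }
      return v
    }
    # eid(rec): the "timestamp:serial" that ties the records of one event together
    function eid(rec,    v) {
      v = fv(rec, "msg"); sub(/^audit\(/, "", v); sub(/\).*$/, "", v); return v
    }
    $1 == "type=SYSCALL" {
      id = eid($0); k = fv($0, "key")
      if (k == "" || k == "(null)") next
      K[id] = k; AUID[id] = fv($0, "auid"); UID[id] = fv($0, "uid")
      COMM[id] = fv($0, "comm"); EXE[id] = fv($0, "exe"); OK[id] = fv($0, "success")
      ORDER[++n] = id
    }
    # PARENT items are the containing directory; NORMAL/CREATE/DELETE name the file.
    # name= may be relative to the CWD record; the constructed sample uses absolute paths.
    $1 == "type=PATH" && fv($0, "nametype") != "PARENT" {
      id = eid($0)
      if (id in K) P[id] = (P[id] == "" ? "" : P[id] ",") fv($0, "name") "(" fv($0, "nametype") ")"
    }
    END {
      for (i = 1; i <= n; i++) {
        id = ORDER[i]
        printf "%s key=%s auid=%s uid=%s comm=%s exe=%s success=%s path=%s\n",
               id, K[id], AUID[id], UID[id], COMM[id], EXE[id], OK[id], P[id]
      }
    }' "$@"
}

audit_demo() {
  # Constructed sample log in auditd raw format (not a real capture): an
  # interactive edit of sshd_config as root via sudo, a file dropped into the
  # web root by the PHP worker, a deletion in the web root, and one unkeyed
  # event that must be ignored.
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
type=SYSCALL msg=audit(1700000000.100:1001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5581 a2=241 a3=1b6 items=2 ppid=2000 pid=2010 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="sshd_config_watch"
type=CWD msg=audit(1700000000.100:1001): cwd="/root"
type=PATH msg=audit(1700000000.100:1001): item=0 name="/etc/ssh/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1700000000.100:1001): item=1 name="/etc/ssh/sshd_config" inode=132 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1700000000.200:1002): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7f10 a2=c1 a3=1b6 items=2 ppid=900 pid=951 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm8.2" exe="/usr/sbin/php-fpm8.2" subj=unconfined key="webroot_watch"
type=CWD msg=audit(1700000000.200:1002): cwd="/"
type=PATH msg=audit(1700000000.200:1002): item=0 name="/var/www/html/" inode=400 dev=fd:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1700000000.200:1002): item=1 name="/var/www/html/shell.php" inode=402 dev=fd:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1700000000.300:1003): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5581 a2=0 a3=0 items=2 ppid=2000 pid=2030 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="rm" exe="/usr/bin/rm" subj=unconfined key="webroot_watch"
type=CWD msg=audit(1700000000.300:1003): cwd="/root"
type=PATH msg=audit(1700000000.300:1003): item=0 name="/var/www/html/" inode=400 dev=fd:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1700000000.300:1003): item=1 name="/var/www/html/index.php" inode=401 dev=fd:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1700000000.400:1004): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2000 pid=2040 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="ls" exe="/usr/bin/ls" subj=unconfined key=(null)
EOF
  audit_triage "$tmp"
  rm -f "$tmp"
}

audit_demo
```

The second line of output is the interesting one: uid=33 (www-data) with auid unset and comm=php-fpm8.2 creating a new .php file in the web root is the signature of a web shell being dropped through the application, not of an administrator deploying code. The first and third lines show auid=1000 acting as uid=0, which is what a sudo session looks like, so the alert can be tied back to a real person. Running the same records through ausearch -i would additionally decode the syscall numbers (257 is openat, 263 is unlinkat) and the hex PROCTITLE field.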
Now you can create a file baseline with AIDE. Initialize the database with:
sudo aideinit
This builds a new database at the path set by database_out in the AIDE configuration, while checks compare against the path set by database. On Debian and Ubuntu, the defaults in /etc/aide/aide.conf are the uncompressed /var/lib/aide/aide.db.new and /var/lib/aide/aide.db, and aideinit offers to copy the new database into place for you. On distributions that use the gzipped names, move the freshly created database to the active name yourself:
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Next, run a check (add -c /etc/aide/aide.conf if your build does not pick up the configuration by default):
sudo aide --check
If files have changed, AIDE lists them and shows which attribute differs (content hash, permissions, owner, size, or timestamps). Schedule the check to run automatically every night with a cron job or systemd timer, and review every reported change before you accept it into a new baseline. Keep a copy of the baseline database off the host or on read-only media: an attacker with root can run aideinit themselves and replace the baseline so that their changes look clean on the next check.
The final step is optional but recommended. Send the events to a central file integrity monitoring server so that an attacker who compromises one host cannot also erase the evidence. First, install the Wazuh agent and connect it to your Wazuh manager.
In /var/ossec/etc/ossec.conf, enable the FIM module (the syscheck section) and define which directories to monitor. The Wazuh manager collects the events, analyzes them, and shows alerts in its dashboard.
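As an added example (not from the original article), here is a syscheck configuration for the agent's ossec.conf using Wazuh 4.x syntax. The directory list is chosen for illustration to match the auditd watches above; adjust it to your own hosts. realtime="yes" uses inotify to report changes as they happen, whodata="yes" uses the Linux audit subsystem to add the user and process that made the change, and report_changes="yes" stores a diff of text files so the alert shows what changed, not just that something did.

```xml
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- Scheduled full scan every 12 hours; realtime and whodata watches fire in between. -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <alert_new_files>yes</alert_new_files>

    <!-- Security-sensitive configuration: record who made the change via auditd. -->
    <directories check_all="yes" whodata="yes">/etc/ssh,/etc/sudoers.d,/etc/cron.d</directories>

    <!-- Web root: instant alerts plus a diff of the modified file. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/var/www/html</directories>

    <!-- System binaries: a changed hash here is almost always a rootkit or trojaned tool. -->
    <directories check_all="yes" realtime="yes">/usr/bin,/usr/sbin</directories>

    <!-- Files that change routinely and would only generate noise. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">.log$|.swp$|.tmp$</ignore>
  </syscheck>
</ossec_config>
```

After editing the file, restart the agent (sudo systemctl restart wazuh-agent) and confirm in the manager's dashboard that syscheck events are arriving from the host before relying on it.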
File Integrity Monitoring Setup on Windows with Sysmon and Windows Event Forwarding
For securing a Windows environment, you can set up a powerful FIM system using Sysmon for detailed, real-time change logging and Windows Event Forwarding (WEF) to centralize those logs for analysis and alerting.
First, download Sysmon from Microsoft Sysinternals and install it with a config file. For example, from PowerShell, install Sysmon to capture FileCreate and FileCreateTime:
.\Sysmon64.exe -accepteula -i sysmon-config.xml
Here is an example sysmon-config.xml that logs every FileCreateTime, FileCreate, and FileDelete event. The rule blocks use onmatch="exclude" with nothing inside them: an empty exclude block logs everything of that type, whereas an empty onmatch="include" block logs nothing at all, which is an easy way to deploy a Sysmon config that silently records no file events.
<Sysmon schemaversion="4.82">
  <EventFiltering>
    <!-- An empty onmatch="exclude" block logs every event of that type;
         an empty onmatch="include" block would log nothing at all. -->
    <FileCreateTime onmatch="exclude"/>
    <FileCreate onmatch="exclude"/>
    <FileDelete onmatch="exclude"/>
  </EventFiltering>
</Sysmon>
Logging every file creation on a busy server is noisy. In production, switch the blocks to onmatch="include" and add TargetFilename rules for the paths you care about, such as the web root and the Windows system directory.
Then forward the Sysmon events (the Microsoft-Windows-Sysmon/Operational log) to your collector with Windows Event Forwarding, and from there to your SIEM or Wazuh manager.
Note: Sysmon records file creation (event ID 11, which also fires when an existing file is overwritten), creation-time changes (event ID 2, a common anti-forensics trick), and deletion (event ID 23, plus event ID 26 in newer versions). It does not log read access, and it does not log in-place edits that modify a file's content without recreating it. For full change detection of existing files on Windows, pair it with the Wazuh agent's FIM module or with Windows object-access auditing.
File Integrity Monitoring Containers and Cloud Servers
In container systems, files change quickly because containers start and stop often. A baseline tool on the host is of little use here: a container's writable layer sits in an opaque overlay directory on the host and is discarded when the container exits, so malware written into a container that disappears minutes later never matches a baseline and leaves no file behind to scan. Use kernel-level, real-time tools such as Falco or AccuKnox to detect writes as they happen, run containers from immutable images with a read-only root filesystem so that unexpected writes fail or stand out, and protect the image registry and build pipeline so that integrity holds across the entire application lifecycle.
How to Reduce False Alerts in FIM Systems?
Too many alerts can hide real problems. Here’s how to keep your file integrity monitoring servers clean:
- Create a new baseline after updates or patches, but only after reviewing the reported differences, so you do not bake an attacker's change into the baseline.
- Exclude directories that change constantly, like /var/log and /tmp, and put high-churn application data on its own rules.
- Mark known automated changes, such as package manager and log rotation activity, as expected.
- Group similar alerts together to avoid alert storms, for example one alert per deployment rather than one per file.
This makes your file integrity monitoring server easier to manage.
FAQs
What does a FIM system do?
It checks if system files have been changed, deleted, or replaced without permission.
Will the FIM system slow down my server?
Not noticeably, if you watch a focused set of paths. Kernel audit watches on very large trees and realtime agents on busy directories do add overhead, and a full AIDE scan is disk-heavy, so schedule it off-peak.
How often should we check files with AIDE?
It is best to do it once daily or after every big update.
Conclusion
A file integrity monitoring server is one of the most effective ways to detect changes early. It monitors your essential files and alerts you the moment something changes. It is recommended to start small by monitoring key files or your web root, then expand it. Tools like auditd, AIDE, Wazuh, and Sysmon will help you with FIM systems.
With the right setup, your FIM system will act as your system’s silent guardian, always watching and ready to alert you.