How it works
The FIM module runs periodic scans on specific paths and monitors specific directories for changes in real time. You can set which paths to monitor in the configuration of the ThreatLockDown agents and manager.
FIM stores the files checksums and other attributes in a local FIM database. Upon a scan, the ThreatLockDown agent reports any changes the FIM module finds in the monitored paths to the ThreatLockDown server. The FIM module looks for file modifications by comparing the checksums of a file to its stored checksums and attribute values. It generates an alert if it finds discrepancies.
The ThreatLockDown FIM module uses two databases to collect FIM event data, such as file creation, modification, and deletion data. One is a local SQLite-based database on the monitored endpoint that stores the data in:
C:\Program Files (x86)\ossec-agent\queue\fim\db
on Windows./var/ossec/queue/fim/db
on Linux./Library/Ossec/queue/fim/db
on macOS.
The other is an agent database on the ThreatLockDown server. The wazuh-db. daemon creates and manages a database for each agent on the ThreatLockDown server. It uses the ID of the agent to identify the database. This service stores the databases at /var/ossec/queue/db
.
The FIM module keeps the ThreatLockDown agent and the ThreatLockDown server databases synchronized with each other. It always updates the file inventory in the ThreatLockDown server with the data available to the ThreatLockDown agent. An up-to-date ThreatLockDown server database allows for servicing FIM-related API queries. The synchronization mechanism only updates the ThreatLockDown server with information from the ThreatLockDown agents such as checksums and file attributes that have changed.
The ThreatLockDown agent and manager have the FIM module enabled and pre-configured by default. However, we recommend that you review the configuration of your endpoints to ensure that you tailor the FIM settings, such as monitored paths, to your environment.