How to configure the FIM module
The FIM module runs scans on Windows, Linux, and macOS operating systems. There are both global settings and settings that are specific to the operating system of the endpoint. We discuss these settings and the supported operating systems in the Basic settings section of this guide.
You must specify the directories where the FIM module monitors the creation, modification, and deletion of files, or configure the specific files you need to monitor. You can specify the files or directories to monitor in the ThreatLockDown server and ThreatLockDown agent configuration files. You can also configure this capability remotely using the centralized configuration file.
You set the files and directories to monitor with the directories option. You can include multiple files and directories as comma-separated entries or as entries on multiple lines. You can configure FIM directories using the * and ? wildcards in the same way you would use them in a shell or Command Prompt (cmd) terminal. For example, C:\Users\*\Downloads.
Any time the FIM module runs a scan, it triggers alerts if it finds modified files, with the alert content depending on which file attributes changed. You can view these alerts in the ThreatLockDown dashboard.
Below, you can see how to configure the FIM module to monitor a file and a directory. Replace FILEPATH/OF/MONITORED/FILE and FILEPATH/OF/MONITORED/DIRECTORY with your own filepaths.
Add the following settings to the ThreatLockDown agent configuration file, replacing the directories values with your own filepaths:
Linux:
/var/ossec/etc/ossec.conf
Windows:
C:\Program Files (x86)\ossec-agent\ossec.conf
macOS:
/Library/Ossec/etc/ossec.conf
<syscheck>
  <directories>FILEPATH/OF/MONITORED/FILE</directories>
  <directories>FILEPATH/OF/MONITORED/DIRECTORY</directories>
</syscheck>
Restart the ThreatLockDown agent with administrator privilege to apply any configuration change:
Linux:
systemctl restart wazuh-agent
Windows:
Restart-Service -Name wazuh
macOS:
/Library/Ossec/bin/wazuh-control restart
Note
If you specify a directory both in a centralized configuration and on the configuration file of the ThreatLockDown agent, the centralized configuration takes precedence and overrides the local configuration.
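As an added illustration (not ThreatLockDown's own code), the script below parses a constructed <syscheck> block, splits comma-separated directories entries, and expands the * and ? wildcards against a temporary directory tree built inline, so you can see which paths a configuration like the one above would actually resolve to before you deploy it. It assumes that shell-style globbing (Python's glob module) approximates the agent's wildcard expansion.

```python
import glob
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a <syscheck> block; {root} is filled with a temp dir at run time.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <directories>{root}/etc/passwd, {root}/etc/ssh</directories>
    <directories>{root}/home/*/Downloads</directories>
  </syscheck>
</ossec_config>"""


def parse_directories(conf_text):
    """Return every <directories> entry, split on commas and stripped of whitespace."""
    root = ET.fromstring(conf_text)
    entries = []
    for node in root.iter("directories"):
        for item in (node.text or "").split(","):
            item = item.strip()
            if item:
                entries.append(item)
    return entries


def expand_entries(entries):
    """Resolve * and ? wildcards like a shell glob (assumption); literal paths pass through."""
    resolved = []
    for entry in entries:
        if any(ch in entry for ch in "*?"):
            resolved.extend(sorted(glob.glob(entry)))
        else:
            resolved.append(entry)
    return resolved


def demo():
    """Build a constructed tree, then return the monitored paths relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("etc/ssh", "home/alice/Downloads", "home/bob/Downloads", "home/carol"):
            os.makedirs(os.path.join(tmp, rel))
        open(os.path.join(tmp, "etc", "passwd"), "w").close()
        entries = parse_directories(SAMPLE_CONF.format(root=tmp))
        # carol has no Downloads folder, so the wildcard entry must not match her home.
        return [os.path.relpath(p, tmp) for p in expand_entries(entries)]


if __name__ == "__main__":
    for path in demo():
        print(path)
```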