Reporting file changes

Use case description

Endpoint	Description
Ubuntu 20.04	The FIM module monitors a directory on this endpoint for file changes. It reports the exact changes made to a specified file and hides the changes made to an excluded file.

Configuration

Perform the following steps to configure the FIM module to report changes made to a file. The configuration reports changes made to files in /appfolder except for the private-file.conf file.

1. Edit the /var/ossec/etc/ossec.conf configuration file and add the configuration below. This sets /appfolder for monitoring and makes an exception in reporting changes for /appfolder/private-file.conf using nodiff:

   <syscheck>
     <directories realtime="yes" report_changes="yes">/appfolder</directories>
     <nodiff>/appfolder/private-file.conf</nodiff>
   </syscheck>
   

2. Restart the ThreatLockDown agent to apply the configuration changes:

   systemctl restart wazuh-agent
   

Test the configuration

1. Create a directory /appfolder and the files appreport.conf and private-file.conf in the directory:

   # mkdir /appfolder && touch /appfolder/appreport.conf && touch /appfolder/private-file.conf
   

2. Add the value I added this text to the appreport.conf and private-file.conf files:

   echo “I added this text” | tee /appfolder/appreport.conf /appfolder/private-file.conf
   

Visualize the alert

Navigate to File Integrity Monitoring on the ThreatLockDown dashboard to view the alert. You can find four alerts related to the monitored directory.

Expand the alert for the appreport.conf file with rule.id:550 to find information about the changes made to the file. In the image below, under the syscheck.diff field, you see the content added to the file.

Expand the alert for the private-file.conf file with rule.id:550 to search for information about the changes made to the file. In the image below, under the syscheck.diff field, you see that FIM doesn’t report the content added to the file.