In cybersecurity, file integrity refers to the prevention of file contents being deleted or changed without proper authorization. File integrity monitoring (FIM) involves inventorying all files to both monitor for and prevent any undue changes. As companies grow, so do their digital inventories, which makes FIM more challenging at scale. Many companies consider open source FIM tools to make the process more manageable, without the exorbitant costs of more robust, paid options.
What is Open Source File Integrity Monitoring?
There are two primary considerations for companies unsure of what open source file integrity monitoring is and whether they should start using an open source (or paid) FIM solution:
- What is file integrity monitoring, and what different kinds of FIM tools are available?
- Do file integrity monitoring open source tools offer unique—or better—functionality compared to paid FIM tools?
In addition to dedicated FIM tools, organizations may achieve similar oversight capabilities via professional, managed solutions.
File Integrity Monitoring: Primary Functionality
File integrity monitoring is the process of inventorying all files’ contents and characteristics, then monitoring for changes made to them. The primary goal is ensuring all changes and deletions made are appropriate and authorized. Most FIM tools, whether open source or paid, accomplish this by establishing a baseline “norm” of how files should be, per the company’s unique needs.
FIM tools then scan for, report, and control any deviations from the established baselines.
File integrity monitoring may scan files for any changes or focus on a specific category of data within files. For example, personally identifiable information (PII) and credit cards’ primary account numbers (PAN) are categories companies may prioritize within their files. If so, they may utilize a PII scanner tool as their primary FIM solution. Alternatively, they may scan for PII separately from their system-wide FIM.
Agent-based and Agentless File Integrity Monitoring
There are many kinds of FIM solutions available, but most fall into one of two categories:
- Agent-based systems – These rely on programs installed throughout an IT infrastructure, particularly on individual host endpoints that communicate back to a central hub.
- Agentless systems – These rely on sending centralized commands to scan servers and endpoint devices.
Agent-based systems tend to offer much more robust file monitoring capabilities. An agent is installed on all hosts, which then allows for real-time monitoring. The agent captures critical information about changes as they occur, notifying a central hub immediately. However, this kind of FIM system can be resource-intensive, requiring the upkeep of all the installed agents.
In contrast, an agentless FIM solution offers scaled-down insights, often at a much lower cost and easier overall management. Agentless FIM tools operate on a polling system. FIM scans happen at regular intervals, such as once per day. One critical downside is that changes may not be detected for a whole day if they occur immediately after a recently completed scan.
Standalone and Integrated File Integrity Monitoring
Another aspect that distinguishes most FIM tools is whether they operate standalone or integrate with other cybersecurity systems. A standalone solution offers FIM capabilities exclusive of any other functionality. These tend to be less common than integrated solutions, especially in the realm of open source FIM.
Integrated FIM usually refers to a broader detection system that includes FIM within its scanning capacities. In most cases, the broader program is an intrusion management system, such as a host-based intrusion detection system (HIDS). As we’ll get into below, many of the premier open source FIM tools available are either part of, or work together with, a robust HIDS program.
Integrated and standalone FIM solutions can be either agent-based or agentless, but companies that opt for integrated tools may find more value in their more streamlined, consolidated monitoring.
Is Open Source File Integrity Monitoring Functionality Unique?
In general, open source software is not categorically different from enterprise software in any meaningful way besides its pricing and accessibility. The open source designation merely means that it’s available for the public to use and, in some cases, modify.
Most open source software is available either totally free of charge or via so-called “freemium” models wherein users “pay” for software by making their data available for collection or being subject to advertising.
With respect to file integrity monitoring specifically, some qualities are not inherent to open source software but are nonetheless common among open source FIM tools. For example, many open source FIM suites support only select operating systems, such as Linux. In addition, some providers offer limited scanning abilities in the free (open source) tier but greater functionality at paid tiers.
Open Source vs. Paid File Integrity Monitoring Tools
A direct comparison with managed or paid (non-open source) alternatives offers the best understanding of open source file integrity monitoring. Paid FIM tools and solutions often provide more robust functionality than their open source counterparts. In some cases, managed FIM solutions are more focused, offering FIM exclusively rather than FIM as an add-on feature. In other cases, paid FIM solutions are more robust, fuller versions of open source trial services.
However, implementing managed FIM tools generally comes with a high cost burden, both for purchasing the software required and integrating it into your systems. Still, open source FIM can incur costs, even though the programs themselves are free—internal or outsourced management can drain your resources, and lacking system integration may require other software purchases or onboarding.
Why Use File Integrity Monitoring Open Source Tools?
For some companies, the cost-saving benefits of open source tools may outweigh the more robust functionality of managed options. For others, premium features and integration across their systems will provide more value. Either may be viable for your company if it needs FIM.
Companies also need to determine whether they need a FIM solution in the first place, open source or paid. One big determinant is regulatory compliance, which may directly require FIM:
- Payment Card Industry (PCI) Data Security Standard (DSS) Requirement 11.5 explicitly calls for a “change detection mechanism” and names FIM tools as one solution.
- In the Health Insurance Portability and Accountability Act of 1996 (HIPAA), integrity for all protected health information (PHI) files is a core requirement of the Security Rule.
These requirements apply to companies that accept credit card payments and those within the healthcare industry, respectively. Other companies may need FIM to satisfy client demands and cybersecurity expectations. For companies who need FIM but have scarce resources, open source might be the best approach.
Top Open Source File Integrity Monitoring Solutions
Companies seeking an open source FIM solution will find a wide variety of options; most of these are agent-based, integrated, and tied to specific operating systems. Three of the best include:
- Samhain
- OSSEC Syscheck
- Tripwire Open Source
All of these systems combine file integrity monitoring with intrusion detection functionality.
Samhain: Centralized Open Source FIM and HIDS System
Samhain Labs bills its open source project, Samhain, as a “file integrity monitoring / host-based intrusion detection system.” This is unique in that it prioritizes the FIM functionality rather than the HIDS aspect. Other standout features include its centralized control hub, complete with a web-based management console and built-in stealth features to avoid tampering and leaks.
Samhain runs exclusively on POSIX systems such as Linux and Unix; a workaround for using it on Windows-based systems is available through emulation layers such as Cygwin. A significant value proposition is installation ease and management simplicity, provided that the supporting components (MySQL, etc.) are up and running. Samhain is also optimized for PCI compliance, per the Samhain factsheet.
OSSEC: Powerful Open Source HIDS With FIM Capabilities
OSSEC is a host-based intrusion detection system first and foremost; its FIM capability is delivered via a service called Syscheck. The solution offers unparalleled scalability for an open source client, along with a massive, active community of contributors that conduct continual optimization efforts.
One major characteristic that separates OSSEC from many other open source FIM tools is that it can function on Windows via agent-based installation. In addition, it integrates malware and rootkit detection, along with real-time incident response, making it one of the most robust services available.
Tripwire: Encrypted Open Source Change Log and FIM Tool
Another prominent FIM solution is the free service suite available from HIDS innovator Tripwire. Tripwire’s primary offering is its paid HIDS tool. It also offers an open source variety similar to Samhain and OSSEC—publicly available via the Tripwire Open Source repository on GitHub.
Tripwire Open Source works by creating an encrypted baseline of all files, then running periodic scans to detect any changes within them. Rather than comparing full file contents on every scan, it records cryptographic hashes, which act as compact fingerprints of each file’s contents, and compares those to assess integrity while reducing resource consumption.
However, this FIM client cannot produce real-time insights into changes as they occur, nor can it detect intrusions from before its installation. Also, Tripwire Open Source only functions on Linux-based OS, although the full enterprise version does work with Windows.
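The baseline-then-compare cycle described in “File Integrity Monitoring: Primary Functionality” and in the Tripwire section above, as an added illustration that is not code from Samhain, OSSEC or Tripwire. It hashes every regular file under a directory, records the metadata a FIM tool typically watches, and reports added, deleted and modified files on a rescan; the directory contents and the tampering in `demo()` are constructed for the example.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

# Added example, not code from any FIM product named on this page. Each record
# holds a SHA-256 of the contents plus permission bits, owner, size and mtime.

def fingerprint(path: Path) -> dict:
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size, "mtime": int(st.st_mtime)}

def build_baseline(root: Path) -> dict:
    """Inventory every regular file under root; symlinks are skipped."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> dict:
    """Deviations from the baseline: added, deleted and modified files
    (for modified files, the list of attributes that differ)."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
        if changed:
            modified[name] = changed
    return {"added": added, "deleted": deleted, "modified": modified}

def demo() -> dict:
    """Constructed scenario: baseline a directory, alter it, then rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        # In a real deployment the baseline is stored outside the monitored
        # tree and protected, or an intruder can re-baseline their own changes.
        baseline = build_baseline(root)
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "newfile.conf").write_text("option=1\n")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An agentless tool runs this compare step on a schedule; an agent-based tool reacts to file events instead, which is why the latter catches changes between scans.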
Top Professional File Integrity Monitoring Solutions
Companies seeking a paid FIM solution have more flexible options at their disposal. Beyond individual FIM products, there are also broader suites of security services integrating FIM:
- Threat and vulnerability management
- Regulatory compliance management
- Managed detection and response (MDR)
These tools all fold FIM functions into comprehensive managed security suites. Working with a managed security services provider allows you to tailor your FIM tool to your needs and means.
Threat and Vulnerability-based File Integrity Monitoring
One approach to integrated file integrity monitoring is a comprehensive threat and vulnerability management program. This robust suite of services typically prioritizes internal vulnerabilities and external threats, analyzing the relationships between them to determine risk. Risk itself might break down into several factors such as likelihood and severity, which determine what mitigation measures are needed, when and how they should be implemented, and by whom.
A threat and vulnerability management program can incorporate file integrity monitoring as a distinct focus, identifying changes to files as potential sites of vulnerability. Or, it can integrate file integrity monitoring into a comprehensive cybersecurity information visibility dashboard.
Detection and Response Based File Integrity Monitoring
Companies interested in a more active approach to FIM might also consider managed detection and response (MDR) services. Similar to threat and vulnerability management, these include:
- Threat detection, applicable to integrity threats exclusively or among other categories
- Incident response, including backup and real-time restoration of compromised files
- Root cause analysis, which conducts a forensic investigation to determine new threat indicators and prevent similar attacks
- Regulatory compliance, ensuring integrity specifically for protected file types
Detection and response differs from threat and vulnerability management in that it includes more infrastructure for responding to integrity incidents. Some companies may prioritize the compliance monitoring functionality and make their FIM system selection accordingly.
Regulatory Compliance Based File Integrity Monitoring
Finally, as noted above, FIM tools can be configured to monitor all changes to files or only particular content within specific files. Companies with regulatory compliance requirements may focus their FIM system on the subsets of data pertinent to them; for example, they might concentrate on monitoring PHI integrity and other privacy or security breach indicators for HIPAA compliance.
Another use case involves data protected by location-based regulations. For example, all data that belongs to citizens of the European Union (EU) must be protected according to the General Data Protection Regulation (GDPR). Similarly, data belonging to California residents is protected under the California Consumer Privacy Act (CCPA). A fine-tuned FIM solution can filter for data subject to these regulations to uphold GDPR compliance or CCPA compliance, respectively.
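One way to scope FIM to regulated content, serving both the PII/PAN scanning mentioned under “Primary Functionality” and the compliance-based filtering described in this section. This is an added example, not code from any product on this page: it classifies files by whether they contain Luhn-valid payment card numbers, so only those files need PCI-scoped monitoring. The sample files are constructed and the card numbers are well-known test numbers, not real accounts.

```python
import re

# Added example, not code from any FIM product named on this page.
# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card networks; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return masked PANs found in text; only Luhn-valid candidates count."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Reject degenerate runs such as all zeros, which also pass Luhn.
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def classify(files: dict) -> dict:
    """Map file name -> masked PANs, keeping only files that carry card data."""
    return {name: pans for name, body in files.items() if (pans := find_pans(body))}

# Constructed sample "files" (name -> contents) for the demonstration.
SAMPLE_FILES = {
    "orders.csv": "id,card,amount\n1,4111 1111 1111 1111,19.99\n2,5500-0000-0000-0004,5.00\n",
    "server.log": "2024-01-01 12:00:00 request id 1234567890123456 served in 12ms\n",
    "README.txt": "No card data here. Phone: 555-0100.\n",
}

if __name__ == "__main__":
    for name, pans in classify(SAMPLE_FILES).items():
        print(name, pans)
```

The 16-digit request id in `server.log` fails the Luhn check and is correctly ignored, which is the main reason to validate candidates rather than match on digit count alone.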
Rethink Your File Integrity Monitoring and Security
Open source file integrity monitoring tools are free, publicly available programs that ensure files are not changed or deleted inappropriately. For the most part, these offer the same basic functionalities as paid, enterprise versions. However, there are tradeoffs in terms of system integration and robust monitoring options with open source tools.
Companies should also consider the benefits of managed file integrity monitoring and other cybersecurity services.
Contact RSI Security for file integrity monitoring implementation and advisory to optimize your FIM capabilities today!