File integrity monitoring
Description
What this control does
File integrity monitoring (FIM) is a security control that tracks and alerts on unauthorized changes to critical system files, directories, binaries, configuration files, and application code. FIM tools create cryptographic hashes or checksums of baseline file states and continuously or periodically compare current file states against those baselines to detect modifications, deletions, or additions. This control is essential for detecting malware installation, rootkit deployment, unauthorized configuration tampering, and insider threats that modify system components to establish persistence or disable security controls.
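The baseline-and-compare cycle described above, as an added example rather than any FIM product's own code: it hashes every regular file under a monitored root, records permission bits alongside the hash, and classifies drift as added, deleted, or modified. The sample tree and the three changes made to it are constructed here, and the decision to skip symlinks is an assumption about policy.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash plus permission bits."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # assumption: policy hashes link targets separately
            snapshot[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "mode": oct(p.stat().st_mode & 0o7777),
            }
    return snapshot

def compare(baseline: dict, current: dict) -> dict:
    """Classify drift: new paths, missing paths, and content/permission changes."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed sample tree, baselined, then changed the way an auditor's test would."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "ls").write_bytes(b"\x7fELF original build")
    (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    baseline = build_baseline(root)
    (root / "bin" / "ls").write_bytes(b"\x7fELF replaced binary")  # modified
    (root / "etc" / "hosts").unlink()                               # deleted
    (root / "etc" / "rc.local").write_text("# unexpected new file\n")  # added
    return compare(baseline, build_baseline(root))
```

In a deployment the baseline dict would be signed and stored off-host, and each non-empty category from `compare` would be matched against approved change tickets before being raised as an alert.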
Control objective
What auditing this proves
Demonstrate that the organization has implemented automated file integrity monitoring on critical systems that detects, alerts on, and logs unauthorized or unexpected changes to system files, binaries, libraries, and configurations in a timely manner.
Associated risks
Risks this control addresses
- Attackers install backdoors, webshells, or malicious binaries on production systems without detection
- Rootkits or kernel-level malware modify core operating system files to hide malicious activity
- Insider threats tamper with audit logs, security configurations, or authentication files to cover tracks
- Ransomware encrypts or replaces system files before defensive measures can respond
- Unauthorized configuration drift introduces security vulnerabilities by disabling hardening settings
- Compromised supply chain components modify legitimate application files post-deployment
- Privilege escalation attacks replace system utilities with trojaned versions to capture credentials
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's asset inventory identifying all systems classified as critical, security-sensitive, or in-scope for file integrity monitoring
- Request and examine the file integrity monitoring policy, procedures, and documented baseline configurations showing which files, directories, and system components are monitored on each asset class
- Select a sample of critical systems across different platforms (Windows servers, Linux servers, network devices, database servers) and verify FIM agents or tools are installed, enabled, and actively running
- Review FIM configuration files or management console settings to confirm monitored paths include system binaries, libraries, kernel files, authentication databases, web application code, configuration files, and audit logs
- Verify baseline creation process by examining baseline snapshots with cryptographic hashes, review dates, and approval records demonstrating authorized baseline states
- Test alert functionality by requesting evidence of recent FIM alerts, examining alert logs, and verifying alerts are routed to security operations or monitoring personnel with documented response procedures
- Perform a simulated unauthorized change on a test system within scope by modifying a monitored file and confirm the FIM system detects, alerts, and logs the change within the defined detection window
- Review a sample of FIM alerts from the past 90 days to assess investigation and disposition records, confirming unauthorized changes triggered incident response and authorized changes correlate with approved change tickets