FIM Policy
Prerequisites
- Sysdig Secure
- Universal eBPF probe enabled. See more in the dedicated page.
- Agent 14.3+
Configure the Sysdig Shield
To enable the feature, set features.detections.file_integrity_monitoring=true in your Sysdig Shield configuration.
For additional installation instructions, see:
Create a FIM Policy
Log in to Sysdig Secure.
Select Policies > Threat Detection > Runtime Policies to display the Runtime Policies page.
Click +Add Policy and select the FIM policy type.
Configure the policy as given in Configure a FIM Policy.
Click Save.
Configure a FIM Policy
Basic Parameters
Name: Enter a unique policy name.
Description: Provide a meaningful and searchable description.
Enabled: Toggle to enable or disable the policy. The policy must be enabled to generate events.
Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI.
The available severities are High, Medium, Low, or Info.
Policy severity is subjective and is used to group policies within a Sysdig Secure instance. There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Choose the scope to which the policy will apply. You can select Hosts Only, Containers Only, or define a Custom Scope.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.
If you provide a value here, a View Runbook option will appear in the corresponding event with a link to your Runbook.
Policy Rules
Turn on one or both rules to detect different operations performed on files:
Modification: Triggers when a file's content is modified. This does not trigger on file creation.
Deletion: Triggers when a file is removed.
Rules Configuration
Use Regex: If enabled, you can use Google RE2-compatible regular expressions when specifying the monitored and excluded directory paths. This significantly increases CPU usage.
Monitored Directories: A comma-separated list of folders to be monitored for changes. Files in these folders trigger detections. For symlinks, specify the resolved (actual) path. The longer the list, the more resources are consumed.
Excluded Directories: A comma-separated list of folders to be excluded from monitoring. These must be absolute paths of subfolders of directories in the Monitored Directories list.
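The following Python model is an added illustration, not Sysdig's own code: it shows how the rule toggles, monitored and excluded directory lists, the Use Regex option, and symlink resolution combine to decide whether a file event is in scope. It assumes prefix matching on directory boundaries in non-regex mode, uses Python's re module as a stand-in for RE2, and replaces the live filesystem with a constructed symlink table so it runs offline.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed symlink table; stands in for the live filesystem so the example runs offline.
FAKE_LINKS: Dict[str, str] = {"/opt/app/conf": "/etc/app"}

def fake_realpath(path: str) -> str:
    """Resolve a path through FAKE_LINKS, as os.path.realpath would on a real host."""
    for link, target in FAKE_LINKS.items():
        if path == link or path.startswith(link + "/"):
            return target + path[len(link):]
    return os.path.normpath(path)

@dataclass
class FimPolicy:
    monitored: List[str]                               # Monitored Directories
    excluded: List[str] = field(default_factory=list)  # Excluded Directories
    use_regex: bool = False                            # Use Regex toggle
    modification: bool = True                          # Modification rule
    deletion: bool = True                              # Deletion rule
    resolve: Callable[[str], str] = os.path.realpath   # swapped for fake_realpath below

    def _matches(self, rule: str, path: str) -> bool:
        if self.use_regex:
            # Assumption: Python re approximates RE2 syntax; avoid lookarounds, which RE2 lacks.
            return re.search(rule, path) is not None
        rule = rule.rstrip("/")
        return path == rule or path.startswith(rule + "/")

    def in_scope(self, path: str) -> bool:
        real = self.resolve(path)  # symlinks: the directory lists refer to the resolved path
        if not any(self._matches(m, real) for m in self.monitored):
            return False
        return not any(self._matches(x, real) for x in self.excluded)

    def triggers(self, op: str, path: str) -> bool:
        """Return True if the event (op is 'create', 'modify' or 'delete') raises a FIM event."""
        if op == "modify":
            enabled = self.modification
        elif op == "delete":
            enabled = self.deletion
        else:
            enabled = False  # creation does not fire the Modification rule
        return enabled and self.in_scope(path)

# Constructed sample policies: a plain-path policy with an exclusion, and a regex policy.
ETC_POLICY = FimPolicy(["/etc", "/var/log"], excluded=["/etc/ssl"], resolve=fake_realpath)
SSH_POLICY = FimPolicy([r"^/home/[^/]+/\.ssh/"], use_regex=True, resolve=fake_realpath)
```

A write to /opt/app/conf/app.yaml is in scope for ETC_POLICY only because the symlink resolves under /etc, which is why the documentation asks for the resolved path in the directory lists.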
Actions
Notify
Select a notification channel from the drop-down list for sending notification of events to appropriate personnel.
Event notifications are generally limited to a frequency of once every five minutes. For details, see Message Throttling in Sysdig Secure.