Using FIM and accounting for system updates


Graham Allan

Apr 14, 2022, 12:42:33 PM
to Wazuh mailing list
We're looking at using Wazuh for File Integrity Monitoring, and wondering what the best practices are for reducing the amount of noise (false positives) generated by normal system updates.

I can see that if the wazuh agent is restarted, the FIM database is cleared, so one option could be to restart the agent after installing updates (e.g. with a yum post-install hook). Does this make any sense or am I missing something? We can see this approach would come with its own limitations! How do other people manage this issue?

Thanks for any ideas or feedback,

Graham

antonio....@wazuh.com

Apr 18, 2022, 5:49:52 AM
to Wazuh mailing list

Hello Graham.

First of all, I’m going to explain a bit how FIM works.

The first thing that FIM performs is what we call “the baseline scan”. This scan checks every monitored directory to get the file’s data and stores the data in the database. When the next scan is triggered (or when a realtime or whodata event is triggered), FIM compares the new data with the data stored in the DB and will trigger an alert based on this comparison.
To avoid false positives if changes are performed in monitored directories while FIM is shut down, FIM clears the database just when it starts.

In my opinion, FIM should only be used to monitor files with sensitive information. It can be used to check system updates, but one thing to bear in mind is that you wouldn’t know if that change is done by the upgrade or because someone changed the binary unless you use the whodata mode, but this can be resource-intensive (it will add an audit rule for each monitored directory and it will be checking if an audit event has been triggered).

FIM doesn’t have any particular option to handle this specific case, but you can use custom rules to filter these events.
One idea is that if these upgrades are scheduled (for example every Sunday at 12:00), you can set custom rules over these directories and set the level to 0. This means that the events that match the rule will be ignored.
The rule will look something like this:

<rule id="17102" level="0">
  <if_sid>550</if_sid>
  <field name="file">/bin/</field>
  <time>12 am - 2 pm</time>
  <weekday>sunday</weekday>
  <description>Update during sunday</description>
</rule>

Just as a note, the SIDs of the FIM alerts are the following:

  • 550: Modified file
  • 554: Added file
  • 553: Deleted file

You can check the following links to get more information.
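A fuller version of the rule above, as an added example that is not from the original thread: it is written as a local_rules.xml group, uses an id from the custom-rule range, covers all three FIM SIDs listed in the reply rather than only 550, and limits the suppression to package-managed directories. The rule id (100100), the directory list and the Sunday window are assumptions, not values from the thread.

```xml
<!-- Added example: drop this into /var/ossec/etc/rules/local_rules.xml on the manager.
     Assumed values: rule id 100100 (custom range), the directory regex, and the window. -->
<group name="syscheck,maintenance_window,">

  <!-- Ignore FIM modified (550), deleted (553) and added (554) alerts, but only for
       files under package-managed directories and only inside the update window.
       Level 0 means the matching events are not alerted at all, as described in the reply. -->
  <rule id="100100" level="0">
    <if_sid>550,553,554</if_sid>
    <!-- OS_Regex: anchor on the path prefix so unrelated directories keep alerting -->
    <field name="file">^/bin/|^/sbin/|^/usr/bin/|^/usr/sbin/|^/usr/lib/|^/usr/lib64/</field>
    <weekday>sunday</weekday>
    <time>12 am - 2 pm</time>
    <description>FIM change in package directory during the scheduled Sunday update window</description>
  </rule>

</group>
```

FIM changes to the same directories outside the window, and changes anywhere else at any time, still fire the stock 550/553/554 rules at their normal level; restart wazuh-manager after editing the file so the new rule is loaded.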
