FIM policies
Create file integrity monitoring (FIM) policy definitions to monitor for file changes. A policy definition includes a target that identifies the type of object that you want to monitor. Some of the target types include directory, device, symbolic link, script, and executable.
You can assign attributes to the target type. An attribute is an action you want to monitor, such as:
- File moves
- File ownership changes
- Date and time changes
A policy definition can contain more than one target.
Create a FIM policy
To create a FIM policy:
- On the Home page, click Policy Management.
- Using the filtering options (or from the list), select a server.
- At the right of the server hostname row, click the vertical ellipsis menu icon, and then select FIM.
- Click Policies.
- At the right, click Create New FIM Policy.
- In the Create New Policy panel, enter a name for the policy.
- In the Change requested by [loggedInUserName] field, enter a reason for the change.
- Click Create.
To create a FIM rule for the policy:
- In the list, click the Policy name you have just created.
- On the Policy Details page, at the right, click Add New FIM Rule.
- In the Create new FIM rule panel, enter a Rule name.
- In the Change requested by [loggedInUserName] field, enter a reason for the change.
- Click Create.
Note
To delete a FIM Rule, click the appropriate FIM policy to navigate to Policy Details > Rules. Click the trash bin icon to delete the FIM Rule for the policy.
To add a FIM target:
- On the Policy Details page, click on the rule name you have just created.
- On the Rule Definition Editor page, click Add New FIM Target to add a target to the definition.
- Select a Target type, and then set attributes you want to monitor.
- You can assign a policy risk rating. The accepted values are between 1 and 10. A risk rating weighs the severity of the monitored actions configured for the targets.
- In the Change requested by [loggedInUserName] field, enter a reason for the change.
- Click Save.
- On the Policy Details page, click on the rule you just created.
- On the Rule Definition Editor page, enter Included path entries. Optionally, check the boxes:
  - Recurse sub folders
  - Follow symlinks
  - Follow links off device
  The policy applies to all files in the path.
- In the Change requested by [loggedInUserName] field, enter a reason for the change.
- Click Save.
- In the Exclude Paths section, enter paths that you do not want to monitor.
- In the Change requested by [loggedInUserName] field, enter a reason for the change.
- Click Save.
Clone a FIM policy
You may want to clone a policy in order to make a backup, or use it as a template to create a new one. On the File Integrity Monitoring page, select the clone icon on an existing policy, enter a unique Policy name, and click Clone.
Note
Each policy requires a unique name. In order to clone a policy, you must give it a new name; otherwise, the Clone button does not activate.
Delete a FIM policy
To delete a FIM policy:
- Go to the Policy Management page.
- Using the filtering options (or from the list), select a server.
- At the right of the server hostname row, click the vertical ellipsis menu icon, and then select FIM.
- Click Policies.
- In the FIM Policies list, click the trash bin icon at the right of the policy you want to remove, and then click Delete to confirm.
FIM clients
The File Integrity Monitoring Clients page lists all known endpoints that use a selected policy server. This information is obtained via the Profile action in the Hosts Inventory section, by reading each endpoint's pb.settings file. This section allows the administrator to perform the actions detailed in this topic.
Policy assignment
By selecting one or more endpoints in the list, endpoints can be configured to use specific File Integrity Monitoring (FIM) policies, which themselves are managed in the Policies section. A list of available policies is then displayed. An endpoint can be assigned only one FIM policy at a time; changing the assigned policy removes any previous assignment.
To assign or change the currently assigned FIM policy:
1. On the Home page, click Policy Management.
2. Using the filtering options (or from the list), select a server.
3. At the right of the server hostname row, click the vertical ellipsis menu icon, and then select FIM.
4. On the FIM page, click Clients.
5. On the FIM Clients page, do either of the following:
   - Use the filtering options to find a specific client.
   - Find it directly in the list.
6. To select a FIM client, at the left of its hostname, check the box.
Note
If you want to make the same assignment or change in assignment for multiple clients, you can. To do so, select multiple clients at this step. Once you click Apply at step 10, the change applies to all clients selected.
7. At the far right, click the Actions menu, and then select FIM Policy Assignment.
8. On the Policy Assignment panel, at the right of the Policy name field, click the dropdown arrow, and then select a policy to assign or reassign.
9. In the Change requested by [loggedInUserName] field, enter a reason for the assignment or change.
Note
The step above is only available if you have enabled Change Management on the FIM Policy server.
10. Click Apply.
11. To close the Policy Assignment panel, click the X at the top-right of the panel.
FIM client reports
By selecting one or more endpoints in the list, endpoints can execute the assigned FIM report. The time it takes to complete the task varies based on a number of factors, including hardware, complexity, and scope of the FIM policy. FIM Report Execution requires credentials to authenticate into the endpoint to execute the task.
Note
You can also use default credentials that you set up under Hosts > Credential Rules.
An option to update the base file state against which further reports are compared is available (the Update the report database option at Step 8, which can be toggled ON or OFF).
To run FIM reports:
1. On the Home page, click Policy Management.
2. Using the filtering options (or from the list), select a server.
3. At the right of the server hostname row, click the vertical ellipsis menu icon, and then select FIM.
4. On the FIM page, click Clients.
5. On the FIM Clients page, do either of the following:
   - Use the filtering options to find a specific client.
   - Find it directly in the list.
6. To select a FIM client, at the left of its hostname, check the box.
Note
If you want to run a FIM report for multiple clients using the same credentials, you can. To do so, select multiple clients at this step. Once you click Apply at step 13, the reports are run for all clients selected.
7. At the far right, click the Actions menu, and then select FIM Reports Execution.
8. On the Run FIM Reports panel, if you want to update the report database, click the Update the report database toggle to ON. Turning it on changes the baseline to the results of the report that you are about to run. As a result, any future report will be reported in terms of a deviation or difference from this one.
Note
Steps 9-11 are optional fields, if you have defined Credential Rules for the hosts selected. Steps 10 and 11 are also optional, based on the permissions of the user selected at Step 9, and the strategy selected at Step 10.
9. At the right of the Login Credential field, click the dropdown arrow and select a credential.
10. At the right of the Delegation Strategy field, click the dropdown arrow and select a strategy.
11. Depending on the option you select, you might need to enter a delegated credential. If so, at the far right of the Delegated Credential field, click the dropdown arrow and select a delegated credential.
12. In the Change requested by [loggedInUserName] field, enter a reason for the change.
13. Click Apply.
14. To close the Policy Assignment panel, click the X at the top-right of the panel.
Note
You can view the current status of the task in the Tasks section.
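How the Update the report database toggle interacts with included and excluded paths, as an added Python sketch; it is not BIUL code and does not use the product's API, report format or attribute names. The functions `snapshot`, `run_report` and `demo`, the attribute set and the sample tree are assumptions constructed for illustration.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def snapshot(include, exclude=(), recurse=True):
    """Map each regular file under the included paths to its monitored attributes."""
    def excluded(p):
        return any(p == x or p.startswith(x.rstrip(os.sep) + os.sep) for x in exclude)
    state = {}
    for root in include:
        for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs not followed
            if not recurse:
                dirnames.clear()  # stay in the top-level directory only
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if excluded(path) or not stat.S_ISREG(st.st_mode):
                    continue
                digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
                state[path] = {"sha256": digest, "owner": (st.st_uid, st.st_gid),
                               "mode": stat.S_IMODE(st.st_mode), "mtime": st.st_mtime_ns}
    return state

def run_report(baseline, include, exclude=(), update_database=False):
    """Compare the current state to the baseline; return (findings, next baseline)."""
    current = snapshot(include, exclude)
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            findings.append((path, "added" if old is None else "removed"))
        elif old != new:
            diff = sorted(k for k in new if new[k] != old[k])
            findings.append((path, "changed:" + ",".join(diff)))
    return findings, (current if update_database else baseline)

def demo():  # constructed sample tree: one monitored config file, one excluded log dir
    with tempfile.TemporaryDirectory() as top:
        conf, logs = Path(top, "app.conf"), Path(top, "logs")
        logs.mkdir()
        conf.write_text("port=22\n")
        (logs / "app.log").write_text("start\n")
        base = snapshot([top], exclude=[str(logs)])
        conf.write_text("port=2222\n")               # change to a monitored file
        os.utime(conf, ns=(1, 1))                    # force a timestamp change too
        (logs / "app.log").write_text("rotated\n")   # excluded path: never reported
        first, base = run_report(base, [top], [str(logs)])          # toggle OFF
        second, base = run_report(base, [top], [str(logs)], update_database=True)
        third, base = run_report(base, [top], [str(logs)])          # new baseline
        return [c for _, c in first], [c for _, c in second], third
```

The third report is empty because the second run replaced the baseline, so a change that was never reviewed stops appearing once the toggle has been ON for a run.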
Reports
File Integrity Monitoring (FIM) reports are available within the BeyondInsight for Unix & Linux (BIUL) console, in addition to being available from a command line. FIM reports are stored on policy servers and are available under the Policy section of the console.
To access FIM reports:
- On the Home page, click Policy Management.
- Using the filtering options (or from the list), select a server.
- At the right of the server hostname row, click the vertical ellipsis menu icon, and then select FIM.
- On the FIM page, click Reports.
- On the FIM Reports page, do either of the following:
  - Use the filtering options to find a specific report.
  - Find it directly in the list.
- To view the details of the report, at the far right of the report summary line, click the right-facing arrow icon.
- To view more specific information, on the FIM Report Details page, use the filtering options to narrow down your information search.
- To view the file's Policy Violation Details, double-click on a file information row, and consult the details panel on the right.
- When done with the details of that file, you can click another information row in the table and view its details, or click the X at the top-right of the panel to close it.
To go to a different report for the same server, on the breadcrumbs line at the top of the page, click FIM Reporting.
To view FIM Reports for a different server, on the left menu, click Policy and start again.