Security Technology Alliance Program User Group


Implementing File Integrity Monitoring (FIM) with auditd and IBM QRadar: A Practical Guide

By Pranav Hiswankar posted Thu May 07, 2026 04:24 PM

Introduction

File Integrity Monitoring (FIM) is a critical security control used to detect unauthorized changes to system files. It plays a vital role in identifying privilege escalation, insider threats, and malware persistence, while also supporting compliance frameworks such as PCI-DSS, ISO 27001, SOX, and NIST.

In this blog, we walk through a practical, lab-tested implementation of FIM using the Linux audit framework (auditd) integrated with IBM QRadar. The focus is on real-world deployment challenges, particularly around log forwarding and event visibility, rather than theoretical concepts.

The setup uses two machines:

  • One Linux server being monitored
  • One IBM QRadar system acting as the SIEM

Architecture Overview

The architecture is simple and effective:

Architecture diagram (image not reproduced): Linux server running auditd and rsyslog → IBM QRadar, with events forwarded over syslog.

Components Used

  • Linux OS (RHEL/CentOS/Rocky/Ubuntu)
  • auditd (Linux Auditing Framework)
  • rsyslog (log forwarding)
  • IBM QRadar (SIEM)

What Is File Integrity Monitoring?

File Integrity Monitoring tracks unauthorized changes to critical system files such as:

  • /etc/passwd
  • /etc/shadow
  • /etc/sudoers
  • SSH configuration files
  • System binaries

These changes often indicate:

  • Privilege escalation
  • Unauthorized user creation
  • Backdoor installation
  • Configuration tampering

Step 1: Installing and Enabling auditd

On the Linux server:

# RHEL / CentOS
yum install audit -y

# Ubuntu
apt install auditd -y

Enable and verify:

systemctl enable auditd
auditctl -s

On modern Linux systems, auditd starts early at boot and cannot be manually restarted through systemctl: the unit is configured to refuse manual stop and restart, so `systemctl restart auditd` is rejected. This is a security feature that prevents attackers from disabling auditing. If a restart is genuinely needed, use `service auditd restart`, which goes through auditd's own init script rather than systemd. `auditctl -s` should report `enabled 1`, meaning the kernel audit subsystem is active.

Step 2: Configuring FIM Rules in auditd

Create a rules file:

vi /etc/audit/rules.d/fim.rules

Add critical file monitoring rules. Each -w line watches a path, -p wa records writes (w) and attribute changes (a) such as chmod/chown, and -k attaches a key that appears in every resulting event and is what you search for in QRadar:

# Identity and privilege files
-w /etc/passwd -p wa -k fim_passwd
-w /etc/shadow -p wa -k fim_shadow
-w /etc/group -p wa -k fim_group
-w /etc/sudoers -p wa -k fim_sudo
# Remote access configuration
-w /etc/ssh/sshd_config -p wa -k fim_ssh
# System binaries (directory watches cover every file below them)
-w /bin -p wa -k fim_bin
-w /sbin -p wa -k fim_sbin
-w /usr/bin -p wa -k fim_usrbin


Load the rules:

augenrules --load

Verify that every watch appears with its key:

auditctl -l

Step 3: The Critical Step – Forwarding audit Logs

This is where many implementations fail.

auditd logs are written to /var/log/audit/audit.log, and rsyslog does NOT forward this file by default.

To fix this, rsyslog must be explicitly configured to read the audit log.


Configure rsyslog imfile

Create a config file:

vi /etc/rsyslog.d/99-auditd.conf

Add:

# Load the file-input module and tail the audit log
module(load="imfile")
input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="auditd:"
      Severity="info"
      Facility="local6")
# Forward everything on facility local6 to QRadar (@@ is TCP, a single @ would be UDP)
local6.* @@<QRADAR_IP>:514

Restart rsyslog:

systemctl restart rsyslog

Verify rsyslog is monitoring the file (on Ubuntu/Debian the equivalent log is /var/log/syslog):

grep imfile /var/log/messages

Note that rsyslog must be able to read /var/log/audit/audit.log, which auditd creates as mode 0600 owned by root. On RHEL-family systems rsyslog runs as root, but on distributions where it drops privileges to an unprivileged user (Ubuntu's syslog user), imfile cannot open the file and nothing will be forwarded until the permissions or the rsyslog user are adjusted.


Step 4: Configuring Log Source in QRadar

On the QRadar console:

  1. Go to Admin → Log Sources
  2. Add a new log source:
    • Log Source Type: Linux OS
    • Protocol: Syslog
    • Log Source Identifier: Linux server IP
  3. Save and Deploy Changes

Step 5: Testing File Integrity Monitoring

Trigger a test change (remove the test line afterwards):

echo "#FIM_TEST" >> /etc/passwd

Verify locally:

tail -f /var/log/audit/audit.log

The resulting audit event consists of four record types sharing the same serial number (38794): SYSCALL, CWD, PATH (one item for the parent directory, one for the file) and PROCTITLE. The key="fim_passwd" field is the -k value from the rule, and auid identifies the original login user even after su or sudo:

type=SYSCALL msg=audit(1778004106.156:38794): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=56099d8daac0 a2=441 a3=1b6 items=2 ppid=2433361 pid=2433364 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=203 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="fim_passwd"ARCH=x86_64 SYSCALL=openat AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1778004106.156:38794): cwd="/root"
type=PATH msg=audit(1778004106.156:38794): item=0 name="/etc/" inode=134289537 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
type=PATH msg=audit(1778004106.156:38794): item=1 name="/etc/passwd" inode=134913367 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
type=PROCTITLE msg=audit(1778004106.156:38794): proctitle="-bash"
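As an added example (not code from the post or from IBM), the following Python correlates the multi-record event format shown above into one event per serial number, the same grouping QRadar performs when it parses these lines. It keeps only events that carry a -k key, takes the file path from the NORMAL PATH item rather than the PARENT item, and decodes the hex form auditd uses for proctitle when the command line contains spaces. The log text is constructed from the post's event with a second, unkeyed event added.

```python
import re
from collections import defaultdict

# Constructed sample (not from the post's lab): serial 38794 mirrors the post's test
# write to /etc/passwd with proctitle in auditd's hex form; 38795 is an unkeyed read
# of /etc/hosts that FIM logic should ignore.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1778004106.156:38794): arch=c000003e syscall=257 success=yes exit=5 items=2 ppid=2433361 pid=2433364 auid=0 uid=0 tty=pts0 ses=203 comm="bash" exe="/usr/bin/bash" key="fim_passwd"
type=CWD msg=audit(1778004106.156:38794): cwd="/root"
type=PATH msg=audit(1778004106.156:38794): item=0 name="/etc/" inode=134289537 mode=040755 nametype=PARENT
type=PATH msg=audit(1778004106.156:38794): item=1 name="/etc/passwd" inode=134913367 mode=0100644 nametype=NORMAL
type=PROCTITLE msg=audit(1778004106.156:38794): proctitle=2D62617368
type=SYSCALL msg=audit(1778004106.900:38795): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=2433370 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1778004106.900:38795): item=0 name="/etc/hosts" inode=1234 mode=0100644 nametype=NORMAL
"""
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')      # timestamp and event serial

def parse_record(line):
    """Split one audit record into a dict of field -> unquoted value."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    m = MSG_RE.search(line)
    fields["_ts"], fields["_serial"] = m.group(1), int(m.group(2))
    return fields

def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains NULs/spaces; decode to text."""
    if not re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return value                       # already a plain quoted string
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")

def correlate(log_text):
    """Group records by serial into one event each; keep only events with a -k key."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        ev = events[rec["_serial"]]
        if rec["type"] == "SYSCALL":
            ev.update(key=rec.get("key"), syscall=rec["syscall"], exe=rec["exe"],
                      auid=rec["auid"], uid=rec["uid"], ts=rec["_ts"], success=rec["success"])
        elif rec["type"] == "PATH" and rec.get("nametype") != "PARENT":
            ev["paths"].append(rec["name"])     # the file itself, not its directory
        elif rec["type"] == "CWD":
            ev["cwd"] = rec["cwd"]
        elif rec["type"] == "PROCTITLE":
            ev["cmd"] = decode_proctitle(rec["proctitle"])
    return {s: e for s, e in events.items() if e.get("key") not in (None, "(null)")}
```

Running correlate(SAMPLE_LOG) yields a single event keyed fim_passwd, with paths ["/etc/passwd"], auid "0" and the decoded command "-bash"; the unkeyed /etc/hosts read is dropped, which is the same filtering a QRadar search on the key field gives you.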


QRadar Validation Steps

Please perform the following steps in QRadar:

QRadar Log Source Configuration

The following screenshots show the configured Linux OS log source in QRadar (images not reproduced): the Log Source Overview and the Protocol Configuration.
Verify in Log Activity

  • Go to Log Activity
  • Click on Add Filter
  • Select Log Source
  • Choose the newly created log source

You should see audit events containing file paths and system calls.

Real-Time FIM Events in QRadar

The screenshot below shows auditd events successfully parsed and visible in QRadar Log Activity.

Security and Compliance Value

This setup helps detect:

  • Unauthorized file changes
  • Privilege escalation attempts
  • SSH tampering
  • Malware persistence

It also supports compliance requirements for:

  • PCI-DSS (Requirement 11)
  • ISO 27001
  • NIST
  • SOX

Conclusion

By integrating auditd with IBM QRadar SIEM, you can build a scalable and efficient File Integrity Monitoring solution using native Linux capabilities. The success of this setup depends on correctly configuring audit rules and ensuring reliable log forwarding.

Once in place, QRadar enables real-time visibility, correlation, and alerting on critical file changes, turning FIM into a powerful detection mechanism rather than just a compliance requirement.

If you have any questions about the topics discussed or would like to explore these capabilities further, please feel free to reach out to us for a detailed discussion.
Author – Pranav Hiswankar (pranav.hiswankar@ibm.com)
Reviewer – Prabir Meher

Special thanks to Prabir for taking the time to review this blog.
