Home/Resources/Agents/File Integrity Monitor
Endpoint & Integrity

File Integrity Monitor

Cryptographic proof a host has not been tampered with since the last scan, on a cadence the assessor cannot dispute.

Covered practices · NIST SP 800-171 Rev 2
3.14.5Periodic scansPrimary3.14.6Monitor systems for indicators of attackPrimary3.3.8Protect audit information3.4.1Baseline configurations3.14.7Identify unauthorized use
SHA-256
FIPS-approved hash applied to every monitored file

The problem

3.14.5 requires periodic scans of organizational systems. 3.14.6 requires monitoring to detect attacks and indicators of attack. Both controls are written to be solved with file integrity monitoring, since FIM is the technical evidence that a system has not been tampered with between assessments rather than a procedural claim that nobody touched it.

Persistence mechanisms are visible to FIM that nothing else catches. A modified SSH host key is the setup for a man-in-the-middle. A new SUID binary is privilege escalation infrastructure waiting to be used. A kernel module added to /lib/modules/ is a near-certain rootkit indicator. None of these get detected by AV in the general case; all of them get detected by file hashing in the specific case.

Performance is the operational constraint. A naive scanner hashes hundreds of thousands of files on every run and burns the host's IO budget. The agent uses mtime as a pre-filter, so if mtime has not changed since the last scan it skips the re-hash and trusts the recorded hash. Subsequent scans complete in seconds rather than minutes, with no measurable load on production systems.

What CMMC requires

NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.

Primary mapping
NIST 3.14.5Periodic scans

Provides the periodic-scan mechanism for system file integrity required by 3.14.5,the canonical use case for FIM in CMMC environments.

Read in NIST 800-171 r2
NIST 3.14.6Monitor systems for indicators of attack

Binary modifications, kernel module changes, and unexpected SUID binaries are direct indicators of attack,surfaces them with cryptographic certainty.

Read in NIST 800-171 r2
Secondary mapping
NIST 3.3.8Protect audit information

Detects modification of audit binaries (auditd, auditctl) and audit config files,protection of audit information requires knowing when it changes.

Read in NIST 800-171 r2
NIST 3.4.1Baseline configurations

The FIM baseline IS the configuration baseline for file state. Drift from the baseline is configuration drift by definition.

Read in NIST 800-171 r2
NIST 3.14.7Identify unauthorized use

Unauthorized binary modification is a primary indicator of unauthorized system use. FIM converts a procedural concept into measurable evidence.

Read in NIST 800-171 r2

How it works

Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.

Linux

Monitors /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, /lib, /lib64, /usr/lib, /etc/passwd, /etc/shadow, /etc/sudoers and sudoers.d, /etc/ssh/sshd_config and host keys, /etc/pam.d, /etc/audit, all /etc/cron* paths, /boot/grub*/grub.cfg, /boot/vmlinuz*, and /lib/modules. Tracks SUID binaries via find / -perm -4000 -o -perm -2000. Hashes with SHA-256 in streaming chunks for files larger than 100MB. Stores fim.db at /var/lib/tolerance/fim.db with HMAC-SHA256 authentication on the database itself.

Windows

Monitors C:\Windows\System32, SysWOW64, System32\drivers, System32\wbem, and the Program Files trees. Hashes exported registry hives for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, RunOnce, SYSTEM\CurrentControlSet\Services, and Winlogon so persistence-relevant changes are caught at the same cadence as binary changes. Stores fim.db under %ProgramData%\Tolerance\ with the same HMAC integrity check as Linux.

macOS

Monitors /usr/bin, /usr/sbin, /bin, /sbin, /System/Library, /Library/LaunchDaemons, /Library/LaunchAgents, and /etc/pam.d. Uses the same SHA-256 hashing model as Linux with the same mtime pre-filter, so subsequent scans finish in seconds even on machines with hundreds of thousands of system files.

What it finds

Concrete findings written to the assessor's mental model,not abstract categories. Severity drives POA&M priority and SPRS deduction.

  • CRITICAL
    Critical binary modified in /bin or /sbin
    Hash mismatch on a system binary. High rootkit likelihood,investigate immediately. Trojaned ls, ps, netstat, or sshd are well-documented attack patterns.
  • CRITICAL
    Kernel module added or modified
    New or changed file under /lib/modules/. Strong rootkit indicator. Kernel-mode persistence is the highest-risk change a system can experience.
  • CRITICAL
    Windows System32 binary modified
    Hash mismatch on a System32 file outside an authorized Windows Update window. Service hijacking or rootkit pattern.
  • HIGH
    /etc/sudoers modified
    Privilege escalation policy changed since last scan. Verify against approved configuration management,this should never happen outside a tracked change.
  • HIGH
    SSH host key modified
    Host key replaced. Either an admin operation that needs documentation or a man-in-the-middle setup. Both demand explanation.
  • HIGH
    New SUID binary detected
    Binary with SUID bit added since baseline. Privilege escalation infrastructure,investigate origin and authorize or remove.
  • HIGH
    New cron job in /etc/cron.d/
    Cron file created since baseline. Persistence mechanism,verify the source of the change.
SPRS impact

3.14.5 and 3.14.6 are 5-point and 5-point controls respectively, and their combined evidence is what FIM produces. Without FIM, 3.14.5 evidence relies on whatever the AV product runs, which is not periodic scans of system file integrity in any meaningful sense. A FIM-detected rootkit indicator is an incident the contractor can investigate before damage is done. A FIM database with no findings across multiple scans is the single strongest piece of evidence a contractor can place in front of an assessor on these controls.

How it hooks into the platform

The platform initializes the SHA-256 hash database on first discovery of each host and re-hashes on a cadence calibrated to the host's CUI tier. You choose whether the database, diffs, and finding metadata stay on-prem or sync up; the database itself can remain local even when findings sync. The signed FIM database is the SSP's cryptographic file-state baseline under 3.4.1, and the recurring re-scan satisfies 3.14.5 and 3.14.6 directly. Findings link to path, hash before, hash after, and time of change. POA&M items capture investigations of unauthorized modification.

How we know it's working

Acceptance criteria from the engineering spec,what the agent must do to ship.

  • Detects modifications anywhere under /etc/ within the next scan cycle
  • Surfaces kernel module changes against any added or replaced .ko file
  • Flags newly added SUID binaries on the next scan automatically
  • Skips re-hashing of files whose mtime is unchanged for fast subsequent scans
  • Detects tampering of the FIM database via HMAC-SHA256 on every read
  • Hashes /bin, /sbin, and /usr/bin in under 30 seconds on first run
  • Excludes /proc, /sys, and /dev unconditionally to avoid pseudo-fs noise
Other agents in Endpoint & Integrity
Endpoint & Integrity

Vulnerability Scanner

Air-gap-friendly CVE correlation that catches a CISA KEV match without a single packet leaving the contractor's network.

Endpoint & Integrity

Endpoint Protection Auditor

Confirms the EDR is not just installed but actively scanning, current, and unable to be disabled by malware mid-execution.

Endpoint & Integrity

Configuration Baseline Scanner

Signs the secure baseline on first run, then catches every drift away from it on every cadence.

Run this agent against your environment.

Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.

Book a Scoping Call →