Overview
File Integrity Monitoring (FIM) is a feature within opConfig that allows you to monitor critical files and directories on remote servers for changes. It is designed to support regulatory compliance requirements by providing visibility into:
...
FIM operates as an extension of the opConfig Command Set system. You create a FIM-enabled Command Set, define the files or directories you wish to monitor, and opConfig periodically collects metadata from the target nodes and raises alerts when changes are detected.
Supported Platforms
FIM supports two operating system families, each using a different backend collection method:
...
The platform is selected when creating the Command Set via the OS Mode setting, which determines the backend plugins used, the available configuration options, and path format validation.
Configuring a FIM Command Set
FIM is configured through the opConfig Command Set editor. When creating or editing a Command Set, enabling File Integrity Monitoring transforms the editor into the FIM-specific interface.
Step 1: Create a File Integrity Monitoring Command Set
...
Step 2: Select OS Mode
Choose whether this Command Set will monitor Linux or Windows systems.
...
Note: A single Command Set can only target one OS family. Create separate Command Sets for Linux and Windows nodes.
Step 3: Configure General Settings
Field | Description |
Name | A unique identifier for this Command Set. Must contain only alphanumeric characters and underscores, and cannot be the name “new” |
Active | Enables or disables this Command Set. Use this to temporarily stop monitoring without deleting the configuration. |
OS | A string or regex filter to match against the node’s |
Version | Optional. A string or regex filter to match against the node’s |
Tags | These operate as normal Command Set tags, used for categorising and grouping Command Sets. |
Keep Last | The number of revisions (changed result sets) to retain in the system. Set to 0 to keep all revisions. |
Purge Older Than | Controls the maximum age for retained revisions. Revisions older than this are automatically purged. |
Plugin Interaction Timeout | The maximum time (in seconds) the plugin is allowed to interact with the remote system before timing out. Default is 120 seconds. |
Step 4: Configure Platform-Specific Settings
Linux: Auditd Configuration
These settings control how opConfig interacts with the Linux audit daemon on target machines.
...
Note: When “Configure Auditd” is enabled, opConfig will automatically deploy audit rules to /etc/audit/rules.d/file-integrity.rules on the target system and reload the audit daemon. The Credential Set used to access the target server should be configured to allow sudo via it’s privileged password setting.
Windows: ACL Settings
These settings control how opConfig manages Windows audit ACLs (Access Control Lists) on target directories.
...
Note: “Force Set ACLs” will rewrite all audit ACLs for monitored directories. Only enable this to recover from a known configuration issue, then disable it again after the next successful run.
Managing Monitored Paths
The core of FIM configuration is the list of files and directories you wish to monitor. The FIM editor provides several ways to manage this list.
Adding a Single Path
...
Click “+ Add Path” in the Monitored Files and Directories toolbar.
Enter the full file path:
Linux: Must begin with / (e.g.,
/etc/passwd,/usr/local/omk/conf/opCommon.json).Windows: Must begin with a drive letter (e.g.,
C:\Windows\System32\config\SAM) or a UNC path (e.g.,\\server\share\file.txt).
Set the “Alert Level” for this path (see Alert Levels).
Linux only: Configure the Audit Monitoring Options (Read, Write, Execute, Attributes).
Click “Save”.
Bulk Add
...
To add many paths at once:
Click “Bulk Add” in the toolbar.
Paste file paths into the text area, one path per line.
Alternatively, paste CSV data. The system auto-detects CSV format. CSV columns:
Linux: path, alert, read, write, execute, attributes
Windows: path, alert
Headers are optional and auto-detected.
Set default audit rules and alert level for all imported paths (these apply in simple text mode; CSV mode uses the values from each row).
Optionally check “Overwrite existing paths” to update paths that already exist in the list.
Click “Add”.
Editing Paths
Click the edit icon on any row in the table to modify its path, alert level, or audit settings.
Bulk Editing
...
To change settings on multiple paths at once:
...
Note: You will receive warnings post-import if duplicate paths exist, or paths are invalid
Deleting Paths
Click the delete icon on a single row, or select multiple rows and click “Delete Selected”.
Confirm the deletion prompt.
Exporting Paths
Click Export in the toolbar to download the current path list as a CSV file. This is useful for backup, auditing, or transferring configurations between Command Sets.
Searching Paths
Use the search box in the toolbar to filter the displayed paths. This filters the table view and does not affect the saved configuration.
Alert Levels
Each monitored path is assigned an alert level that determines the severity of alerts raised when changes are detected.
The alert level maps to the priority of events created in opEvents.
Audit Monitoring Options (Linux Only)
On Linux systems, FIM integrates with the auditd (Linux Audit Daemon) to provide granular monitoring of file access operations. When “Configure Auditd” is enabled, opConfig deploys audit rules to the target system that track the following types of operations:
...
Note: These per-path audit options are not available in Windows mode. Windows audit monitoring is handled through ACLs and the Windows Security Event Log, which monitors a broad set of access types automatically.
Preparing Target Machines
Linux Prerequisites
For FIM to function correctly on Linux target systems, the following must be in place:
SSH Access
The opConfig server must be able to reach the target node via SSH.
A valid credential set must be configured in opConfig for the target node, with either:
SSH key-based authentication (recommended), or
Password-based authentication.
Sudo Privileges
If auditd configuration is enabled the SSH user must have sudo access on the target machine. This can be configured as:
Always privileged: The user has passwordless sudo via
sudoersconfiguration.Password privileged: The user can elevate using their password via
sudo.
Auditd Installation and Configuration
If you wish to configure FIM to use auditd, it must be installed and running on the target system, and:
...
Note: The file /etc/audit/rules.d/file-integrity.rules is managed by opConfig. Manual edits to this file may be overwritten on the next collection run.
Stat Command
The stat utility must be available at the standard path. opConfig uses stat -c to retrieve file metadata. This should be included by default on your Linux system.
Windows Prerequisites
For FIM to function correctly on Windows target systems:
WMI Access
The opConfig server must be able to query WMI on the target system.
A valid credential set must be configured with a Windows domain account that has WMI read access.
WinRM Access
For audit event retrieval, WinRM must be enabled on the target Windows system.
The opConfig server uses WinRM to execute PowerShell commands that query the Windows Security Event Log.
Windows Audit Policy
For change detection to identify which users modified files, Object Access auditing must be enabled on the Windows target.
ACL Configuration
When “Set ACLs” is enabled in the Command Set (recommended), opConfig will automatically configure audit ACLs on the parent directories of monitored files during the first collection run. This sets up the necessary Windows audit entries so that file access events are recorded in the Security Event Log.
ACLs are only applied to directories that haven’t been configured in a previous run (unless “Force Set ACLs” is enabled).
The credential used must have permission to modify audit ACLs on the target directories.
Viewing Results in opConfig
FIM results are viewed through the standard opConfig interface, as the data is stored as Command Set revisions.
Command Set Output
After the FIM Command Set runs, you can view the collected data in the Command Set revision output. The output is structured JSON containing:
Summary: Total count of monitored files, how many exist, and how many were not found.
Per-file details:
File path
Status (EXISTS / DOES NOT EXIST)
Creation date and time
Last modification date and time
File size (human-readable)
Ownership (user:group on Linux, owner on Windows)
File permissions
Modification status (UNCHANGED, MODIFIED, CREATED, DELETED, MISSING, FIRST_SEEN)
Audit information (who made changes, what operation, when)
Derived Data Table
The processing plugin produces a “File Integrity Status” derived data table with the following columns:
...
Additionally, a “File Count” summary table shows the number of files found, not found, and total.
Limitations
FIM detects changes on each collection cycle. Changes that occur between polls are detected at the next collection run, not in real-time. The audit trail helps identify what happened between runs.
FIM monitors file metadata (size, timestamps, permissions) rather than file content. Two files with different content but the same metadata would not be detected as changed.
When a directory path is monitored, only operations on the directory itself are tracked (not its contents). To monitor all files within a directory, each file must be added individually.
While there is no hard limit on the number of monitored paths, monitoring a very large number of files (hundreds+) will increase collection time. Consider the Plugin Interaction Timeout setting.
On the first collection run, there is no previous baseline for comparison. Files will show as FIRST_SEEN. Change detection begins from the second run onward.
You cannot mix Linux and Windows nodes in a single Command Set. Create separate Command Sets for each OS family.
Command sets can be edited manually for additional (command set specific) options. The UI will not overwrite settings in the json file which it doesn't itself use.