File Integrity Monitoring Overview

What Is File Integrity Monitoring?

File integrity monitoring (FIM) monitors key files and directories on servers in real time; records file or directory creation, modification, deletion, and moving; and records and reports alarms on file or directory attribute modification, helping you detect suspicious changes in a timely manner.

File Integrity Monitoring Principles

HSS checks for suspicious changes by comparing the previous and current statuses of a file.

File Integrity Monitoring Scope

The monitored items and scope vary depending on the OS.

Linux file integrity monitoring checks:

Important file integrity
Monitor and record important system files (such as ls, ps, login, and top) in real time, and generate alarms if these files are modified. For more information, see Table 1.
Important file directory change
Monitor system files or directories; record file or directory creation, modification, deletion, and moving; and record and report file or directory attribute modification, helping you detect suspicious changes in a timely manner. For details about the default monitoring paths in conservative mode, see Table 2. For details about the default monitoring paths in sensitive mode, see Table 3.

To add or remove monitored files or directories, modify the settings of File Integrity and Important File Directory Change in the File Protection policy. For details, see Configuring Policies.

**Table 1** Default paths for Linux file integrity checks
Type	File Path
bin	/bin/ls /bin/ps /bin/bash /bin/login
usr	/usr/bin/ls /usr/bin/ps /usr/bin/bash /usr/bin/login /usr/bin/passwd /usr/bin/top /usr/bin/killall /usr/bin/ssh /usr/bin/wget /usr/bin/curl

**Table 2** Default Linux paths for key file and directory change monitoring (conservative mode)
File or Directory Path	Alias	Monitored Objects/Operations
File or Directory Path	Alias	Subdirectory	Creation	Property Modification	Deletion	Moving	Modification
/etc/rc.d/rc.local	rx-local	×	√	×	√	√	√
/etc/crontab	crontab	×	√	×	√	√	√
/var/spool/cron/root	spool-cron	×	√	×	√	√	√
/var/spool/cron/crontabs/root	spool-cron	×	√	×	√	√	√
/etc/cron.allow	cron-allow	×	√	×	√	√	√
/etc/passwd	passwd	×	√	×	√	√	√
/etc/profile.d/zzz_euleros_history.sh	zzz_euleros_history_sh	×	√	×	√	√	√
/etc/profile	profile	×	√	×	√	√	√
/root/.bashrc	bashrc	×	√	×	√	√	√
/root/.bash_profile	bash_profile	×	√	×	√	√	√
/root/.cshrc	cshrc	×	√	×	√	√	√
/etc/ld.so.preload	so_preload	×	√	×	√	√	√
/etc/profile.d/sec_euleros_history.sh	sec_euleros_history_sh	×	√	×	√	√	√
/etc/shells	shells	×	√	×	√	√	√
/usr/sbin/adduser	usr_sbin_adduser	×	√	×	√	√	√
/usr/sbin/chkconfig	usr_sbin_chkconfig	×	√	×	√	√	√
/usr/sbin/chroot	usr_sbin_chroot	×	√	×	√	√	√
/usr/sbin/depmod	usr_sbin_depmod	×	√	×	√	√	√
/usr/sbin/fsck	usr_sbin_fsck	×	√	×	√	√	√
/usr/sbin/fuser	usr_sbin_fuser	×	√	×	√	√	√
/usr/sbin/groupadd	usr_sbin_groupadd	×	√	×	√	√	√
/usr/sbin/groupdel	usr_sbin_groupdel	×	√	×	√	√	√
/usr/sbin/groupmod	usr_sbin_groupmod	×	√	×	√	√	√
/usr/sbin/grpck	usr_sbin_grpck	×	√	×	√	√	√
/usr/sbin/ifconfig	usr_sbin_ifconfig	×	√	×	√	√	√
/usr/sbin/ifdown	usr_sbin_ifdown	×	√	×	√	√	√
/usr/sbin/ifup	usr_sbin_ifup	×	√	×	√	√	√
/usr/sbin/init	usr_sbin_init	×	√	×	√	√	√
/usr/sbin/insmod	usr_sbin_insmod	×	√	×	√	√	√
/usr/sbin/ip	usr_sbin_ip	×	√	×	√	√	√
/usr/sbin/lsmod	usr_sbin_lsmod	×	√	×	√	√	√
/usr/sbin/lsof	usr_sbin_lsof	×	√	×	√	√	√
/usr/sbin/modinfo	usr_sbin_modinfo	×	√	×	√	√	√
/usr/sbin/modprobe	usr_sbin_modprobe	×	√	×	√	√	√
/usr/sbin/nologin	usr_sbin_nologin	×	√	×	√	√	√
/usr/sbin/pwck	usr_sbin_pwck	×	√	×	√	√	√
/usr/sbin/rmmod	usr_sbin_rmmod	×	√	×	√	√	√
/usr/sbin/route	usr_sbin_route	×	√	×	√	√	√
/usr/sbin/rsyslogd	usr_sbin_rsyslogd	×	√	×	√	√	√
/usr/sbin/runlevel	usr_sbin_runlevel	×	√	×	√	√	√
/usr/sbin/sestatus	usr_sbin_sestatus	×	√	×	√	√	√
/usr/sbin/sshd	usr_sbin_sshd	×	√	×	√	√	√
/usr/sbin/sulogin	usr_sbin_sulogin	×	√	×	√	√	√
/usr/sbin/sysctl	usr_sbin_sysctl	×	√	×	√	√	√
/usr/sbin/useradd	usr_sbin_useradd	×	√	×	√	√	√
/usr/sbin/userdel	usr_sbin_userdel	×	√	×	√	√	√
/usr/sbin/usermod	usr_sbin_usermod	×	√	×	√	√	√
/usr/sbin/vipw	usr_sbin_vipw	×	√	×	√	√	√
/usr/bin/awk	usr_bin_awk	×	√	×	√	√	√
/usr/bin/basename	usr_bin_basename	×	√	×	√	√	√
/usr/bin/bash	usr_bin_bash	×	√	×	√	√	√
/usr/bin/cat	usr_bin_cat	×	√	×	√	√	√
/usr/bin/chattr	usr_bin_chattr	×	√	×	√	√	√
/usr/bin/chmod	usr_bin_chmod	×	√	×	√	√	√
/usr/bin/chown	usr_bin_chown	×	√	×	√	√	√
/usr/bin/cp	usr_bin_cp	×	√	×	√	√	√
/usr/bin/curl	usr_bin_curl	×	√	×	√	√	√
/usr/bin/cut	usr_bin_cut	×	√	×	√	√	√
/usr/bin/date	usr_bin_date	×	√	×	√	√	√
/usr/bin/df	usr_bin_df	×	√	×	√	√	√
/usr/bin/diff	usr_bin_diff	×	√	×	√	√	√
/usr/bin/dirname	usr_bin_dirname	×	√	×	√	√	√
/usr/bin/dmesg	usr_bin_dmesg	×	√	×	√	√	√
/usr/bin/du	usr_bin_du	×	√	×	√	√	√
/usr/bin/echo	usr_bin_echo	×	√	×	√	√	√
/usr/bin/ed	usr_bin_ed	×	√	×	√	√	√
/usr/bin/egrep	usr_bin_egrep	×	√	×	√	√	√
/usr/bin/env	usr_bin_env	×	√	×	√	√	√
/usr/bin/fgrep	usr_bin_fgrep	×	√	×	√	√	√
/usr/bin/file	usr_bin_file	×	√	×	√	√	√
/usr/bin/find	usr_bin_find	×	√	×	√	√	√
/usr/bin/grep	usr_bin_grep	×	√	×	√	√	√
/usr/bin/groups	usr_bin_groups	×	√	×	√	√	√
/usr/bin/head	usr_bin_head	×	√	×	√	√	√
/usr/bin/id	usr_bin_id	×	√	×	√	√	√
/usr/bin/ipcs	usr_bin_ipcs	×	√	×	√	√	√
/usr/bin/kill	usr_bin_kill	×	√	×	√	√	√
/usr/bin/killall	usr_bin_killall	×	√	×	√	√	√
/usr/bin/last	usr_bin_last	×	√	×	√	√	√
/usr/bin/lastlog	usr_bin_lastlog	×	√	×	√	√	√
/usr/bin/ldd	usr_bin_ldd	×	√	×	√	√	√
/usr/bin/less	usr_bin_less	×	√	×	√	√	√
/usr/bin/logger	usr_bin_logger	×	√	×	√	√	√
/usr/bin/login	usr_bin_login	×	√	×	√	√	√
/usr/bin/ls	usr_bin_ls	×	√	×	√	√	√
/usr/bin/lsattr	usr_bin_lsattr	×	√	×	√	√	√
/usr/bin/mail	usr_bin_mail	×	√	×	√	√	√
/usr/bin/md5sum	usr_bin_md5sum	×	√	×	√	√	√
/usr/bin/mktemp	usr_bin_mktemp	×	√	×	√	√	√
/usr/bin/more	usr_bin_more	×	√	×	√	√	√
/usr/bin/mount	usr_bin_mount	×	√	×	√	√	√
/usr/bin/mv	usr_bin_mv	×	√	×	√	√	√
/usr/bin/netstat	usr_bin_netstat	×	√	×	√	√	√
/usr/bin/newgrp	usr_bin_newgrp	×	√	×	√	√	√
/usr/bin/passwd	usr_bin_passwd	×	√	×	√	√	√
/usr/bin/perl	usr_bin_perl	×	√	×	√	√	√
/usr/bin/pgrep	usr_bin_pgrep	×	√	×	√	√	√
/usr/bin/ping	usr_bin_ping	×	√	×	√	√	√
/usr/bin/pkill	usr_bin_pkill	×	√	×	√	√	√
/usr/bin/ps	usr_bin_ps	×	√	×	√	√	√
/usr/bin/pstree	usr_bin_pstree	×	√	×	√	√	√
/usr/bin/pwd	usr_bin_pwd	×	√	×	√	√	√
/usr/bin/readlink	usr_bin_readlink	×	√	×	√	√	√
/usr/bin/rpm	usr_bin_rpm	×	√	×	√	√	√
/usr/bin/runcon	usr_bin_runcon	×	√	×	√	√	√
/usr/bin/sed	usr_bin_sed	×	√	×	√	√	√
/usr/bin/sh	usr_bin_sh	×	√	×	√	√	√
/usr/bin/sha1sum	usr_bin_sha1sum	×	√	×	√	√	√
/usr/bin/sha224sum	usr_bin_sha224sum	×	√	×	√	√	√
/usr/bin/sha256sum	usr_bin_sha256sum	×	√	×	√	√	√
/usr/bin/sha384sum	usr_bin_sha384sum	×	√	×	√	√	√
/usr/bin/sha512sum	usr_bin_sha512sum	×	√	×	√	√	√
/usr/bin/size	usr_bin_size	×	√	×	√	√	√
/usr/bin/sort	usr_bin_sort	×	√	×	√	√	√
/usr/bin/ssh	usr_bin_ssh	×	√	×	√	√	√
/usr/bin/stat	usr_bin_stat	×	√	×	√	√	√
/usr/bin/strace	usr_bin_strace	×	√	×	√	√	√
/usr/bin/strings	usr_bin_strings	×	√	×	√	√	√
/usr/bin/su	usr_bin_su	×	√	×	√	√	√
/usr/bin/sudo	usr_bin_sudo	×	√	×	√	√	√
/usr/bin/tail	usr_bin_tail	×	√	×	√	√	√
/usr/bin/test	usr_bin_test	×	√	×	√	√	√
/usr/bin/top	usr_bin_top	×	√	×	√	√	√
/usr/bin/touch	usr_bin_touch	×	√	×	√	√	√
/usr/bin/tr	usr_bin_tr	×	√	×	√	√	√
/usr/bin/uname	usr_bin_uname	×	√	×	√	√	√
/usr/bin/uniq	usr_bin_uniq	×	√	×	√	√	√
/usr/bin/users	usr_bin_users	×	√	×	√	√	√
/usr/bin/vmstat	usr_bin_vmstat	×	√	×	√	√	√
/usr/bin/w	usr_bin_w	×	√	×	√	√	√
/usr/bin/watch	usr_bin_watch	×	√	×	√	√	√
/usr/bin/wc	usr_bin_wc	×	√	×	√	√	√
/usr/bin/wget	usr_bin_wget	×	√	×	√	√	√
/usr/bin/whatis	usr_bin_whatis	×	√	×	√	√	√
/usr/bin/whereis	usr_bin_whereis	×	√	×	√	√	√
/usr/bin/which	usr_bin_which	×	√	×	√	√	√
/usr/bin/who	usr_bin_who	×	√	×	√	√	√
/usr/bin/whoami	usr_bin_whoami	×	√	×	√	√	√
/usr/bin/numfmt	usr_bin_numfmt	×	√	×	√	√	√
/usr/bin/kmod	usr_bin_kmod	×	√	×	√	√	√
/usr/bin/systemctl	usr_bin_systemctl	×	√	×	√	√	√
/usr/bin/gawk	usr_bin_gawk	×	√	×	√	√	√
/usr/bin/mailx	usr_bin_mailx	×	√	×	√	√	√
/usr/lib/systemd/systemd	usr_lib_systemd_systemd	×	√	×	√	√	√
/usr/bin/nmcli	usr_bin_nmcli	×	√	×	√	√	√
/usr/bin/scp	usr_bin_scp	×	√	×	√	√	√
/usr/bin/tar	usr_bin_tar	×	√	×	√	√	√
/usr/bin/chfn	usr_bin_chfn	×	√	×	√	√	√
/usr/bin/chsh	usr_bin_chsh	×	√	×	√	√	√
/usr/bin/crontab	usr_bin_crontab	×	√	×	√	√	√
/usr/sbin/pidof	usr_sbin_pidof	×	√	×	√	√	√
/usr/bin/slogin	usr_bin_slogin	×	√	×	√	√	√
/usr/sbin/sendmail	usr_sbin_sendmail	×	√	×	√	√	√
/usr/sbin/tcpdump	usr_sbin_tcpdump	×	√	×	√	√	√
/sbin/adduser	sbin_adduser	×	√	×	√	√	√
/sbin/chkconfig	sbin_chkconfig	×	√	×	√	√	√
/sbin/chroot	sbin_chroot	×	√	×	√	√	√
/sbin/depmod	sbin_depmod	×	√	×	√	√	√
/sbin/fsck	sbin_fsck	×	√	×	√	√	√
/sbin/fuser	sbin_fuser	×	√	×	√	√	√
/sbin/groupadd	sbin_groupadd	×	√	×	√	√	√
/sbin/groupdel	sbin_groupdel	×	√	×	√	√	√
/sbin/groupmod	sbin_groupmod	×	√	×	√	√	√
/sbin/grpck	sbin_grpck	×	√	×	√	√	√
/sbin/ifconfig	sbin_ifconfig	×	√	×	√	√	√
/sbin/ifdown	sbin_ifdown	×	√	×	√	√	√
/sbin/ifup	sbin_ifup	×	√	×	√	√	√
/sbin/init	sbin_init	×	√	×	√	√	√
/sbin/insmod	sbin_insmod	×	√	×	√	√	√
/sbin/ip	sbin_ip	×	√	×	√	√	√
/sbin/lsmod	sbin_lsmod	×	√	×	√	√	√
/sbin/lsof	sbin_lsof	×	√	×	√	√	√
/sbin/modinfo	sbin_modinfo	×	√	×	√	√	√
/sbin/modprobe	sbin_modprobe	×	√	×	√	√	√
/sbin/nologin	sbin_nologin	×	√	×	√	√	√
/sbin/pwck	sbin_pwck	×	√	×	√	√	√
/sbin/rmmod	sbin_rmmod	×	√	×	√	√	√
/sbin/route	sbin_route	×	√	×	√	√	√
/sbin/rsyslogd	sbin_rsyslogd	×	√	×	√	√	√
/sbin/runlevel	sbin_runlevel	×	√	×	√	√	√
/sbin/sestatus	sbin_sestatus	×	√	×	√	√	√
/sbin/sshd	sbin_sshd	×	√	×	√	√	√
/sbin/sulogin	sbin_sulogin	×	√	×	√	√	√
/sbin/sysctl	sbin_sysctl	×	√	×	√	√	√
/sbin/useradd	sbin_useradd	×	√	×	√	√	√
/sbin/userdel	sbin_userdel	×	√	×	√	√	√
/sbin/usermod	sbin_usermod	×	√	×	√	√	√
/sbin/vipw	sbin_vipw	×	√	×	√	√	√
/sbin/pidof	sbin_pidof	×	√	×	√	√	√
/sbin/sendmail	sbin_sendmail	×	√	×	√	√	√
/sbin/tcpdump	sbin_tcpdump	×	√	×	√	√	√
/usr/bin/vdir	usr_bin_vdir	×	√	×	√	√	√
/usr/bin/write	usr_bin_write	×	√	×	√	√	√
/bin/awk	bin_awk	×	√	×	√	√	√
/bin/basename	bin_basename	×	√	×	√	√	√
/bin/bash	bin_bash	×	√	×	√	√	√
/bin/cat	bin_cat	×	√	×	√	√	√
/bin/chattr	bin_chattr	×	√	×	√	√	√
/bin/chmod	bin_chmod	×	√	×	√	√	√
/bin/chown	bin_chown	×	√	×	√	√	√
/bin/cp	bin_cp	×	√	×	√	√	√
/bin/curl	bin_curl	×	√	×	√	√	√
/bin/cut	bin_cut	×	√	×	√	√	√
/bin/date	bin_date	×	√	×	√	√	√
/bin/df	bin_df	×	√	×	√	√	√
/bin/diff	bin_diff	×	√	×	√	√	√
/bin/dirname	bin_dirname	×	√	×	√	√	√
/bin/dmesg	bin_dmesg	×	√	×	√	√	√
/bin/du	bin_du	×	√	×	√	√	√
/bin/echo	bin_echo	×	√	×	√	√	√
/bin/ed	bin_ed	×	√	×	√	√	√
/bin/egrep	bin_egrep	×	√	×	√	√	√
/bin/env	bin_env	×	√	×	√	√	√
/bin/fgrep	bin_fgrep	×	√	×	√	√	√
/bin/file	bin_file	×	√	×	√	√	√
/bin/find	bin_find	×	√	×	√	√	√
/bin/grep	bin_grep	×	√	×	√	√	√
/bin/groups	bin_groups	×	√	×	√	√	√
/bin/head	bin_head	×	√	×	√	√	√
/bin/id	bin_id	×	√	×	√	√	√
/bin/ipcs	bin_ipcs	×	√	×	√	√	√
/bin/kill	bin_kill	×	√	×	√	√	√
/bin/killall	bin_killall	×	√	×	√	√	√
/bin/last	bin_last	×	√	×	√	√	√
/bin/lastlog	bin_lastlog	×	√	×	√	√	√
/bin/ldd	bin_ldd	×	√	×	√	√	√
/bin/less	bin_less	×	√	×	√	√	√
/bin/logger	bin_logger	×	√	×	√	√	√
/bin/login	bin_login	×	√	×	√	√	√
/bin/ls	bin_ls	×	√	×	√	√	√
/bin/lsattr	bin_lsattr	×	√	×	√	√	√
/bin/mail	bin_mail	×	√	×	√	√	√
/bin/md5sum	bin_md5sum	×	√	×	√	√	√
/bin/mktemp	bin_mktemp	×	√	×	√	√	√
/bin/more	bin_more	×	√	×	√	√	√
/bin/mount	bin_mount	×	√	×	√	√	√
/bin/mv	bin_mv	×	√	×	√	√	√
/bin/netstat	bin_netstat	×	√	×	√	√	√
/bin/newgrp	bin_newgrp	×	√	×	√	√	√
/bin/passwd	bin_passwd	×	√	×	√	√	√
/bin/perl	bin_perl	×	√	×	√	√	√
/bin/pgrep	bin_pgrep	×	√	×	√	√	√
/bin/ping	bin_ping	×	√	×	√	√	√
/bin/pkill	bin_pkill	×	√	×	√	√	√
/bin/ps	bin_ps	×	√	×	√	√	√
/bin/pstree	bin_pstree	×	√	×	√	√	√
/bin/pwd	bin_pwd	×	√	×	√	√	√
/bin/readlink	bin_readlink	×	√	×	√	√	√
/bin/rpm	bin_rpm	×	√	×	√	√	√
/bin/runcon	bin_runcon	×	√	×	√	√	√
/bin/sed	bin_sed	×	√	×	√	√	√
/bin/sh	bin_sh	×	√	×	√	√	√
/bin/sha1sum	bin_sha1sum	×	√	×	√	√	√
/bin/sha224sum	bin_sha224sum	×	√	×	√	√	√
/bin/sha256sum	bin_sha256sum	×	√	×	√	√	√
/bin/sha384sum	bin_sha384sum	×	√	×	√	√	√
/bin/sha512sum	bin_sha512sum	×	√	×	√	√	√
/bin/size	bin_size	×	√	×	√	√	√
/bin/sort	bin_sort	×	√	×	√	√	√
/bin/ssh	bin_ssh	×	√	×	√	√	√
/bin/stat	bin_stat	×	√	×	√	√	√
/bin/strace	bin_strace	×	√	×	√	√	√
/bin/strings	bin_strings	×	√	×	√	√	√
/bin/su	bin_su	×	√	×	√	√	√
/bin/sudo	bin_sudo	×	√	×	√	√	√
/bin/tail	bin_tail	×	√	×	√	√	√
/bin/test	bin_test	×	√	×	√	√	√
/bin/top	bin_top	×	√	×	√	√	√
/bin/touch	bin_touch	×	√	×	√	√	√
/bin/tr	bin_tr	×	√	×	√	√	√
/bin/uname	bin_uname	×	√	×	√	√	√
/bin/uniq	bin_uniq	×	√	×	√	√	√
/bin/users	bin_users	×	√	×	√	√	√
/bin/vmstat	bin_vmstat	×	√	×	√	√	√
/bin/w	bin_w	×	√	×	√	√	√
/bin/watch	bin_watch	×	√	×	√	√	√
/bin/wc	bin_wc	×	√	×	√	√	√
/bin/wget	bin_wget	×	√	×	√	√	√
/bin/whatis	bin_whatis	×	√	×	√	√	√
/bin/whereis	bin_whereis	×	√	×	√	√	√
/bin/which	bin_which	×	√	×	√	√	√
/bin/who	bin_who	×	√	×	√	√	√
/bin/whoami	bin_whoami	×	√	×	√	√	√
/bin/numfmt	bin_numfmt	×	√	×	√	√	√
/bin/kmod	bin_kmod	×	√	×	√	√	√
/bin/systemctl	bin_systemctl	×	√	×	√	√	√
/bin/gawk	bin_gawk	×	√	×	√	√	√
/bin/mailx	bin_mailx	×	√	×	√	√	√
/bin/nmcli	bin_nmcli	×	√	×	√	√	√
/bin/scp	bin_scp	×	√	×	√	√	√
/bin/tar	bin_tar	×	√	×	√	√	√
/bin/chfn	bin_chfn	×	√	×	√	√	√
/bin/chsh	bin_chsh	×	√	×	√	√	√
/bin/crontab	bin_crontab	×	√	×	√	√	√
/bin/slogin	bin_slogin	×	√	×	√	√	√
/bin/vdir	bin_vdir	×	√	×	√	√	√
/bin/write	bin_write	×	√	×	√	√	√

**Table 3** Default Linux paths for key file and directory change monitoring (sensitive mode)
File or Directory Path	Alias	Monitored Objects/Operations
File or Directory Path	Alias	Subdirectory	Creation	Property Modification	Deletion	Moving	Modification
/etc/init.d	startup	√	√	√	√	√	√
/etc/rc.d/init.d	rc-startup	√	√	√	√	√	√
/etc/rc.d/rc.local	rx-local	×	√	√	√	√	√
/etc/systemd/system	system	√	√	√	√	√	√
/etc/systemd/user	user	√	√	√	√	√	√
/etc/crontab	crontab	×	√	√	√	√	√
/var/spool/cron	spool-cron	×	√	√	√	√	√
/etc/cron.daily	cron-daily	√	√	√	√	√	√
/etc/cron.hourly	cron-hourly	√	√	√	√	√	√
/etc/cron.monthly	cron.monthly	√	√	√	√	√	√
/etc/cron.weekly	cron.weekly	√	√	√	√	√	√
/etc/cron.allow	cron.allow	×	√	√	√	√	√
/etc/passwd	passwd	×	√	√	√	√	√
/etc/profile.d/zzz_euleros_history.sh	zzz_euleros_history.sh	×	√	√	√	√	√
/etc/profile	profile	×	√	√	√	√	√
/root/.bashrc	bashrc	×	√	√	√	√	√
/root/.bash_profile	bash_profile	×	√	√	√	√	√
/root/.cshrc	cshrc	×	√	√	√	√	√
/etc/ld.so.preload	so.preload	×	√	√	√	√	√
/etc/profile.d/sec_euleros_history.sh	sec_euleros_history_sh	×	√	√	√	√	√
/etc/shells	shells	×	√	√	√	√	√
/usr/bin	bin	×	√	√	√	√	√
/bin	bin	×	√	√	√	√	√
/usr/sbin	sbin	×	√	√	√	√	√
/sbin	sbin	×	√	√	√	√	√
/usr/lib	lib	×	√	√	√	√	√
/lib	lib	×	√	√	√	√	√
/usr/lib64	lib64	×	√	√	√	√	√
/lib64	lib64	×	√	√	√	√	√

Windows file integrity monitoring checks system files and directories; records file or directory creation, modification, deletion, and moving; and records and reports file or directory attribute changes, helping you detect suspicious changes in a timely manner. For more information, see Table 4.

You can modify the File Protection policy to add or delete monitored files or directories. For details, see Configuring Policies.

**Table 4** Default Windows paths for key file and directory change monitoring
File or Directory Path	Alias	Monitored Objects/Operations
File or Directory Path	Alias	Subdirectory	File Name Extension	Creation	Deletion	Moving	Modification
c:\Windows	windows	×	exe, dll, ocx, sys, cmd, com, vbs, bat	√	√	√	√
C:\Windows\System32	system32	×	exe, dll, ocx, sys, cmd, com, vbs, bat	√	√	√	√
C:\Windows\SysWOW64	SysWOW64	×	exe, dll, ocx, sys, cmd, com, vbs, bat	√	√	√	√
C:\Windows\System32\drivers	drivers	×	sys	√	√	√	√
C:\Windows\System32\drivers\etc	etc	×	None	√	√	√	√

Notes and Constraints

File integrity management is available in HSS professional, enterprise, premium, WTP, and container editions. For details about how to purchase and upgrade HSS, see Purchasing an HSS Quota and Upgrading a Protection Quota.

References

After the file integrity monitoring scope is set, you can periodically check whether file change events are reported. For details, see Checking File Change Events.

Parent Topic: File Integrity Monitoring

Previous topic: File Integrity Monitoring

Next topic: Checking File Change Events