File & Directory Change Monitor
(aka CIFS Monitoring, File Integrity Monitoring, FIM)
The File & Directory Change Monitor is a very powerful monitor that can watch for changes to files and directories on a server, including file and directory creation and deletion. It can aid you in keeping track of changes to your systems, and even act as an intrusion detection system. In particular, this monitor can help fulfill the requirements of several mandated security practices, such as file integrity monitoring (FIM) as described in the "Payment Card Industry Data Security Standard" (PCI DSS) (part 11.5).
When configuring the File & Directory Change Monitor, specify the starting directory and whether the subdirectories should also be checked. If the directory is not local to the computer, using UNC paths is required, since mapped drives are usually not available to the service when it runs.
The File & Directory Change Monitor can watch any CIFS share, which includes Windows shares, shares on a NAS device, and shares on Linux/Unix computers that are exported by the Samba daemon.
You can specify which file types (by file extension) should be monitored. Buttons let you quickly add common executable file types or all files, or you can manually add the individual file types that you care about.
If you select All Files, you can then filter out certain file types by extension. For example, knowing that temporary (.tmp) files have changed is often not helpful.
The "Monitor files for changes..." section is where you specify what aspects of the files and directories you'd like to monitor. If you select File Contents, the file is opened, its entire contents are read, and a checksum is generated for later comparison. This can be resource intensive, and should generally only be done for the smallest subset of files that will accomplish
If you indicate that subdirectories should be monitored, you have the ability to filter out some of the subdirectories. The pattern-matching algorithm is very simple: before a path is scanned, a backslash "\" is appended to the end of the path. Then the list of ignored directories is scanned, and if the text of any ignored directory can be completely found within the path to be scanned, that directory (and all of its subdirectories) is skipped. The check is not case
Some files are always changing (some system files, for example), but not enough of them that you can ignore all files of that extension. You can specify individual files to ignore during the scan.
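The following is an added example, not PA Server Monitor's own code, that shows how the options described above fit together: an extension include/exclude filter, the ignored-subdirectory rule (append a backslash, then look for the ignored text anywhere in the path), a list of individual files to ignore, and a File Contents checksum baseline compared on the next scan. The share name, directory tree and file contents are constructed for the demo; the page's sentence on case handling is cut off, so the case-insensitive default in is_ignored_dir is an assumption.

```python
# Added example, not PA Server Monitor's own code: a small file-integrity scan
# mirroring the options described on this page.
import hashlib
import os
import shutil
import tempfile

ALL_FILES = None  # stands in for the "All Files" button


def is_ignored_dir(path, ignored_dirs, case_sensitive=False):
    """The page's rule: append a backslash to the path, then skip the directory
    (and everything under it) if the text of any ignored directory occurs
    completely within that string. The page's sentence on case handling is cut
    off, so the case-insensitive default is an assumption of this example."""
    probe = path.rstrip("\\") + "\\"
    if not case_sensitive:
        probe = probe.lower()
    return any((d if case_sensitive else d.lower()) in probe for d in ignored_dirs)


def fingerprint(path, check_contents):
    """File Contents option: read the whole file and hash it (the costly check);
    otherwise record only the size as a cheap stand-in attribute."""
    if not check_contents:
        return "size:%d" % os.stat(path).st_size
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return "sha256:" + digest.hexdigest()


def scan(root, share, include_exts=ALL_FILES, exclude_exts=(),
         ignored_dirs=(), ignored_files=(), check_contents=True):
    """Walk local directory `root`, standing in for the UNC share `share`, and
    return {path relative to the share: fingerprint}."""
    skip_files = {f.lower() for f in ignored_files}
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "\\")
        logical = share if rel_dir == "." else share + "\\" + rel_dir
        if is_ignored_dir(logical, ignored_dirs):
            dirnames[:] = []  # prune: all of its subdirectories are skipped too
            continue
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if include_exts is not ALL_FILES and ext not in include_exts:
                continue
            if ext in exclude_exts:
                continue
            rel_file = name if rel_dir == "." else rel_dir + "\\" + name
            if rel_file.lower() in skip_files:
                continue
            snapshot[rel_file] = fingerprint(os.path.join(dirpath, name), check_contents)
    return snapshot


def compare(baseline, current):
    """Classify the differences between two snapshots: the events the monitor
    records and can alert on."""
    return {
        "created": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed tree, take a baseline, mutate it and return the
    change report; only the first three mutations should be reported."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    opts = dict(share="\\\\fileserver\\apps",  # constructed UNC name
                include_exts=ALL_FILES, exclude_exts={".tmp"},
                ignored_dirs=["\\logs\\"], ignored_files=["work\\counter.dat"])
    try:
        for rel, data in {"bin/app.exe": b"MZ constructed binary v1",
                          "bin/helper.dll": b"constructed library",
                          "logs/today.log": b"noise line 1\n",
                          "work/notes.txt": b"plain notes",
                          "work/scratch.tmp": b"temp data",
                          "work/counter.dat": b"1"}.items():
            _write(root, rel, data)
        baseline = scan(root, **opts)
        _write(root, "bin/app.exe", b"MZ constructed binary v2")  # changed
        _write(root, "bin/new.exe", b"MZ constructed binary")     # created
        os.remove(os.path.join(root, "bin", "helper.dll"))        # deleted
        _write(root, "logs/today.log", b"noise line 2\n")         # ignored directory
        _write(root, "work/scratch.tmp", b"more temp data")       # excluded extension
        _write(root, "work/counter.dat", b"2")                    # file to ignore
        return compare(baseline, scan(root, **opts))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Two points worth checking against your own ignore list: because the rule is a plain substring match, an entry written as "\logs\" (with both backslashes) skips only a directory named exactly logs, whereas an entry of just "logs" also skips logsarchive and anything else containing that text. The Training feature described below amounts to running compare() across the training period and appending every path it reports to the Files to ignore list.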
About "Files to ignore" and Training
"Files to ignore" is a text box where you can enter the names of files that are to be ignored by the File and Directory Change Monitor. This feature operates in conjunction with the Training feature in order to customize the behavior of PA Server Monitor easily.
Training is a powerful feature available on many monitors. With the File & Directory Change Monitor, the monitor will watch for changes over a period of time. Everything that changes within that period of time is automatically added to the Files to Ignore list. After the training period ends, the monitor automatically switches into its normal scanning pattern.
Because "Files to ignore" is a text box, you can remove any files or add new files as you require by editing the list of files by hand.
Standard Configuration Options
Like all monitors, this monitor has standard buttons on the right for Adding Actions, setting Advanced Options and setting the Monitor Schedule.
All file and directory changes that can be alerted on are also recorded to a database. This database allows you to run reports on types of changes, changes to particular files or directories, etc.