Help
Lacework
Access helpful articles and other FAQs on Lacework
Kate_M
Community Manager
Community Manager

Created on ‎09-05-2024 02:38 AM

Article Id 339234

Specifying Custom File Integrity Monitoring (FIM) Paths for the Lacework Agent to Scan

Description Specifying Custom File Integrity Monitoring (FIM) Paths for the Lacework Agent to Scan
Scope Lacework Agent
Solution

Out of the box, the Lacework Agent will perform FIM on a set of predefined files and directories determined by our security teams. However, customers have the opportunity to specify custom file and directory paths to be monitored in addition to, or in place of, those predefined by Lacework. This allows customers to monitor files and directories that are specific to their environment and/or applications.

 

You can do this in 2 ways:

 

  1. Via the Lacework console (Recommended):
    • Login to the Lacework console
    • Go to Settings > Configuration > Agent Tokens
    • Click on the row for the agent token you want to configure
    • Click the Configure tab, then click the Edit icon
    • Select the "File Integrity Monitoring Settings" dropdown
       

       

    • Scroll to "Scan paths", select "Add a path", and add your custom path in the new input box
       

       

  2. Via a "config.json" file (stored at "/var/lib/lacework/config/config.json") on a machine with an agent installed: 
    {	...	"fim":  	{  		"filepath": ["/path/to/monitored/file", "/path/to/second/file"], 		"fileignore": ["/etc/fstab"]  	},	...}

 

If using the first method, via the Lacework console, take note that the configuration changes will be applied to all machines that have the agent installed using that specific agent access token (i.e., globally). This can be useful if you want to specify custom paths for all machines that have the agent installed using that specific agent access token without having to login to each machine and modify the config.json file.

 

If you want to specify custom paths for a specific machine(s), you can do so using the second method, via the config.json file. Doing it this way will overwrite the global configuration for that particular host. However, it's important to note that as soon as you specify values for the "filepath" key, the agent will stop monitoring the default paths and only monitor the paths you specify. If you want to monitor both the default paths and your custom paths, you will need to specify the default paths in the "filepath" key as well.

 
Labels:
160
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.