Configuring FIM Add-on for PCF

Page last updated:

This topic describes how to configure and use the File Integrity Monitoring Add-on for PCF (FIM Add-on).

Listing directories to be monitored

The FIM Add-on monitors a set of critical system directories. The list of directories to be monitored by the FIM Add-on can be configured using the fim.dirs property. The default value of fims.dir is:

    - /bin
    - /etc
    - /lib
    - /lib64
    - /opt
    - /sbin
    - /srv
    - /usr
    - /var/lib
    - /var/vcap/bosh
    - /var/vcap/data/packages
    - /var/vcap/monit/job
    - /var/vcap/data/jobs

Configure the Output Destination

FIM supports three types of output:

  • stdout: sends messages to /var/vcap/sys/log/fim/fim.stdout.log.
  • stderr: sends messages to /var/vcap/sys/log/fim/fim.stderr.log.
  • syslog: sends messages to /var/log/messages.

The output is configured using the fim.outputs property.

Note: Currently, FIM only supports selecting one output at a time.

The default value of the fim.outputs property:

    - syslog

Configure the Output Format

By default, the the FIM Add-on generates messages in the Common Event Format. Output format can be configured as a Golang text template using the fim.format property. The default value of fim.format is:

  format: "CEF:0|cloud_foundry|fim|1.0.0|{{.Map.optype}}|file integrity monitoring event|5| {{.KeyValues}}"

The FIM Add-on also supports the following variables:


The {{.Json}} string serializes an event into a standard JSON dictionary. Example:



The {{.KeyValues}} string serializes an event into a series of key=value fields. Example:

fname="/bin/binary" hostname="plymouth" opname="CREATE" optype=1 ts=1475195258


The {{.Map}} string provides attribute-level access on an event.

For example, the following variable definition:

  format: "{{.Map.fname}} {{.Map.hostname}} {{.Map.opname}} {{.Map.optype}} {{.Map.ts}}"

produces the following:

/bin/binary plymouth CREATE 1 da39a3ee5e6b4b0d3255bfef95601890afd80709 1475195574

Calculate File Hashes

The FIM Add-on supports hashing monitored files on WRITE or CREATE events using the sha256 algorithm. Hashing is disabled by default, and can be configured using the fim.digests property, as follows:

    - sha256

File Size Threshold

The FIM Add-on sets a threshold on the size of files to be hashed. Use the fim.digest_threshold property to adjust this threshold. The property takes a value in bytes. The default value is 10000000.

  digest_threshold: 10000000
Create a pull request or raise an issue on the source for this page in GitHub