Contributed by Google employees.

This example provides a basic FIM Docker image with regularly scheduled scans.

This example is designed to be run on Google Container-Optimized OS, but it will work with most other Docker servers.

basic-fim is an open source file integrity monitoring application that monitors for files that are new, altered, or deleted.

Docker Usage

1. Modify the following script to define your data directory and the path to monitor:

   BASEDIR="/YOUR_DOCKER_APP_DATA_PATH/fim"
   NAME=fim
   IMAGE=ianmaddox/basic-fim
   TAG=latest
   FIM_DIR=/PATH/TO/MONITOR
   
   docker stop $NAME
   docker rm $NAME
   docker pull $IMAGE:$TAG
   docker create \
     --name $NAME \
     -v $BASEDIR/logs:/logs \
     -v $BASEDIR/data:/root/.fim \
     -v $FIM_DIR:/host-fs:ro \
     -e FIM_IGNORE_PATH="*/tmp/*" \
     -e FIM_THREADS="8" \
     -e FIM_PATH="/host-fs" \
     -e TZ="America/Los_Angeles" \
     $IMAGE:$TAG
   

2. Define and override environment variables (listed below) as needed.

3. Launch the container.

4. Monitor the logs.

Kubernetes Usage

1. Override environment variables shown below as needed.
2. Build your Docker image.
3. Deploy that image to your Kubernetes cluster.
4. Use Daemonsets to configure the new workload to run one scanner pod per node.
5. Ensure that scan-required paths within other pods are mounted as named volumes so they will be included in the scan of the node.

Environment variables

For more information, see Installing antivirus and file integrity monitoring on Container-Optimized OS.