File Integrity & Firewall Configuration
Implement file integrity monitoring and secure firewall rules to comply with Sprinto's system configuration checks and reduce infrastructure security risks.
Sprinto monitors whether your systems implement critical infrastructure-level controls to detect unauthorised file changes and restrict inbound/outbound traffic. These controls are essential for safeguarding servers, production workloads, and sensitive environments from tampering and external threats.
This article covers how Sprinto tracks file integrity monitoring (FIM), firewall enforcement, and stateful inspection — along with how to resolve failing checks using evidence or configuration changes.
What is Monitored
Sprinto evaluates the following control types under this category:
File Integrity Monitoring (FIM)
Detects unauthorised changes to critical system files
Often implemented using agent-based tools (e.g., OSSEC, Wazuh, Tripwire)
Typically applied to Windows and Linux servers
Firewall Ruleset Configuration
Ensures systems and workloads are protected with defined allow/block rules
Validates explicit rules for critical ports (e.g., 22, 80, 443)
Monitors presence of default-deny policies
Stateful Inspection for Firewalls
Verifies that firewalls track the state of active connections
Ensures only legitimate responses are allowed for outbound/inbound traffic
Supported Environments
Environment | File Integrity Monitoring | Firewall Configuration
Windows (On-Prem / VM) | Manual Evidence | Manual Evidence
Linux Servers | Manual Evidence | Manual Evidence
AWS Security Groups | Not monitored | via AWS Configuration
Azure NSGs | Not monitored | via Diagnostic Settings
Sprinto Checks | Workflow-Based | Workflow-Based
How to Resolve File Integrity Monitoring Checks
Implement a FIM tool on your servers (e.g., Wazuh, Tripwire, OSSEC)
Configure it to monitor key file paths:
Linux: /etc/passwd, /etc/shadow, /bin
Windows: C:\Windows\System32, registry keys, service directories
Enable daily or real-time scan and reporting
Export a screenshot or recent FIM report summary
Upload this as evidence in Sprinto
How to Resolve Firewall Configuration Checks
A. For Windows / Linux
Open firewall settings (Windows Defender, UFW, iptables)
Ensure the following:
Default inbound policy is deny
Allowed ports are explicitly listed (e.g., 443, 22)
Logging is enabled for denied connections
Capture firewall rules using:
Windows: netsh advfirewall show rule name=all
Linux: sudo iptables -L -v or ufw status verbose
Upload a screenshot or export as evidence
B. For AWS / Azure (optional monitor context)
Review AWS Security Groups or Azure NSGs
Ensure:
Minimal open ports
No 0.0.0.0/0 unrestricted access unless justified
Flow logs are enabled for inspection (via Diagnostic Settings or VPC Flow Logs)
How to Validate Stateful Inspection Configuration
If using an enterprise firewall (e.g., Palo Alto, Fortinet, pfSense):
Access admin console
Confirm that stateful inspection mode is enabled
Download or screenshot the configuration summary
If using host-based firewalls, verify that outbound rules are restricted and connection states are tracked
Remediating in Sprinto
Go to Monitoring > Check History
Click the check (e.g., “Stateful Firewall Not Enabled”)
Select Upload Evidence
Add comments describing the enforcement method (e.g., “Using Wazuh for FIM on all Ubuntu hosts”)
Click Mark as Resolved
Best Practices
Use a single FIM tool across all critical infrastructure
Automate alerting via SIEM or email when FIM detects a change
Maintain a hardened baseline ruleset and version it
Periodically review firewall logs for unintentional exposures