On-premises file change monitoring

File integrity monitoring across Windows, macOS, and Linux endpoints and file servers — audit-ready evidence for SOC 2, HIPAA, NIST, CMMC, and cyber-insurance.

File integrity monitoring (FIM) is the discipline of detecting unauthorised changes to files on servers and workstations — system binaries, configuration files, scheduled-task definitions, service registrations, and the contents of regulated data shares. It is a named control under PCI DSS (Requirement 11.5), HIPAA (45 CFR § 164.312(c)), NIST SP 800-171 (3.14), CMMC 2.0 (SI.L2-3.14), and most cyber-insurance technical questionnaires. The auditor's question is the same in every framework: how would you know if something on this server changed?

Lavawall®'s cross-platform agent answers the question on every Windows, macOS, and Linux endpoint and server it manages. Creates, writes, deletes, renames, and ACL changes are captured at the OS level, attributed to the actor where the OS exposes that information, and surfaced in the change feed alongside the rest of Lavawall®'s security signals. The same agent also captures event-log activity (Windows Event Log, macOS unified log, Linux journald) so a file change can be correlated with the sign-in or process that produced it.

What it monitors

  • System-critical paths by default. Windows: %SystemRoot%\System32, Program Files, scheduled-task and service binaries, the registry hives that control persistence. Linux: /etc, /usr/bin, /usr/sbin, /etc/cron.d, /etc/systemd/system. macOS: /System, /usr, /Library, /private/etc, LaunchDaemons.
  • Client-specific paths. Add a shared file server's accounting drive, a clinical record store, a software-development repository, or any other regulated location. Per-tenant configuration; no agent redeployment to extend coverage.
  • Windows file shares. The Lavawall® agent on a Windows file server captures the Windows Security event log entries for share access (events 5140 and 5145) alongside the local file-system change events. The MSP sees both layers correlated — who connected to the share, from which IP, and which files they touched.
  • Linux file shares. Both NFS-exported and Samba-exported directories are covered through the Linux audit subsystem (auditd) and inotify. Read-event coverage is configurable per path because it generates more event volume than write coverage.
  • ACL and permission changes. The most attacker-friendly file change is the one that opens an existing file to a new user. ACL changes are first-class events in the change feed, attributed to the actor that issued the change.
  • Antivirus-tampering detection. Defender exclusions added at the file-system level, AV service binaries renamed or deleted, and similar tampering patterns are surfaced as high-severity events.

How it works

Windows: the Lavawall® agent registers with the Windows file-system filter driver framework (no kernel driver of our own; we attach as a minifilter client) and consumes Security event log entries 4663, 4660, and 4670 for object access and 5140 and 5145 for share-level activity. Events are filtered against the policy on the agent (so noisy paths like temp directories don't fill the network) and forwarded to the Lavawall® console with the actor's SID, source IP for share access, and the operation performed.
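The correlation described above, as an added example that is not Lavawall®'s agent code: the five Security event IDs are grouped by logon session so that a share connection (5140), the files opened through it (5145, 4663), a deletion (4660, which carries only a handle and is resolved against the 4663 that opened it) and a permission change (4670) read as one story. The records are constructed to mirror the documented EventData field names; every value in them is made up.

```python
"""Correlate Windows Security share-access and object-access events by logon session.

Added example, not Lavawall's agent code. SAMPLE_EVENTS is constructed: the field
names follow the EventData of events 5140/5145/4663/4660/4670, the values are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Subset of the ACCESS_MASK bits that object-access auditing reports on files.
ACCESS_BITS = {
    0x00001: "ReadData",
    0x00002: "WriteData",
    0x00004: "AppendData",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",  # rewrite the DACL: the "open it to a new user" case
}


def describe_access(mask_hex: str) -> List[str]:
    """Turn an AccessMask such as '0x40002' into the rights it requests."""
    mask = int(mask_hex, 16)
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


@dataclass
class Session:
    user: str
    domain: str
    ip: Optional[str] = None  # only 5140/5145 carry a client IP; local access has none
    shares: Set[str] = field(default_factory=set)
    file_ops: List[Tuple[str, List[str]]] = field(default_factory=list)
    deletes: List[str] = field(default_factory=list)
    acl_changes: List[str] = field(default_factory=list)


def correlate(events: List[dict]) -> Dict[str, Session]:
    """Group events by SubjectLogonId. 4660 names no object, so the object name is
    recovered from the 4663 that opened the same HandleId in the same session."""
    sessions: Dict[str, Session] = {}
    handles: Dict[Tuple[str, str], str] = {}
    for ev in events:
        logon = ev["SubjectLogonId"]
        s = sessions.setdefault(logon, Session(ev["SubjectUserName"], ev["SubjectDomainName"]))
        eid = ev["EventID"]
        if eid == 5140:
            s.ip = ev["IpAddress"]
            s.shares.add(ev["ShareName"])
        elif eid == 5145:
            s.ip = s.ip or ev["IpAddress"]
            s.file_ops.append((ev["ShareName"] + "\\" + ev["RelativeTargetName"],
                               describe_access(ev["AccessMask"])))
        elif eid == 4663:
            handles[(logon, ev["HandleId"])] = ev["ObjectName"]
            s.file_ops.append((ev["ObjectName"], describe_access(ev["AccessMask"])))
        elif eid == 4660:
            s.deletes.append(handles.get((logon, ev["HandleId"]),
                                         "<unresolved handle %s>" % ev["HandleId"]))
        elif eid == 4670:
            s.acl_changes.append(ev["ObjectName"])
    return sessions


def high_severity(sessions: Dict[str, Session]) -> List[str]:
    """Logon IDs whose session changed an ACL or deleted an object."""
    return [lid for lid, s in sessions.items() if s.acl_changes or s.deletes]


# Constructed sample: one remote user works on an accounting share and deletes a
# file and changes a folder ACL; a local service account only reads a file.
SAMPLE_EVENTS = [
    {"EventID": 5140, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a4",
     "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\Accounting", "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a4",
     "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\Accounting", "RelativeTargetName": "Q3\\payroll.xlsx",
     "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a4",
     "ObjectName": "D:\\Shares\\Accounting\\Q3\\payroll.xlsx", "HandleId": "0x1a4", "AccessMask": "0x10000"},
    {"EventID": 4660, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a4",
     "HandleId": "0x1a4"},
    {"EventID": 4670, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a4",
     "ObjectName": "D:\\Shares\\Accounting\\Q3"},
    {"EventID": 4663, "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP", "SubjectLogonId": "0x9c1",
     "ObjectName": "D:\\Shares\\Accounting\\Q3\\ledger.csv", "HandleId": "0x2b0", "AccessMask": "0x1"},
]

if __name__ == "__main__":
    for lid, s in correlate(SAMPLE_EVENTS).items():
        print(lid, s.domain + "\\" + s.user, s.ip, sorted(s.shares), s.file_ops, s.deletes, s.acl_changes)
```

The logon ID is the join key because it is the one field all five events share; the client IP is only ever present on the share-level events, which is why a local (console or service) session correctly ends up with no IP.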

Linux: the Lavawall® agent uses the kernel auditd subsystem (for path-rooted file-event monitoring with actor attribution) and inotify (for high-throughput change detection without actor attribution where audit subsystem licensing is restricted). The two layers are stitched together by the agent so the MSP sees one consistent event list.

macOS: the Lavawall® agent uses Endpoint Security framework (Apple's supported successor to kauth) for file-event capture. No kernel extension; full notarisation; works on Apple Silicon and Intel Macs.

Event flow: the agent batches events on a configurable cadence (default 30 seconds, lower-latency available for high-priority paths) and forwards them to the Lavawall® console where they're correlated with the user-reporting, configuration-assessment, and breach-detection modules. Events feed the notifications framework for digest delivery or immediate paging.

Audit and compliance use

File integrity monitoring is one of the most-asked control questions across the frameworks Lavawall® supports. The change feed is exportable in formats the audit firms ThreeShield has worked with accept: CSV, JSON, and the Lavawall®-native evidence-bundle format. Each change carries the path, the operation, the actor (where the OS exposes it), the timestamp, and a hash of the file before and after.
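The evidence record described above (path, operation, timestamp, hash before and after), as an added example that is not Lavawall®'s agent code: a baseline snapshot of a directory tree is compared with a later one, and each create, write, delete or permission change becomes one record. It generalises the "ACL and permission changes" point from the list above by treating an owner or mode change as its own operation and marking a file that became world-writable as high severity. POSIX mode bits stand in for ACLs, and the sample tree is constructed inside a temporary directory.

```python
"""Baseline-and-compare file integrity check that emits change-feed records with
path, operation, timestamp and the file hash before and after.

Added example, not Lavawall's agent code. Permission changes are detected from
stat() mode/owner bits (a POSIX stand-in for ACLs); the demo tree is constructed.
"""
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, dict]:
    """Record hash, size, permission bits and owner for every regular file under root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # directories and symlinks are out of scope for this example
        st = p.stat()
        entries[p.relative_to(root).as_posix()] = {
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
        }
    return entries


def diff(before: Dict[str, dict], after: Dict[str, dict], ts: Optional[float] = None) -> List[dict]:
    """Compare two snapshots; one record per create, write, delete or permission change."""
    ts = time.time() if ts is None else ts
    events: List[dict] = []

    def rec(path, op, b, a, **extra):
        events.append({"path": path, "op": op, "ts": ts,
                       "hash_before": b["sha256"] if b else None,
                       "hash_after": a["sha256"] if a else None, **extra})

    for rel in sorted(set(before) | set(after)):
        b, a = before.get(rel), after.get(rel)
        if b is None:
            rec(rel, "create", None, a)
        elif a is None:
            rec(rel, "delete", b, None)
        else:
            if b["sha256"] != a["sha256"]:
                rec(rel, "write", b, a)
            if (b["mode"], b["uid"]) != (a["mode"], a["uid"]):
                # A file that is now writable by everyone is the high-severity case.
                rec(rel, "permission_change", b, a,
                    mode_before=oct(b["mode"]), mode_after=oct(a["mode"]),
                    severity="high" if a["mode"] & stat.S_IWOTH else "medium")
    return events


def demo() -> List[dict]:
    """Constructed tree: take a baseline, make one change of each kind, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in {"etc/sshd_config": b"PermitRootLogin no\n",
                          "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
                          "usr/bin/tool": b"#!/bin/sh\necho ok\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
            os.chmod(root / rel, 0o640)
        baseline = snapshot(root)

        (root / "etc/sshd_config").write_bytes(b"PermitRootLogin yes\n")  # content change
        os.chmod(root / "etc/cron.d/backup", 0o666)                        # opened to everyone
        (root / "usr/bin/tool").unlink()                                   # deletion
        (root / "usr/bin/newtool").write_bytes(b"#!/bin/sh\necho new\n")  # creation
        return diff(baseline, snapshot(root), ts=1700000000.0)


if __name__ == "__main__":
    import json
    for e in demo():
        print(json.dumps(e))
```

Each record is already a flat dictionary, so the same list serialises to JSON lines or CSV without further shaping, which is the form an auditor can diff against the baseline themselves.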

The same evidence base feeds:

  • SOC 2 — CC6.6 (logical access controls) and CC7.2 (system event monitoring).
  • HIPAA Security Rule — § 164.312(c)(1) integrity controls.
  • NIST SP 800-171 / CMMC 2.0 Level 2 — SI.L2-3.14 (system and information integrity).
  • PCI DSS v4 — Requirement 11.5 (change-detection mechanism).
  • ISO 27001:2022 — A.8.16 (monitoring activities) and A.8.20 (network controls).
  • CIS Controls v8 — Safeguard 8.7 (collect URL request audit logs) and 8.11 (conduct audit log reviews).

Frequently asked

What is file integrity monitoring (FIM)?
File integrity monitoring tracks who creates, modifies, deletes, or changes permissions on a file on a server or workstation. It is a core control under PCI DSS, HIPAA, NIST SP 800-171, CMMC, and most cyber-insurance questionnaires. Lavawall®'s file-change monitoring is the FIM control evidence MSPs need to answer those audit questions.
What is monitored?
Creates, writes, deletes, renames, and ACL changes across configured paths. The default policy covers system-critical paths (Windows System32, Program Files, scheduled-task and service binaries; Linux /etc, /usr/bin, /usr/sbin; macOS /System, /usr, /Library). MSPs can extend coverage to client-specific paths such as a shared file server's accounting drive or a clinical record store.
Does this cover Windows file servers and SMB shares?
Yes. The Lavawall® agent on a Windows file server captures the Windows Security event log entries for file-share access (events 5140, 5145) alongside the local file-system change events. The MSP sees both layers correlated — who connected to the share, from which IP, and which files they touched.
Does this work on Linux file servers?
Yes. The Lavawall® agent uses the Linux audit subsystem (auditd) and inotify to capture file events. Both NFS-exported and Samba-exported directories are covered. The agent supports Debian and RHEL families; package signing is verified at install time.
How does this compare to Varonis or Netwrix Auditor?
Varonis and Netwrix Auditor offer deep file-activity intelligence with sensitive-data classification, file-content inspection, and long-term audit archives priced for enterprise. Lavawall® covers the FIM control evidence MSPs need for SOC 2, HIPAA, NIST, and CMMC, plus correlation with endpoint event-log analytics and identity activity — bundled with the rest of the MSP platform at MSP pricing. For most MSP-served SMB and mid-market clients, Lavawall® is the right tool. For enterprises with dedicated DLP and records-management programmes, Varonis or Netwrix may still be the better fit.