Managing FIM Policies using CRDs
This topic explains how to create, apply, and delete File Integrity Monitoring (FIM) policies using the FimPolicy Custom Resource Definition (CRD) in Kubernetes. This CRD allows you to define and enforce security policies that monitor specific file operations in your Kubernetes cluster.
CRDs work with qualys-tc 2.1.0 (Unified Helm chart) and CRS version 1.0.1-0 onwards.
Prerequisites
- A running Kubernetes cluster
- Kubernetes CLI (kubectl) installed and configured to access your cluster
Custom Resource Definition (CRD) Overview
The FimPolicy CRD enables you to define policies for monitoring file-based operations. You create a YAML manifest with the following fields.
- Base Policy (base-policy): Specifies the file operation to monitor on the listed monitor paths. Supported operations:
  - file-open - CRS monitors events that occur when a file is opened.
  - file-read - CRS monitors events that occur when a file is read.
  - file-write - CRS monitors events that occur when a file is edited.
  - file-write-diff - CRS monitors differences when a file is modified.
  - file-rename - CRS monitors events that occur when a file is renamed.
  - file-delete - CRS monitors events that occur when a file is deleted.
- Action (action): Specifies the action CRS takes for matching events. As of today, CRS supports only one action - 'audit'.
- Monitor Paths (monitor-paths): Specifies the file paths or directories to be monitored, for example /var/log or /etc/nginx.
Format of a FIM Policy
A FIM policy manifest has the following format; use it as the template for your own policies.
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: <File name>
spec:
  base-policy: "<Base policy operation>"
  action: "audit"
  monitor-paths:
    - "<Path1>"
    - "<Path2>"
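The following helper is an added example, not part of the Qualys documentation or the CRS product: it validates the fields described above (the six base-policy values, the single supported action, absolute monitor paths, a Kubernetes-valid name) and renders a FimPolicy manifest in the layout shown, so malformed policies are caught before kubectl apply. It writes the YAML directly rather than depending on a YAML library; the function and file names are this example's own.

```python
import re

# Allowed values as listed in the FimPolicy CRD description on this page.
BASE_POLICIES = frozenset({
    "file-open", "file-read", "file-write",
    "file-write-diff", "file-rename", "file-delete",
})
ACTIONS = frozenset({"audit"})  # CRS currently supports only 'audit'
# Lowercase DNS-1123 label; stricter than kubectl requires but always accepted.
NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def validate_fim_policy(name, base_policy, action, monitor_paths):
    """Return a list of problems; an empty list means the policy is well-formed."""
    problems = []
    if not NAME_RE.match(name) or len(name) > 63:
        problems.append(f"metadata.name {name!r} is not a valid Kubernetes object name")
    if base_policy not in BASE_POLICIES:
        problems.append(f"base-policy {base_policy!r} is not one of {sorted(BASE_POLICIES)}")
    if action not in ACTIONS:
        problems.append(f"action {action!r} is unsupported; CRS supports {sorted(ACTIONS)}")
    if not monitor_paths:
        problems.append("monitor-paths must list at least one path")
    for path in monitor_paths:
        # Relative paths, quotes or newlines would silently change what CRS monitors.
        if not path.startswith("/") or '"' in path or "\n" in path:
            problems.append(f"monitor path {path!r} must be absolute and contain no quotes or newlines")
    return problems


def render_fim_policy(name, base_policy, action, monitor_paths):
    """Render a FimPolicy manifest in the page's layout, or raise ValueError."""
    problems = validate_fim_policy(name, base_policy, action, monitor_paths)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "apiVersion: qualys.com/v1",
        "kind: FimPolicy",
        "metadata:",
        f"  name: {name}",
        "spec:",
        f'  base-policy: "{base_policy}"',
        f'  action: "{action}"',
        "  monitor-paths:",
    ] + [f'    - "{p}"' for p in monitor_paths]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example: the file-read policy from this page, written to a manifest file.
    manifest = render_fim_policy("monitor-file-read", "file-read", "audit",
                                 ["/etc/passwd", "/etc/shadow"])
    with open("fim-policy-file-read.yaml", "w") as fh:  # hypothetical output file name
        fh.write(manifest)
    print(manifest, end="")
```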
Operations
This section explains various CRS operations that you can perform using FIM policies.
Creating and Applying a FIM Policy
Create a FimPolicy by using kubectl apply or kubectl create with a YAML manifest file. Once you apply the manifest, CRS starts monitoring the targets listed under monitor-paths in that YAML file.
Example 1: Monitoring File Open Operations
Create a YAML file named fim-policy-file-open.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-file-open
spec:
  base-policy: "file-open"
  action: "audit"
  monitor-paths:
    - "/var/log"
    - "/etc/nginx"
Applying the File Open policy
kubectl apply -f fim-policy-file-open.yaml
Example 2: Monitoring File Read Operations
Create a YAML file named fim-policy-file-read.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-file-read
spec:
  base-policy: "file-read"
  action: "audit"
  monitor-paths:
    - "/etc/passwd"
    - "/etc/shadow"
Applying the policy
kubectl apply -f fim-policy-file-read.yaml
Example 3: Monitoring File Write Operations
Create a YAML file named fim-policy-file-write.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-file-write
spec:
  base-policy: "file-write"
  action: "audit"
  monitor-paths:
    - "/var/log"
Applying the policy
kubectl apply -f fim-policy-file-write.yaml
Example 4: Monitoring File Write Diff Operations
Create a YAML file named fim-policy-file-write-diff.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-file-write-diff
spec:
  base-policy: "file-write-diff"
  action: "audit"
  monitor-paths:
    - "/etc/important-config"
Applying the policy
kubectl apply -f fim-policy-file-write-diff.yaml
Example 5: Monitoring File Rename Operations
Create a YAML file named fim-policy-file-rename.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-file-rename
spec:
  base-policy: "file-rename"
  action: "audit"
  monitor-paths:
    - "/var/log"
Applying the policy
kubectl apply -f fim-policy-file-rename.yaml
Example 6: Monitoring File Delete Operations
Create a YAML file named fim-policy-file-delete.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
  name: monitor-file-delete
spec:
  base-policy: "file-delete"
  action: "audit"
  monitor-paths:
    - "/var/www/html"
Applying the policy
kubectl apply -f fim-policy-file-delete.yaml
Viewing FIM Policies
To list all FimPolicy resources, use:
kubectl get policies.qualys.com
To view details of a specific policy, run:
kubectl describe policies.qualys.com <policy-name>
Example
kubectl describe policies.qualys.com monitor-file-open
Deleting a FIM Policy
To delete a FimPolicy by name, use:
kubectl delete policies.qualys.com <policy-name>
Example
kubectl delete policies.qualys.com monitor-file-open
Alternatively, you can delete a policy using its YAML manifest:
kubectl delete -f fim-policy-file-open.yaml