Managing FIM Policies using CRDs

This topic explains how to create, apply, and delete File Integrity Monitoring (FIM) policies using the FimPolicy Custom Resource Definition (CRD) in Kubernetes. This CRD allows you to define and enforce security policies that monitor specific file operations in your Kubernetes cluster.

CRDs work with qualys-tc 2.1.0 (Unified Helm chart) and CRS version 1.0.1-0 onwards.

Prerequisites

  • A running Kubernetes cluster
  • Kubernetes CLI (kubectl) installed and configured to access your cluster

Custom Resource Definition (CRD) Overview

The FimPolicy CRD enables you to define policies for monitoring file-based operations. You define a policy in a YAML manifest with the following fields.

  • Base Policy (base-policy): Specifies the file operation to be monitored on the specified monitor paths.
    Operations include:
    • file-open - CRS monitors events that occur when a file is opened.
    • file-read - CRS monitors events that occur when a file is read.
    • file-write - CRS monitors events that occur when a file is edited.
    • file-write-diff - CRS monitors the differences (diff) when a file is modified.
    • file-rename - CRS monitors events that occur when a file is renamed.
    • file-delete - CRS monitors events that occur when a file is deleted.
  • Action (action): Specifies the action CRS takes when a matching operation is detected. As of today, CRS supports only one action: 'audit'.
  • Monitor Paths (monitor-paths): Specifies the file paths or directories to be monitored, for example /var/log or /etc/nginx.

Format of a FIM Policy

The following is the typical format of a FIM policy manifest; use it as a template when you create your own policies. The format is the same for a FIM policy and a PCI FIM policy.

FIM Policy Format / PCI FIM Policy Format
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: <File name>
spec:
 base-policy: "<Base policy operation>"
 action: "audit"
 monitor-paths:
  - "<Path1>"
  - "<Path2>"
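A manifest that is syntactically valid YAML can still be rejected or silently do nothing if a placeholder was left in, base-policy is misspelled, or the path list is empty. The script below is an added example (not code from the Qualys documentation or the CRS product) that renders a FimPolicy manifest in the format above and checks it offline against the rules stated on this page: the six base-policy values, the single supported action, and the PCI FIM restriction on file-read. It parses only the flat manifest shape shown here, not general YAML; the checks that metadata.name is a lowercase DNS label and that monitor paths are absolute and unique are assumptions added for illustration.

```python
"""Render and validate FimPolicy manifests offline.

Added example; not part of the Qualys documentation or the CRS project.
Only the flat manifest shape shown on this page is handled (apiVersion,
kind, metadata.name, spec.base-policy, spec.action, spec.monitor-paths).
"""
import re

# Allowed values as stated in the CRD overview on this page.
ALLOWED_BASE_POLICIES = {
    "file-open", "file-read", "file-write",
    "file-write-diff", "file-rename", "file-delete",
}
ALLOWED_ACTIONS = {"audit"}

# Assumption: Kubernetes object names must be DNS-1123 compliant; the
# stricter label form is checked here.
_NAME_RE = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?")


def render_fim_policy(name, base_policy, monitor_paths):
    """Return the YAML text of a FimPolicy manifest in the page's format."""
    lines = [
        "apiVersion: qualys.com/v1",
        "kind: FimPolicy",
        "metadata:",
        f" name: {name}",
        "spec:",
        f' base-policy: "{base_policy}"',
        ' action: "audit"',
        " monitor-paths:",
    ]
    lines += [f'  - "{path}"' for path in monitor_paths]
    return "\n".join(lines) + "\n"


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_fim_policy(text):
    """Parse the flat FimPolicy shape into a dict (not a general YAML parser).

    Section headers such as 'metadata:' and 'spec:' carry no value and are
    skipped; every '- item' line is treated as a monitor path.
    """
    doc = {"monitor-paths": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            doc["monitor-paths"].append(_unquote(line[2:]))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        if value.strip():
            doc[key.strip()] = _unquote(value)
    return doc


def validate_fim_policy(text, pci=False):
    """Return a list of problems; an empty list means the manifest passes.

    pci=True applies the page's rule that file-read is unavailable in the
    PCI FIM environment.
    """
    doc = parse_fim_policy(text)
    problems = []
    if doc.get("apiVersion") != "qualys.com/v1":
        problems.append("apiVersion must be qualys.com/v1")
    if doc.get("kind") != "FimPolicy":
        problems.append("kind must be FimPolicy")
    name = doc.get("name", "")
    if not _NAME_RE.fullmatch(name):
        problems.append(f"metadata.name {name!r} is not a lowercase DNS label")
    base = doc.get("base-policy")
    if base not in ALLOWED_BASE_POLICIES:
        problems.append(f"base-policy {base!r} is not one of {sorted(ALLOWED_BASE_POLICIES)}")
    elif pci and base == "file-read":
        problems.append("base-policy file-read is not available in the PCI FIM environment")
    if doc.get("action") not in ALLOWED_ACTIONS:
        problems.append(f"action {doc.get('action')!r} is not supported; only 'audit' is")
    paths = doc["monitor-paths"]
    if not paths:
        problems.append("monitor-paths is empty; nothing would be monitored")
    seen = set()
    for path in paths:
        if "<" in path or ">" in path:
            problems.append(f"monitor path {path!r} still contains a template placeholder")
        elif not path.startswith("/"):
            problems.append(f"monitor path {path!r} is not absolute")
        if path in seen:
            problems.append(f"monitor path {path!r} is listed twice")
        seen.add(path)
    return problems


if __name__ == "__main__":
    # Constructed sample: the file-open manifest from Example 1 on this page.
    manifest = render_fim_policy("monitor-file-open", "file-open", ["/var/log", "/etc/nginx"])
    print(manifest)
    print("problems:", validate_fim_policy(manifest) or "none")
```

Run the validator over a manifest before kubectl apply; a non-empty problem list usually means a template placeholder was not replaced or a base-policy value was mistyped, both of which are easier to catch here than by waiting for events that never arrive.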

Operations

This section explains various CRS operations that you can perform using FIM policies. 

  1. Creating and applying a FIM Policy
  2. Viewing FIM Policies
  3. Deleting a FIM Policy

Creating and Applying a FIM Policy

Create a FimPolicy by using kubectl apply or kubectl create with a YAML manifest file. Once the manifest is applied, CRS starts monitoring the targets listed under monitor-paths in that file.

Example 1: Identifying File Open Operations

To identify file open operations using a FIM policy:

1. Create a YAML file based on your requirement, with the following name.

  • For a FIM policy, create fim-policy-file-open.yaml
  • For a PCI FIM policy, create pci-fim-file-open.yaml

fim-policy-file-open.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-file-open
spec:
 base-policy: "file-open"
 action: "audit"
 monitor-paths:
  - "/var/log"
  - "/etc/nginx"

pci-fim-file-open.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-fim-file-open
spec:
 base-policy: "file-open"
 action: "audit"
 monitor-paths:
  - "/etc/shadow"
  - "/etc/hosts"
  - "/etc/audit/audit.rules"
  - "/usr/bin/"
  - "/bin/"
  - "/etc/hosts.deny"
  - "/etc/passwd"
  - "/etc/audit/rules.d/audit.rules"
  - "/sbin/iptables"
  - "/etc/pam.d/system-auth"
  - "/etc/ssh/sshd_config"
  - "/var/log/auth.log"
  - "/sbin/"
  - "/etc/audit/auditd.conf"
  - "/usr/sbin/"
  - "/usr/local/sbin/"
  - "/etc/hosts.allow"
  - "/etc/group"
  - "/etc/sudoers"
  - "/var/log/audit/audit.log"
  - "/usr/local/bin/"

2. Apply the File Open policy.

If you are using FIM Policy,
kubectl apply -f fim-policy-file-open.yaml

OR
If you are using PCI FIM Policy,
kubectl apply -f pci-fim-file-open.yaml

Example 2: Identifying File Read Operations

This operation can be performed only in the FIM environment and not in the PCI FIM environment. 

To identify file read operations using a FIM policy:

1. Create a YAML file: fim-policy-file-read.yaml

fim-policy-file-read.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-file-read
spec:
 base-policy: "file-read"
 action: "audit"
 monitor-paths:
  - "/etc/passwd"
  - "/etc/shadow"

2. Apply the File Read policy.
kubectl apply -f fim-policy-file-read.yaml

 

Example 3: Identifying File Write Operations

To identify file write operations using a FIM policy:

1. Create a YAML file based on your requirement, with the following name.

  • For a FIM policy, create fim-policy-file-write.yaml
  • For a PCI FIM policy, create pci-lightweight-fim-file-write.yaml

fim-policy-file-write.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-file-write
spec:
 base-policy: "file-write"
 action: "audit"
 monitor-paths:
  - "/var/log"

pci-lightweight-fim-file-write.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-lightweight-fim-file-write
spec:
 base-policy: "file-write"
 action: "audit"
 monitor-paths:
  - "/etc/sudoers"
  - "/etc/ssh/sshd_config"

2. Apply the File Write policy.

If you are using FIM Policy,
kubectl apply -f fim-policy-file-write.yaml

OR
If you are using PCI FIM Policy,
kubectl apply -f pci-lightweight-fim-file-write.yaml

 

Example 4: Identifying File Write Diff Operations

To identify file write difference operations using a FIM policy:

1. Create a YAML file based on your requirement, with the following name.

  • For a FIM policy, create fim-policy-file-write-diff.yaml
  • For a PCI FIM policy, create pci-lightweight-fim-file-write-diff.yaml

fim-policy-file-write-diff.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-file-write-diff
spec:
 base-policy: "file-write-diff"
 action: "audit"
 monitor-paths:
  - "/etc/important-config"

pci-lightweight-fim-file-write-diff.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-lightweight-fim-file-write-diff
spec:
 base-policy: "file-write-diff"
 action: "audit"
 monitor-paths:
  - "/etc/sudoers"
  - "/etc/ssh/sshd_config"

2. Apply the File Write Diff policy.

If you are using FIM Policy,
kubectl apply -f fim-policy-file-write-diff.yaml

OR
If you are using PCI FIM Policy,
kubectl apply -f pci-lightweight-fim-file-write-diff.yaml

 

Example 5: Identifying File Rename Operations

To identify file rename operations using a FIM policy:

1. Create a YAML file based on your requirement, with the following name.

  • For a FIM policy, create fim-policy-file-rename.yaml
  • For a PCI FIM policy, create pci-lightweight-fim-file-rename.yaml

fim-policy-file-rename.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-file-rename
spec:
 base-policy: "file-rename"
 action: "audit"
 monitor-paths:
  - "/var/log"

pci-lightweight-fim-file-rename.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-lightweight-fim-file-rename
spec:
 base-policy: "file-rename"
 action: "audit"
 monitor-paths:
  - "/etc/sudoers"
  - "/etc/ssh/sshd_config"

2. Apply the File Rename policy.

If you are using FIM Policy,
kubectl apply -f fim-policy-file-rename.yaml

OR
If you are using PCI FIM Policy,
kubectl apply -f pci-lightweight-fim-file-rename.yaml

 

Example 6: Identifying File Delete Operations

To identify file delete operations using a FIM policy:

1. Create a YAML file based on your requirement, with the following name.

  • For a FIM policy, create fim-policy-file-delete.yaml
  • For a PCI FIM policy, create pci-fim-file-delete.yaml

fim-policy-file-delete.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-file-delete
spec:
 base-policy: "file-delete"
 action: "audit"
 monitor-paths:
  - "/var/www/html"

pci-fim-file-delete.yaml
apiVersion: qualys.com/v1
kind: FimPolicy
metadata:
 name: monitor-fim-file-delete
spec:
 base-policy: "file-delete"
 action: "audit"
 monitor-paths:
  - "/etc/shadow"
  - "/etc/hosts"
  - "/etc/audit/audit.rules"
  - "/usr/bin/"
  - "/bin/"
  - "/etc/hosts.deny"
  - "/etc/passwd"
  - "/etc/audit/rules.d/audit.rules"
  - "/sbin/iptables"
  - "/etc/pam.d/system-auth"
  - "/etc/ssh/sshd_config"
  - "/var/log/auth.log"
  - "/sbin/"
  - "/etc/audit/auditd.conf"
  - "/usr/sbin/"
  - "/usr/local/sbin/"
  - "/etc/hosts.allow"
  - "/etc/group"
  - "/etc/sudoers"
  - "/var/log/audit/audit.log"
  - "/usr/local/bin/"

2. Apply the File Delete policy.

If you are using FIM Policy,
kubectl apply -f fim-policy-file-delete.yaml

OR
If you are using PCI FIM Policy,
kubectl apply -f pci-fim-file-delete.yaml

Viewing FIM Policies

To list all FIM Policy resources, use:
kubectl get policies.qualys.com

To view details of a specific policy, run:
kubectl describe policies.qualys.com <policy-name>
Example
kubectl describe policies.qualys.com monitor-file-open

Deleting a FIM Policy

To delete a FIM Policy, use:
kubectl delete policies.qualys.com <policy-name>
Example
kubectl delete policies.qualys.com monitor-file-open

Alternatively, you can delete a policy using its YAML manifest:
kubectl delete -f fim-policy-file-open.yaml