Tenable Nova LLC

File Integrity Monitoring (SI-7)

Integration Guide for AIDE, Tripwire, and osquery
SWT3 Protocol v1.3.0 | May 2026 | Patent Pending | Apache 2.0
Control Family: SI-7
NIST 800-171: 3.14.6
DISA STIG: V-238400
Supported Tools: 3

1. Overview

NIST 800-53 SI-7 (Software, Firmware, and Information Integrity) requires organizations to employ integrity verification tools to detect unauthorized changes to software, firmware, and information. Axiom automates compliance evidence for SI-7 through two probes:

Probe ID | Name                 | What It Checks                                                     | Pass Condition
SI-7.1   | File Integrity Tool  | Presence of AIDE, Tripwire, or osquery on the system               | At least 1 tool detected
SI-7.2   | Package Verification | Packages in an inconsistent install state, reported by dpkg --audit | 10 or fewer packages reported

Scope of SI-7.2: dpkg --audit lists packages that are half-installed, half-configured, or awaiting triggers. It does not compare installed files against the checksums recorded by the package (that is what dpkg --verify or debsums does), so tampering with the contents of an installed package is caught by the SI-7.1 tool's file checks, not by SI-7.2.

Continuous monitoring: The automated heartbeat workflow validates system integrity every 24 hours and mints an SWT3 Witness Anchor for the result.

2. AIDE Integration

AIDE (Advanced Intrusion Detection Environment) is the recommended FIM tool for Debian/Ubuntu systems. It creates a database of file checksums and detects changes on subsequent scans.

2.1 Installation

# Install AIDE
sudo apt-get install aide aide-common

# Initialize the database (takes 2-5 minutes)
sudo aideinit

# Move the new database into position
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

2.2 Configuration

The default AIDE configuration (/etc/aide/aide.conf) monitors critical system paths. AIDE selection lines are regular expressions matched against the start of the path, so a rule for /etc also covers everything beneath it, and a leading ! excludes a subtree. For Axiom integration, ensure these paths are included:

# Critical paths for SI-7 compliance
/etc            p+i+u+g+sha256
/usr/bin        p+i+u+g+sha256
/usr/sbin       p+i+u+g+sha256
/opt/axiom-engine      p+i+u+g+sha256
/var/www        p+i+u+g+sha256

# Exclude volatile paths
!/var/log
!/tmp
!/var/cache
!/opt/axiom-engine/logs

2.3 Scheduled Scans

# /etc/cron.d/aide-axiom
# Run AIDE check daily at 03:00 UTC, feed results to Axiom.
# aide --check exits 1-7 when it finds added/removed/changed entries and 14 or
# higher only on a real error (bad config, I/O, version mismatch). Do not chain
# the ingest with &&: that would skip exactly the runs that detected changes.
# Ingest unless the check itself failed.
0 3 * * * root /usr/bin/aide --check --config=/etc/aide/aide.conf > /opt/axiom-engine/logs/aide-latest.log 2>&1; [ $? -lt 14 ] && /opt/axiom-engine/tools/axiom ingest --type=fim --file=/opt/axiom-engine/logs/aide-latest.log

2.4 Feeding Results to Axiom

# Manual ingestion
axiom ingest --type=fim --file=/opt/axiom-engine/logs/aide-latest.log

# The ingestion command:
# 1. Parses AIDE output for changed/added/removed files
# 2. Mints SI-7.1 PASS anchor (tool is present and running)
# 3. Records change count as factor_b for SI-7.2 evaluation
# 4. Emits OTel span for adjudication
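The parsing step the ingestion command performs, written out as an added example. This is not Axiom's own parser: it extracts the added/removed/changed paths from an AIDE --check report, cross-checks them against AIDE's own Summary block, and yields the change count that the text above says becomes factor_b. SAMPLE_REPORT is constructed in the layout AIDE 0.17 prints; the exit-code helpers encode the status values documented in aide(1) so the cron job's return code can be checked against the report.

```python
"""Parse an AIDE --check report into added/removed/changed paths and the
change count recorded as factor_b. Added example, not Axiom's own parser.
SAMPLE_REPORT is constructed in the layout AIDE 0.17 prints."""
import re
from dataclasses import dataclass, field

# aide(1) exit status: bits 1/2/4 mean added/removed/changed entries were
# found (so 1-7 are "changes detected"); 14 and above are real errors.
AIDE_EXIT_ADDED, AIDE_EXIT_REMOVED, AIDE_EXIT_CHANGED = 1, 2, 4
AIDE_EXIT_FIRST_ERROR = 14

SUMMARY_RE = re.compile(r"^\s+(Added|Removed|Changed) entries:\s+(\d+)$")
SECTION_RE = re.compile(r"^(Added|Removed|Changed) entries:$")
# Entry lines: "f++++++++++++++++: /path" (added), "f----------------: /path"
# (removed), "f   ...    .C... : /path" (changed); the path follows the colon.
ENTRY_RE = re.compile(r"^[a-zA-Z][^:]*:\s+(\S.*)$")


@dataclass
class AideReport:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    changed: list = field(default_factory=list)
    summary: dict = field(default_factory=dict)

    @property
    def change_count(self) -> int:
        """The value recorded as factor_b for SI-7.2."""
        return len(self.added) + len(self.removed) + len(self.changed)

    def consistent(self) -> bool:
        """True when the listed entries agree with AIDE's own Summary block;
        a mismatch means a truncated or edited log, which should not be ingested."""
        return all(self.summary.get(name, 0) == len(getattr(self, name.lower()))
                   for name in ("Added", "Removed", "Changed"))


def parse_aide_report(text: str) -> AideReport:
    report, section = AideReport(), None
    for line in text.splitlines():
        if m := SUMMARY_RE.match(line):
            report.summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif line.startswith("Detailed information"):
            section = None          # per-file attribute dumps follow; stop collecting
        elif section and (m := ENTRY_RE.match(line)):
            getattr(report, section).append(m.group(1))
    return report


def expected_exit_code(report: AideReport) -> int:
    """Exit status aide --check returns for a report with these findings."""
    return ((AIDE_EXIT_ADDED if report.added else 0)
            | (AIDE_EXIT_REMOVED if report.removed else 0)
            | (AIDE_EXIT_CHANGED if report.changed else 0))


def exit_code_means_error(rc: int) -> bool:
    """Only these codes should stop ingestion; 1-7 are findings, not failures."""
    return rc >= AIDE_EXIT_FIRST_ERROR


# Constructed sample in AIDE 0.17's layout (paths and hashes are made up).
SAMPLE_REPORT = """\
Start timestamp: 2026-05-02 03:00:01 +0000 (AIDE 0.17.4)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      48211
  Added entries:                2
  Removed entries:              1
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /usr/bin/.hidden-helper
d++++++++++++++++: /opt/axiom-engine/plugins

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /usr/sbin/old-tool

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C... : /etc/ssh/sshd_config

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/ssh/sshd_config
  SHA256   : 7Bh0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 9Qk2bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""

if __name__ == "__main__":
    rep = parse_aide_report(SAMPLE_REPORT)
    print(f"factor_b={rep.change_count} consistent={rep.consistent()} "
          f"aide_exit={expected_exit_code(rep)}")
```

The consistency check is worth keeping in a real ingester: an attacker who can truncate the log file between the AIDE run and ingestion would otherwise be able to lower the recorded change count without touching the database.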

2.5 Baseline Updates

After authorized changes (patching, deployments), update the AIDE baseline:

# After authorized maintenance
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Record the baseline update in the witness ledger
axiom scan --module=si_integrity --provenance
Policy requirement: Per SI-7 policy, baselines must be updated within 72 hours of authorized changes. Failure to update creates false positives that degrade the SI-7.2 verdict.

3. Tripwire Integration

Tripwire provides enterprise-grade FIM with centralized management. Integration follows the same pattern as AIDE.

3.1 Installation

# Install Open Source Tripwire
sudo apt-get install tripwire

# Initialize (interactive - set site and local passphrases)
sudo tripwire --init

3.2 Scheduled Check

# /etc/cron.d/tripwire-axiom
# tripwire --check likewise exits non-zero (bits 1/2/4) when it finds violations
# and sets 8 on error, so ingest unless the check itself failed rather than
# chaining with &&.
0 3 * * * root /usr/sbin/tripwire --check --quiet > /opt/axiom-engine/logs/tripwire-latest.log 2>&1; [ $? -lt 8 ] && /opt/axiom-engine/tools/axiom ingest --type=fim --file=/opt/axiom-engine/logs/tripwire-latest.log

3.3 Policy Updates

# After authorized changes
sudo tripwire --update --twrfile /var/lib/tripwire/report/latest.twr
sudo tripwire --update-policy /etc/tripwire/twpol.txt

4. osquery Integration

osquery provides near-real-time FIM through its file_events table, fed by inotify on Linux. It is the recommended option for environments that already use osquery for endpoint visibility. The events subsystem is off by default: set disable_events=false and enable_file_events=true (as osqueryd flags or in the options block of the config), otherwise file_events stays empty. Listing a category under file_accesses additionally records an ACCESSED event for every read of those paths, which is very noisy for /usr/bin; keep it only where access auditing is actually required.

4.1 FIM Configuration

// /etc/osquery/osquery.conf (options, file_paths and schedule sections)
{
  "options": {
    "disable_events": "false",
    "enable_file_events": "true"
  },
  "file_paths": {
    "critical_binaries": [
      "/usr/bin/%%",
      "/usr/sbin/%%",
      "/opt/axiom-engine/%%"
    ],
    "configuration": [
      "/etc/%%"
    ]
  },
  "file_accesses": ["critical_binaries"],
  "schedule": {
    "fim_check": {
      "query": "SELECT target_path, action, md5, sha256, time FROM file_events WHERE action != 'ATTRIBUTES_MODIFIED';",
      "interval": 3600
    }
  }
}

4.2 Feeding to Axiom

# osqueryi starts its own short-lived instance and has no access to the events
# osqueryd has collected, so querying file_events interactively returns nothing.
# Take the scheduled fim_check results from the daemon's results log instead
# (default filesystem logger path, one JSON object per line), keeping the last 24 hours.
jq -c 'select(.name == "fim_check" and .unixTime > (now - 86400))' \
  /var/log/osquery/osqueryd.results.log > /opt/axiom-engine/logs/osquery-fim.json

# Ingest
axiom ingest --type=fim --file=/opt/axiom-engine/logs/osquery-fim.json
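What the ingester has to do with those result lines, as an added example (not Axiom's own code): osqueryd logs one JSON object per result row in differential mode, and a single edit to a watched file typically produces several UPDATED rows, so counting raw rows overstates the change set. The normaliser below keeps only rows from the fim_check query inside the time window, drops ATTRIBUTES_MODIFIED noise and stale "removed" rows, collapses repeated events per path to the newest one, and counts malformed lines instead of aborting. The log lines are constructed with a helper; real rows carry more fields (calendarTime, epoch, counter, decorations) that the code ignores.

```python
"""Turn osqueryd's scheduled fim_check results (filesystem logger, one JSON
object per line, differential mode) into a per-path change set. Added example,
not Axiom's ingester; the log lines are constructed."""
import json

NOISE_ACTIONS = {"ATTRIBUTES_MODIFIED"}   # mirrors the scheduled query's filter


def normalize_fim_log(lines, now, window=86400, query_name="fim_check"):
    """Return ({path: (event_time, action, sha256)}, skipped_line_count).

    Rows the differential logger marks "removed" are results that disappeared
    from the previous run, not file deletions, so they are ignored; so are rows
    from other queries and rows older than the window. Only the newest event
    per path survives, which is what an AIDE-style change count needs."""
    latest, skipped = {}, 0
    for raw in lines:
        try:
            row = json.loads(raw)
            if row.get("name") != query_name or row.get("action") != "added":
                continue
            if int(row["unixTime"]) < now - window:
                continue
            cols = row["columns"]          # osquery logs every column as a string
            if cols["action"] in NOISE_ACTIONS:
                continue
            path, event_time = cols["target_path"], int(cols["time"])
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1               # malformed line: count it, keep going
            continue
        if path not in latest or event_time >= latest[path][0]:
            latest[path] = (event_time, cols["action"], cols.get("sha256", ""))
    return latest, skipped


def change_set(latest):
    """Sorted (path, action, sha256) tuples: the per-file view to ingest."""
    return sorted((p, a, h) for p, (_, a, h) in latest.items())


NOW = 1_777_690_800   # fixed "now" so the sample below is deterministic


def _row(path, action, t, sha, name="fim_check", diff="added"):
    """Build one constructed result-log line in osqueryd's differential layout."""
    return json.dumps({"name": name, "hostIdentifier": "web-01", "unixTime": t,
                       "columns": {"target_path": path, "action": action,
                                   "sha256": sha, "time": str(t)},
                       "action": diff})


SAMPLE_LOG = [
    _row("/etc/ssh/sshd_config", "UPDATED", NOW - 3600, "aaa1"),
    _row("/etc/ssh/sshd_config", "UPDATED", NOW - 3590, "bbb2"),     # same edit, later flush
    _row("/usr/bin/.hidden-helper", "CREATED", NOW - 7200, "ccc3"),
    _row("/usr/bin/.hidden-helper", "ATTRIBUTES_MODIFIED", NOW - 7100, "ccc3"),
    _row("/opt/axiom-engine/conf.yaml", "UPDATED", NOW - 200000, "ddd4"),  # outside window
    _row("/etc/hosts", "UPDATED", NOW - 100, "eee5", name="other_query"),
    _row("/etc/passwd", "UPDATED", NOW - 50, "fff6", diff="removed"),
    "this line is not JSON",
]

if __name__ == "__main__":
    latest, skipped = normalize_fim_log(SAMPLE_LOG, now=NOW)
    for entry in change_set(latest):
        print(*entry)
    print(f"changes={len(latest)} skipped_lines={skipped}")
```

The window filter uses the row's unixTime (when osqueryd logged it) rather than the event's own time column, matching the jq selection above; the per-path collapse then uses the event time so the hash kept is the one from the last write.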

5. Automated Heartbeat

The SI-7 heartbeat runs every 24 hours and performs:

  1. Executes SI-7.1 probe (checks for AIDE/Tripwire/osquery presence)
  2. Executes SI-7.2 probe (runs dpkg --audit)
  3. Evaluates verdicts against configured thresholds
  4. Mints SWT3 Witness Anchor for each probe result
  5. Routes FAIL verdicts to notification channel
  6. Updates posture trend data
Zero-touch compliance: Once a FIM tool is installed and the heartbeat is active, SI-7 evidence is generated automatically with no manual intervention required.
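The two probe evaluations in steps 1 to 3 and 5, as an added example that is not Axiom's heartbeat code. SI-7.1 looks for a supported tool binary in the directories the probe's PATH actually contains (the Troubleshooting section notes that this can differ from the administrator's PATH); SI-7.2 counts the packages dpkg --audit reports, assuming its usual layout of explanatory paragraphs followed by one indented line per package; both are scored against the thresholds stated in the Overview and FAIL verdicts are returned for routing. The dpkg --audit text is constructed, and make_fake_tool_dir stands in for /usr/bin so the block runs offline.

```python
"""SI-7 heartbeat probe logic: SI-7.1 tool presence and SI-7.2 dpkg --audit
count, evaluated against the thresholds this guide states. Added example, not
Axiom's heartbeat; the dpkg --audit text is constructed."""
import os
import stat
import tempfile

FIM_TOOLS = ("aide", "tripwire", "osqueryd")
MAX_AUDIT_PACKAGES = 10        # SI-7.2 pass condition from the Overview


def detect_fim_tools(path_dirs):
    """Executables named after a supported FIM tool in the directories given.
    Pass the probe user's PATH, not the administrator's: a tool installed under
    /usr/local/sbin is invisible if that directory is not on the probe's PATH."""
    found = []
    for d in path_dirs:
        for tool in FIM_TOOLS:
            p = os.path.join(d, tool)
            if os.path.isfile(p) and os.access(p, os.X_OK):
                found.append(p)
    return found


def parse_dpkg_audit(text):
    """dpkg --audit prints explanatory paragraphs, each followed by one
    indented line per affected package (' name   description'). It reports
    only packages in an inconsistent install state; it does not checksum
    installed files (dpkg --verify does), so this is not a file-level check."""
    return sorted({line.split()[0] for line in text.splitlines()
                   if line.startswith(" ") and line.strip()})


def evaluate(found_tools, audit_packages):
    """Verdict per probe plus the probes whose FAIL must be routed (step 5)."""
    verdicts = {
        "SI-7.1": "PASS" if found_tools else "FAIL",
        "SI-7.2": "PASS" if len(audit_packages) <= MAX_AUDIT_PACKAGES else "FAIL",
    }
    return verdicts, [probe for probe, v in verdicts.items() if v == "FAIL"]


def make_fake_tool_dir(names):
    """Temporary directory holding empty executables with the given names,
    standing in for /usr/bin during an offline run."""
    d = tempfile.mkdtemp(prefix="fim-probe-")
    for name in names:
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, os.stat(p).st_mode | stat.S_IXUSR)
    return d


# Constructed dpkg --audit output (the package names are illustrative).
SAMPLE_DPKG_AUDIT = """\
The following packages are only half configured, probably due to problems
configuring them the first time.  The configuration should be retried using
dpkg --configure <package> or the configure menu option in dselect:
 libssl3              Secure Sockets Layer toolkit - shared libraries
 openssh-server       secure shell (SSH) server, for secure access from remote machines

The following packages have been unpacked but not yet configured.
They must be configured using dpkg --configure or the configure
menu option in dselect for them to work:
 axiom-engine         Axiom compliance engine
"""

if __name__ == "__main__":
    tools = detect_fim_tools(os.environ.get("PATH", "").split(os.pathsep))
    verdicts, to_route = evaluate(tools, parse_dpkg_audit(SAMPLE_DPKG_AUDIT))
    print(f"tools={tools} verdicts={verdicts} route={to_route}")
```

Run as a script it probes the real PATH of whoever invokes it, which is the quickest way to reproduce the "FAIL despite AIDE installed" case from the Troubleshooting section: run it as the probe user rather than as root.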

6. DISA STIG Reference

STIG ID  | Rule                     | Requirement                                                                                                 | Axiom Probe
V-238400 | SRG-OS-000480-GPOS-00227 | The system must use a file integrity tool configured to use FIPS 140-2/140-3 approved cryptographic hashes | SI-7.1
V-238401 | SRG-OS-000363-GPOS-00150 | The system must notify the ISSO when integrity violations are discovered                                   | SI-7.1 + heartbeat FAIL route

Expected State

SI-7.1 PASS: at least one of AIDE, Tripwire, or osquery is installed and found by the probe; with the sha256 rules shown in section 2.2 the hash requirement of V-238400 is met.
SI-7.2 PASS: dpkg --audit reports 10 or fewer packages.

Remediation (if FAIL)

# SI-7.1: Install AIDE (fastest path to compliance)
sudo apt-get install aide aide-common
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# SI-7.2: Fix packages that dpkg --audit reports as half-installed or half-configured
sudo dpkg --audit
sudo dpkg --configure -a          # finish any pending configuration
sudo apt-get install -f           # resolve broken dependencies
# Reinstall anything still listed. dpkg --audit prints each affected package on
# an indented line with the name as the first field; there is no "Package:" prefix.
pkgs=$(dpkg --audit | awk '/^ /{print $1}')
[ -n "$pkgs" ] && sudo apt-get install --reinstall $pkgs

# Verify fix
axiom scan --module=si_integrity --provenance

7. Troubleshooting

Issue: SI-7.1 FAIL despite AIDE installed
  Cause: AIDE binary not in the PATH of the probe user
  Resolution: Verify with which aide as the probe user. Symlink to /usr/bin/aide if needed.

Issue: SI-7.2 shows a high count after patching
  Cause: AIDE baseline not updated after authorized changes
  Resolution: Run sudo aide --update and copy the new database into place.

Issue: osquery file_events empty
  Cause: Events subsystem disabled, FIM not configured, or inotify watches exhausted
  Resolution: Confirm disable_events=false and enable_file_events=true are set for osqueryd, verify file_paths in osquery.conf, and check sysctl fs.inotify.max_user_watches (increase to 524288).

Issue: Heartbeat not firing
  Cause: Adjudication workflow inactive or webhook deregistered after restart
  Resolution: Check the adjudication pipeline status, verify the heartbeat workflow is active and the cron trigger is configured.

Issue: axiom ingest rejects FIM log
  Cause: Log format not recognized
  Resolution: Use the --type=fim flag explicitly. Supported: AIDE text output, Tripwire report, osquery JSON.

Issue: False positives from /var/cache
  Cause: Volatile paths included in AIDE/Tripwire rules
  Resolution: Add exclusions for /var/cache, /var/log, /tmp in the config.
TeNova Axiom Sovereign Engine | SWT3 Protocol v1.3.0 | Patent Pending
CUI | SI-7 File Integrity Monitoring