File integrity monitoring (FIM) is a security control that verifies whether critical system files, configuration members and datasets remain unchanged. FIM does this by creating a trusted baseline of each file (often using cryptographic checksums, such as hash values) and then comparing the baseline with the current state to detect tampering.
According to SolarWinds, FIM tools monitor sensitive files, registry keys, and directories to create a baseline using cryptographic hashes, and they store metadata such as file size, privileges, and owners. Any deviation from the baseline raises an alert.
FIM solutions allow scheduled or on‑demand scans and can be integrated with security information and event management (SIEM) tools to provide a double layer of protection. They are widely used in open‑system platforms, but only recently have mainframe‑specific solutions become available.
Why FIM Matters on Mainframe
Mainframe systems process vast amounts of the world’s financial and personal data, making them attractive targets for malware and ransomware. Despite the platform’s strong security controls, attackers who obtain legitimate credentials can modify configuration members or implant backdoors during data decryption.
Because mainframes were historically isolated, FIM adoption was low, but as integration with distributed systems has increased, vulnerability has grown. Sophisticated attacks progress very quickly; human reaction time is a limiting factor, so automated processes like intrusion‑detection systems and Security Orchestration, Automation, and Response (SOAR) platforms are essential for detecting and halting malicious activity within seconds. Without real‑time detection, ransomware can encrypt data or exfiltrate sensitive information before support staff have time to intervene.
Compliance Drivers
Mainframe platforms hold highly sensitive data for finance, healthcare, government, and other industries, yet many organizations have not implemented FIM.
Regulatory frameworks require such monitoring: PCI DSS requirement 11.5 calls for a change‑detection mechanism (e.g., file‑integrity monitoring tools) to detect unauthorized modification of critical files, and section 10.5.5 requires FIM on logs.
Auditors often overlook mainframes despite these requirements, and organizations sometimes claim compliance without running a FIM solution.
Beyond PCI, regulations such as General Data Protection Regulation (GDPR), Sarbanes–Oxley Act of 2002 (SOX), North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP), Federal Information Security Management Act (FISMA), and the Health Insurance Portability and Accountability Act (HIPAA) also require FIM. FIM is a key component of modern cyber‑resiliency and zero‑trust architectures.
Key capabilities of effective mainframe FIM solutions:
| Capability | Explanation |
| --- | --- |
| Baseline creation and change detection | FIM software takes a baseline snapshot of trusted files and stores it securely in a vault; at user‑defined intervals or in real time, it compares the current version against the baseline and alerts on differences. |
| Broad scope of monitoring | Effective FIM covers executable programs, JCL, scripts, configuration members, log files (e.g., SMF, Db2, IMS) and other data stores. It should also monitor access control files and key system configurations, because tampering with them may signal an active breach. |
| Real‑time alerts and rapid response | FIM should generate alerts within seconds and integrate with enterprise security frameworks, such as RACF, ACF2, or TSS, and with SIEMs. Automated detection systems using artificial intelligence‑driven monitoring can isolate affected systems and halt malicious activity in seconds. |
| Integration with enterprise tools | To avoid siloed alerts, FIM must integrate with SIEM platforms and other monitoring tools so that file‑audit events can be correlated with network and user activity. For mainframe environments, integration with RACF, ACF2, or TSS allows FIM alerts to trigger built‑in responses. |
| False‑positive minimization and learning | Modern FIM solutions should differentiate between approved changes (e.g., deployment processes) and malicious modifications, minimizing false positives. Some early mainframe attempts were abandoned because of administrative effort and false positives, but learning systems and improved hashing capabilities have solved these problems. |
| Forensics and recovery support | After detecting an unauthorized change, FIM should identify what changed, when, and by whom, and guide recovery by automatically backing out malicious alterations.[1] Advanced solutions provide browser‑based forensics, maintain an immutable history of file versions, and help restore affected software components so that data and code recover together. |
| Compliance reporting | Built‑in audit functions allow internal or external auditors to verify file integrity and demonstrate compliance with PCI DSS, NIST CSF, the Digital Operational Resilience Act (DORA), and other standards.[2] Real‑time logs and on‑demand reports provide proof that critical files remained unaltered.[3] |
| Scalability and ease of use | Effective FIM must operate efficiently on large transaction volumes without requiring deep expertise. Modern solutions provide browser‑based interfaces and minimal configuration overhead. |
Best‑practice considerations for deploying FIM on mainframes:
- Understand your critical assets. Identify which datasets, configuration members, executables, and logs constitute critical infrastructure.
- Establish a trusted baseline. Use a clean system state (e.g., post‑maintenance window) to generate cryptographic hashes and metadata. Securely store this baseline and update it through approved change‑control processes.
- Scan regularly and in real time. Schedule periodic scans and enable continuous monitoring on high‑risk datasets. Real‑time alerts are essential to intercept malware before it can encrypt or exfiltrate data.
- Integrate with SIEM and incident response workflows. Combine FIM data with access logs and network events to get a holistic view of suspicious behavior. Use automated workflows to suspend user IDs, suspend offending processes, and initiate recovery.
- Address human factors. Provide dashboards and simple interfaces so that operators can review alerts without specialized knowledge. Train support staff to interpret FIM alerts and coordinate with security teams.
- Complement FIM with other controls. FIM should be part of a multi‑layered strategy: behavioral anomaly analysis, strict access controls, encryption, vulnerability assessments, and regular patching. FIM detects unauthorized file changes, but behavioral analytics catch insider misuse, and encryption safeguards data at rest and in transit.
- Validate backups and recovery plans. Advanced FIM tools can verify that backups are free of unauthorized changes, ensuring that you can restore clean systems after an incident. Combine FIM with immutable backups and recovery runbooks.
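The baseline-and-compare cycle described in the capability table and in the "Establish a trusted baseline" and "Scan regularly" practices above, as an added example that is not part of the original article or of any product it names. It hashes file contents with SHA-256, records the metadata that FIM tools also baseline (size, permission bits, owner), reports which attributes changed, and flags changes covered by an approved-change list so a deployment is not raised as an incident. The file names, contents and the approved set are constructed for the demo; a real mainframe deployment would read datasets and members rather than a directory tree.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Hash the file contents and record the metadata FIM tools also baseline."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}

def build_baseline(root: Path) -> dict:
    """Snapshot every file under root; in production this snapshot goes to a protected vault."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict, approved=frozenset()) -> list:
    """Return one finding per added, deleted or modified file, naming the attributes that differ."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        if old is None:
            change, fields = "added", []
        elif new is None:
            change, fields = "deleted", []
        else:
            change = "modified"
            fields = [k for k in old if old[k] != new[k]]  # content vs. metadata tampering
        findings.append({"file": name, "change": change, "fields": fields,
                         "approved": name in approved})
    return findings

def demo() -> list:
    """Constructed scenario: two members, one approved deployment, one unapproved edit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "PARMLIB.IEASYS00").write_text("CLOCK=00,LPA=00\n")
        (root / "PROCLIB.JOB1").write_text("//JOB1 EXEC PGM=IEFBR14\n")
        baseline = build_baseline(root)
        (root / "PROCLIB.JOB1").write_text("//JOB1 EXEC PGM=IEFBR14\n//* v2\n")  # approved release
        (root / "PARMLIB.IEASYS00").write_text("CLOCK=00,LPA=00,MLPA=00\n")  # unapproved edit
        (root / "PARMLIB.IEASYS00").chmod(0o777)  # permission change is caught too
        return compare(baseline, build_baseline(root), approved={"PROCLIB.JOB1"})
```

Only the unapproved finding should be escalated to the SIEM; the approved one is evidence that the deployment ran as planned and that the baseline now needs to be refreshed through change control.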
Mainframe FIM Solutions:
1. IBM zSecure
- How it works: Part of the IBM Security zSecure suite, it compares checksums (anti‑tamper digests or fingerprints) of critical data sets, using a baseline (CKFREEZE) and the current files. Detects tampering with dataset contents and metadata (such as names, PDS directory, ISPF stats).
- Strengths: Robust checksum-based verification.
- Limitations: Primarily integrity verification and reporting, not real-time; limited forensic or SIEM integration.
2. MainTegrity CSF
- How it works: Uses secure baselines for components/app groups. Stored in an encrypted vault, compared during on-demand, scheduled, or random scans. Integrates with deployment tooling (e.g., ServiceNow) to reduce false positives.
- Strengths: Tailored to mainframe needs—real-time detection, forensic detailing, integration with SIEMs, rapid remediation. Surgical recovery of compromised components from the most relevant backup.
- Limitations: Commercial tool; complexity and cost depend on deployment footprint.
There are other solutions on the market that provide some partial functionality in this area, and they are:
FIM has become an essential component of mainframe cyber security. It provides early detection of unauthorized file changes that could signal malware or insider threats, and it is required by many regulatory frameworks. Relying on system logs, such as SMF, is no longer adequate, because they could be disabled by any would-be attacker.
Modern FIM solutions for z/OS create cryptographic baselines, monitor a wide range of datasets in real time, integrate with enterprise security tools, and automate response to minimize damage. Organizations should adopt FIM as part of a holistic security program that includes behavioral analytics, strong access controls, encryption, and continuous vulnerability assessments. By doing so, they can maintain regulatory compliance, improve cyber resilience, and ensure that their mainframes remain trusted engines for critical business operations.
Sources:
1. https://www.itech-ed.com/blog717.htm#:~:text=What%20is%20file,do%20all%20this%20very%20quickly
2. https://planetmainframe.com/2018/07/validating-your-files/#:~:text=compliance%20with%20regulations,on%20all%20platforms%2C%20including%20mainframes
3. https://planetmainframe.com/2018/07/validating-your-files/#:~:text=To%20comply%20with%20these%20regulations%2C,demand%20audit%20function
Author Bio:
Mark Wilson is a globally recognized thought leader and international speaker in mainframe security and technology, as well as a passionate advocate for all things Z. He serves as the chief editor and producer of Cheryl Watson's Tuning Letter and is the technical director at Vertali. He has more than 40 years’ experience across numerous industries and diverse mainframe environments. Mark is also region manager for GS UK and has been awarded IBM Champion status for the last five years. For more information email: info@vertali.com