File Integrity Monitoring (FIM) for Linux
You can configure File Integrity Monitoring (FIM) for your supported Linux machines.
To configure FIM in Linux:
- Check the requirements.
- Configure auditd compatibility mode for your assets.
- Change audit.rules.
- Review Linux Monitoring Recommendations.
FIM restrictions and the specific extensions that are monitored are listed in the Windows documentation.
Requirements for Linux
Before configuring this feature, make sure that your Linux operating system meets the system requirements for the Insight Agent. FIM for Linux is verified to run on these operating systems:
- Ubuntu version 18.04
- SLED version 12
- Red Hat Enterprise Linux 6 and 7
Other operating systems and versions are not guaranteed to support this feature.
FIM for Linux only monitors create, write, and delete activities on your Linux machines.
Configure auditd Compatibility Mode
Before you can start File Integrity Monitoring for Linux, you must configure auditd compatibility mode with slight modifications. This documentation covers auditd compatibility mode for your Linux assets.
Compatibility mode is what allows InsightIDR to monitor specific file paths on your Linux machine; you cannot configure File Integrity Monitoring without it.
Change audit.rules
Before changing this file, refer to the documentation for your Linux distribution regarding where to place the audit.rules file.
At the end of the audit.rules file, you can add additional rules as necessary. You must add rules to record activities from the permitted directory paths.
For example, the following rules show the format for directories and individual files you could monitor with FIM for Linux:
-w /usr/bin -p w
-w /etc/group -p w
-w /etc/passwd -p w
-w /etc/sudoers -p w
Caution: /bin directory monitoring
On many Linux distros, /bin is actually a symlink to /usr/bin. In this case, set your audit rule to monitor /usr/bin.
These options are defined as follows:
- -w inserts a watch on the path or file specified.
- -p sets the permission access types that trigger the watch on that path or file.
The permissions options are:
- r = read
- w = write
- x = execute
- a = attribute change (such as user or user group permission changes)
FIM for Linux monitors for w (write) activities only. The Insight platform ignores all other permission access types (r, x, and a).
If you choose to monitor all permission options (-p rwxa), the auditd output file (audit.log) will capture all available kernel-generated events for those paths. Because FIM only uses the write events, the extra read, execute, and attribute records increase log volume without adding anything FIM reports on.
Example Configuration
This is a functional example of an audit.rules file:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# DO NOT BLOCK THE FOLLOWING EVENTS
# USER_AUTH
# USER_START
# USER_END
# USER_LOGIN
# USER_LOGOUT
# ADD_USER
# DEL_USER
# ADD_GROUP
# DEL_GROUP
# SERVICE_START
# SERVICE_STOP
# SYSCALL
# EXECVE

# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems
-a always,exit -F arch=b64 -S execve -F key=execve

# Feel free to add additional rules below this line. See auditctl man page
# (for InsightIDR FIM): watch for write events from the following directories
-w /usr/bin -p w
-w /etc/group -p w
-w /etc/passwd -p w
-w /etc/sudoers -p w
Linux Monitoring Recommendations
The intent of FIM is to track and audit file modifications solely on critical business directories on critical systems only.
InsightIDR allows you to monitor the following directories on your Linux machines:
- /bin
- /boot
- /etc
- /sbin
- /usr/bin
- /usr/local/bin
- /usr/local/sbin
- /usr/sbin
- /usr/share/keyrings
- /var/spool/cron
Caution: /bin directory monitoring
On many Linux distros, /bin is actually a symlink to /usr/bin. In this case, set your audit rule to monitor /usr/bin.
You may choose to monitor on a more granular basis (such as sub-directories or individual files) than the directories listed above.
InsightIDR ignores any other directory paths you configure for monitoring. However, you can request that certain paths be added to an allowlist if you determine that they are necessary for your organization.
To request an allowlist addition, contact Rapid7 Support.
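The following POSIX shell script is an added example, not part of the Rapid7 documentation or the Insight Agent. It ties together the audit.rules watch format from the Change audit.rules section and the permitted directory list above: it rewrites /bin paths to /usr/bin when /bin is a symlink (the caution in both sections), drops requested paths that InsightIDR would ignore, and emits -w rules with -p w only, since FIM uses nothing but write events. The function names, the FIM_ALLOWED_DIRS variable and the FIM_ROOT variable are this example's own; FIM_ROOT exists only so the /bin check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not Rapid7 tooling: generate InsightIDR-compatible auditd
# watch rules for a list of requested paths.

# Directories InsightIDR accepts for FIM on Linux (list taken from the page).
FIM_ALLOWED_DIRS="/bin /boot /etc /sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/sbin /usr/share/keyrings /var/spool/cron"

# fim_is_permitted PATH: return 0 if PATH is an allowed directory or lies
# beneath one, 1 otherwise (InsightIDR ignores watches on any other path).
fim_is_permitted() {
    for _d in $FIM_ALLOWED_DIRS; do
        case "$1" in
            "$_d"|"$_d"/*) return 0 ;;
        esac
    done
    return 1
}

# fim_resolve_bin_alias PATH [ROOT]: if ROOT/bin is a symlink that resolves to
# ROOT/usr/bin (merged-/usr distributions), print the /usr/bin equivalent of a
# /bin path; otherwise print PATH unchanged. ROOT defaults to the real
# filesystem and is a parameter only so the logic can be tested on a
# constructed tree.
fim_resolve_bin_alias() {
    _p=$1
    _root=${2:-}
    case "$_p" in
        /bin|/bin/*)
            if [ -L "$_root/bin" ] &&
               [ "$(readlink -f "$_root/bin")" = "$(readlink -f "$_root/usr/bin")" ]; then
                printf '%s\n' "/usr$_p"
                return 0
            fi
            ;;
    esac
    printf '%s\n' "$_p"
}

# fim_rules PATH...: print one "-w PATH -p w" line per permitted path on
# stdout. Paths InsightIDR would ignore are reported on stderr and skipped,
# so they never end up as dead weight in audit.rules.
fim_rules() {
    for _req in "$@"; do
        _req=$(fim_resolve_bin_alias "$_req" "${FIM_ROOT:-}")
        if fim_is_permitted "$_req"; then
            printf '%s %s -p %s\n' -w "$_req" w
        else
            printf 'skipping %s: not in an InsightIDR-monitored directory\n' "$_req" >&2
        fi
    done
}

# Rules for the four paths used on the page; append the output to audit.rules.
fim_rules /usr/bin /etc/group /etc/passwd /etc/sudoers
```

Redirect the output into the rules file for your distribution, then load it with augenrules --load (when the distribution reads rules from /etc/audit/rules.d) or auditctl -R, and confirm with auditctl -l that each -w line is active before expecting FIM events to appear.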