File Integrity Monitoring (FIM) for Linux

You can configure File Integrity Monitoring (FIM) for your supported Linux machines.

To configure FIM in Linux:

FIM restrictions and the specific extensions that are monitored are listed in the Windows documentation.

Requirements for Linux

Before configuring this feature, make sure that your Linux operating system meets the system requirements for the Insight Agent. FIM for Linux is verified to run on these operating systems:

  • Ubuntu version 18.04
  • SLED version 12
  • Red Hat Enterprise Linux 6,7

Other operating systems and versions are not guaranteed to support this feature.

FIM for Linux only monitors for create, write, and delete activities on your Linux machines.

Configure auditd Compatibility Mode

Before you can start File Integrity Monitoring for Linux, you must configure auditd compatibility mode with slight modifications. This documentation covers auditd compatibility mode for your Linux assets.

This allows InsightIDR to monitor specific file paths from your Linux machine. You will not be able to configure File Integrity Monitoring without it.

Change audit.rules

Before changing this file, refer to the documentation for your chosen Linux distribution regarding where to place the audit.rules file.

At the end of the audit.rules file, you have the option to add additional rules as necessary. You must add rules to record activities from the permitted directory paths.

For example, the following example format lists the directories and subdirectories you could monitor with FIM for Linux:

1
-w /usr/bin -p w
2
-w /etc/group -p w
3
-w /etc/passwd -p w
4
-w /etc/sudoers -p w

Caution: /bin directory monitoring

On many Linux distros, /bin is actually an alias of /usr/bin. In this case, set your audit rule to monitor /usr/bin.

These options are defined as follows:

-w - Inserts a watch on the path or file specified -p - Describes the permission access for this path or file watch

The permissions options are:

  • r = read
  • w = write
  • x = execute
  • a = attribute change (such as user or user group permission changes)

FIM for Linux will monitor for w (write) activities only. The Insight platform will ignore all other permission access (r|x|a) types.

If you choose to monitor all permission options (-p rwxa), the auditd output file (audit.log) will capture all available kernel generated events.

Example Configuration

This is a functional example of an audit.rules file:

1
# This file contains the auditctl rules that are loaded
2
# whenever the audit daemon is started via the initscripts.
3
# The rules are simply the parameters that would be passed
4
# to auditctl.
5
6
# First rule - delete all
7
-D
8
9
# Increase the buffers to survive stress events.
10
# Make this bigger for busy systems
11
-b 8192
12
13
# DO NOT BLOCK THE FOLLOWING EVENTS
14
# USER_AUTH
15
# USER_START
16
# USER_END
17
# USER_LOGIN
18
# USER_LOGOUT
19
# ADD_USER
20
# DEL_USER
21
# ADD_GROUP
22
# DEL_GROUP
23
# SERVICE_START
24
# SERVICE_STOP
25
# SYSCALL
26
# EXECVE
27
28
# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems
29
-a always,exit -F arch=b64 -S execve -F key=execve
30
31
# Feel free to add additional rules below this line. See auditctl man page
32
# (for InsightIDR FIM): watch for write events from the following directories
33
-w /usr/bin -p w
34
-w /etc/group -p w
35
-w /etc/passwd -p w
36
-w /etc/sudoers -p w

Linux Monitoring Recommendations

The intent of FIM is to track and audit file modifications solely on critical business directories on critical systems only.

InsightIDR allows you to monitor the following directories on your Linux machines:

  • /bin
  • /boot
  • /etc
  • /sbin
  • /usr/bin
  • /usr/local/bin
  • /usr/local/sbin
  • /usr/sbin
  • /usr/share/keyrings
  • /var/spool/cron

Caution: /bin directory monitoring

On many Linux distros, /bin is actually an alias of /usr/bin. In this case, please set your audit rule to monitor /usr/bin.

You may choose to monitor on a more granular basis (such as sub-directories) than the directories list.

InsightIDR ignores any other directory paths you configure for monitoring. However, you can request that certain paths be added to an allowlist if you determine that they are necessary for your organization.

To add an extension to an allowlist, contact Rapid7 Support.