File Integrity Monitoring for Linux
You can configure File Integrity Monitoring for your supported Linux machines. Before configuring this feature, make sure that your Linux operating system meets the system requirements for the Insight Agent. FIM for Linux is verified to run on these operating systems:
- Ubuntu version 18.04
- SLED version 12
Other operating systems and versions are not guaranteed to support this feature.
FIM for Linux only monitors for delete activities on your Linux machines.
In order for InsightIDR to monitor specific file paths from your Linux machine, you must configure auditd compatibility mode with slight modifications.
To configure FIM for Linux, you must:
- Configure auditd compatibility mode for your assets.
- Change audit.rules.
- Review Linux Monitoring Recommendations.
Configure auditd Compatibility Mode
Before you can start File Integrity Monitoring for Linux, you must configure auditd compatibility mode for your Linux assets. You will not be able to configure File Integrity Monitoring without it.
Before changing this file, refer to the documentation for your chosen Linux distribution regarding where to place the
At the end of the audit.rules file, you have the option to add additional rules as necessary. You must add rules to record activities from the permitted directory paths.
For example, the following rules show the format for the directories and subdirectories you could monitor with FIM for Linux:
-w /bin -p w
-w /etc/group -p w
-w /etc/passwd -p w
-w /etc/sudoers -p w
These options are defined as follows:
-w - Inserts a watch on the path or file specified
-p - Describes the permission access for this path or file watch
The permissions options are:
a= attribute change (such as user or user group permission changes)
FIM for Linux will monitor for w (write) activities only. The Insight platform will ignore all other permission access (
If you choose to monitor all permission options (-p rwxa), the auditd output file (audit.log) will capture all available kernel generated events.
This is a functional example of an
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

# DO NOT BLOCK THE FOLLOWING EVENTS
# USER_AUTH
# USER_START
# USER_END
# USER_LOGIN
# USER_LOGOUT
# ADD_USER
# DEL_USER
# ADD_GROUP
# DEL_GROUP
# SERVICE_START
# SERVICE_STOP
# SYSCALL
# EXECVE

# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems
-a always,exit -F arch=b64 -S execve -F key=execve

# Feel free to add additional rules below this line. See auditctl man page
# (for InsightIDR FIM): watch for write events from the following directories
-w /bin -p w
-w /etc/group -p w
-w /etc/passwd -p w
-w /etc/sudoers -p w
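The following is an added example, not part of this documentation or of the Insight Agent: a small Python checker that parses an audit.rules file in the format shown above and reports the mistakes that silently reduce FIM coverage or inflate audit.log, namely watches that use permissions other than w, watches on paths outside the permitted set, a missing -D at the top, and a missing execve rule. The permitted-path tuple is an assumption built from the four paths in the sample above, because this page does not reproduce InsightIDR's own list; the "bad" rules text is constructed for illustration.

```python
import shlex

# Assumed permitted watch targets, taken from the four sample rules above.
# InsightIDR's real permitted list is not reproduced on this page; adjust to
# match your deployment (directories also cover the files beneath them).
PERMITTED_PATHS = ("/bin", "/etc/group", "/etc/passwd", "/etc/sudoers")

# The execve rule the Insight Agent requires (arch=b32 on 32-bit systems).
REQUIRED_EXECVE = shlex.split("-a always,exit -F arch=b64 -S execve -F key=execve")


def parse_rules(text):
    """Return the non-comment, non-blank lines of audit.rules as token lists."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(shlex.split(line))
    return rules


def _watch_fields(tokens):
    """Pull path, permissions and key out of a '-w PATH [-p PERMS] [-k KEY]' rule."""
    fields = {"path": None, "perms": None, "key": None}
    for flag, value in zip(tokens[::2], tokens[1::2]):
        if flag == "-w":
            fields["path"] = value
        elif flag == "-p":
            fields["perms"] = value
        elif flag == "-k":
            fields["key"] = value
    return fields


def _is_permitted(path):
    """True when path equals a permitted entry or sits below a permitted directory."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in PERMITTED_PATHS)


def check_rules(text):
    """Check audit.rules text against the FIM-for-Linux conventions; return a report."""
    rules = parse_rules(text)
    report = {
        "delete_all_first": bool(rules) and rules[0] == ["-D"],
        "buffer_size": None,
        "has_execve_rule": REQUIRED_EXECVE in rules,
        "watches": [],
        "issues": [],
    }
    for tokens in rules:
        if tokens[:1] == ["-b"] and len(tokens) == 2:
            report["buffer_size"] = int(tokens[1])
        if tokens[:1] != ["-w"]:
            continue
        fields = _watch_fields(tokens)
        path, perms = fields["path"], fields["perms"]
        report["watches"].append((path, perms))
        if perms is None:
            report["issues"].append(f"{path}: no -p given; add -p w")
        elif perms != "w":
            # Only w events reach InsightIDR; r/x/a events just grow audit.log.
            report["issues"].append(f"{path}: -p {perms} records events InsightIDR ignores; use -p w")
        if not _is_permitted(path):
            report["issues"].append(f"{path}: outside the permitted paths; ignored unless whitelisted")
    if not report["delete_all_first"]:
        report["issues"].append("first rule should be -D so stale rules are flushed on load")
    if not report["has_execve_rule"]:
        report["issues"].append("missing the execve rule required by the Insight Agent")
    return report


# The sample file from the documentation above, comments trimmed.
SAMPLE_RULES = """\
-D
-b 8192
-a always,exit -F arch=b64 -S execve -F key=execve
-w /bin -p w
-w /etc/group -p w
-w /etc/passwd -p w
-w /etc/sudoers -p w
"""

# Constructed example of a rules file with the common mistakes.
BAD_RULES = """\
-b 8192
-w /etc/shadow -p rwxa
-w /etc/hosts
-w /var/www -p w
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RULES), ("bad", BAD_RULES)):
        result = check_rules(text)
        print(name, "issues:", *result["issues"], sep="\n  ")
```

Run it against a copy of /etc/audit/audit.rules (or the merged output of augenrules) before restarting auditd; an empty issues list means every watch will be both recorded by the kernel and accepted by InsightIDR.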
Linux Monitoring Recommendations
The intent of FIM is to track and audit file modifications solely on critical business directories on critical systems only.
InsightIDR allows you to monitor the following directories on your Linux machines:
You may choose to monitor on a more granular basis (such as sub-directories) than the directories listed.
InsightIDR will “ignore” any other directory paths you configure for monitoring. However, you can request that certain paths are whitelisted if you determine that they are necessary for your organization.
To request an extension whitelist, contact Rapid7 Support.