InsightIDR | FIM | Linux Assets

Hi Guys,

If I may, I just want to have your inputs on the reference documentation here: File Integrity Monitoring for Linux | InsightIDR Documentation

It is clearly stated that ONLY “write” events are monitored if I do the modification on the audit.rules.
Now if I want to monitor all events (rwxa), does it mean I don't need to do the modification at all?
Or do I still need to put it in? In the audit.rules the declaration would be like → -w /bin -p wrxa?

I am thinking that if I need to monitor all events, then instead of doing the modification, which only monitors the “write” events, I might as well just read everything in the audit.log file through the agent.
Reference: Configure the Insight Agent to Send Additional Logs | InsightIDR Documentation

I am just not sure if it is essential that I declare everything (specific files) in the audit.rules to get my File Monitoring.

Best Regards,

Hi,

You are on the right track here: the FIM functionality will only monitor changes, and as stated it's possible to log other activity, but it will not be processed as FIM activity by the native FIM functionality.

Configuring the logging.json to tail the audit.log with the additional audit logging enabled would be a way to monitor all access activity if you so wish.

David

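To make the difference between a `-p w` watch and a `-p rwxa` watch concrete, here is an added example (not part of this thread and not Rapid7 or Insight Agent code) that reads a few constructed audit.log records, correlates the SYSCALL and PATH records of each event, and classifies each touched file as a read, write, execute or attribute-change access, then applies a simulated `-w /bin -p <perms>` filter. The mapping from syscall number and open() flags to r/w/x/a is an assumption that approximates what the kernel watch does, and the syscall numbers assume an x86_64 host; it is meant to show which records a "write-only" rule keeps versus what ends up in audit.log when everything is tailed, not to replace auditd.

```python
"""Classify constructed Linux audit.log records by the access type an auditd
watch permission filter (-p r/w/x/a) would match.

Added illustration only: not the Insight Agent's parser and not Rapid7 code.
Assumes x86_64 syscall numbers and the standard audit.log key=value layout.
"""
import re

# Assumed x86_64 syscall numbers mapped to the auditd permission letter.
SYSCALL_CLASS = {
    "59": "x",   "322": "x",            # execve, execveat
    "90": "a",   "91": "a", "268": "a", # chmod, fchmod, fchmodat
    "92": "a",   "260": "a",            # chown, fchownat
    "87": "w",   "263": "w",            # unlink, unlinkat
    "82": "w",   "316": "w",            # rename, renameat2
}
# open() keeps its flags in a1, openat() in a2.
OPEN_FLAG_ARG = {"2": "a1", "257": "a2"}
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"audit\([\d.]+:(\d+)\)")

# Constructed sample: read, write, execute and chmod of /bin/ls under key fim_bin.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:1001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=80000 a3=0 comm="cat" exe="/usr/bin/cat" key="fim_bin"
type=PATH msg=audit(1700000000.101:1001): item=0 name="/bin/ls" inode=1 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:1002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=80241 a3=1b6 comm="cp" exe="/usr/bin/cp" key="fim_bin"
type=PATH msg=audit(1700000000.102:1002): item=0 name="/bin/" inode=2 nametype=PARENT
type=PATH msg=audit(1700000000.102:1002): item=1 name="/bin/ls" inode=1 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:1003): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d8 a2=55e0 a3=0 comm="ls" exe="/bin/ls" key="fim_bin"
type=PATH msg=audit(1700000000.103:1003): item=0 name="/bin/ls" inode=1 nametype=NORMAL
type=PATH msg=audit(1700000000.103:1003): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=3 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:1004): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7ffd3 a2=1ed a3=0 comm="chmod" exe="/usr/bin/chmod" key="fim_bin"
type=PATH msg=audit(1700000000.104:1004): item=0 name="/bin/ls" inode=1 nametype=NORMAL
"""


def parse_record(line):
    """Turn one audit.log record into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify_syscall(rec):
    """Return 'r', 'w', 'x' or 'a' for a SYSCALL record, or None if unknown."""
    sc = rec.get("syscall")
    if sc in OPEN_FLAG_ARG:
        flags = int(rec[OPEN_FLAG_ARG[sc]], 16)   # audit logs args as bare hex
        return "w" if flags & O_ACCMODE in (O_WRONLY, O_RDWR) else "r"
    return SYSCALL_CLASS.get(sc)


def correlate(lines):
    """Join SYSCALL and PATH records by event id; return [(path, class), ...]."""
    events = {}
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"syscall": None, "paths": []})
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH" and rec.get("nametype") != "PARENT":
            ev["paths"].append(rec["name"])   # PARENT entries are the directory
    out = []
    for ev in events.values():
        if ev["syscall"] is not None:
            cls = classify_syscall(ev["syscall"])
            out.extend((p, cls) for p in ev["paths"])
    return out


def match_watch(events, watch_path, perms):
    """Simulate '-w <watch_path> -p <perms>': keep matching paths and classes."""
    prefix = watch_path.rstrip("/") + "/"
    return [(p, c) for p, c in events
            if (p == watch_path or p.startswith(prefix)) and c in perms]


if __name__ == "__main__":
    evs = correlate(SAMPLE_AUDIT_LOG.splitlines())
    print("-w /bin -p w    ->", match_watch(evs, "/bin", "w"))
    print("-w /bin -p rwxa ->", match_watch(evs, "/bin", "rwxa"))
```

Running it shows that a write-only watch on /bin keeps a single record (the `cp` over /bin/ls) while the rwxa watch keeps all four accesses to /bin/ls; the shared-library path from the execve event falls outside the /bin watch either way, which is the same kind of noise you take on when the agent tails the whole audit.log instead of a scoped rule.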

Hi David,

Thanks for the input!