System Integrity Monitoring detects each change to an object within the monitoring scope by intercepting file operations in real time.
When System Integrity Monitoring runs, the application monitors changes in the following file settings:
A file checksum is not calculated.
The technical limitations of the Linux operating system prevent the application from identifying the user or process that made the changes to the file.
System Integrity Monitoring is disabled by default. You can enable, disable, and configure System Integrity Monitoring:
You can specify several monitoring scopes. You can change monitoring scopes in real-time mode.
The application task does not monitor changes in files (attributes and content) with hard links that are outside the monitoring scope.
An exclusion has a higher priority than a monitoring scope; an excluded object is skipped even if within the monitoring scope. If the monitoring scope is defined on a lower level than the excluded directory, the application skips this monitoring scope during system integrity monitoring.
When a directory is added to a monitoring or exclusion scope, the application does not check whether that directory exists.