While the OAFIM task is running, each object change is determined through real-time interception of file operations in real-time mode. When an object changes, Kaspersky Industrial CyberSecurity for Linux Nodes sends an event to the Kaspersky Security Center Administration Server. A file checksum is not calculated during the task run. The application task does not monitor changes in files (attributes and content) with hard links that are outside the monitoring scope. The application monitors operations on specific files or the monitoring scopes specified in the task settings.
Monitoring scopes
Monitoring scopes must be specified for the System Integrity Monitoring task. The administrator can change monitoring scopes in real-time mode. You can specify several monitoring scopes. If no monitoring scope is specified, task settings cannot be saved in the configuration file.
Monitoring exclusions
You can create exclusions for the monitoring scope. Exclusions are specified for each individual scope and only work for the indicated monitoring scope. You can specify several monitoring exclusions.
Exclusions have a higher priority than the monitoring scope and are not monitored by a task, even if a specific directory or file is in the monitoring scope. If the settings for one of the rules specify a monitoring scope that is at a lower level than a directory specified in exclusions, the monitoring scope is not considered when the task is run.
To specify exclusions, you can use the same command line shell masks that are used to specify monitoring scopes.
When a monitoring scope or exclusion scope is added, the application does not check whether the specified directory exists.
Monitored settings
Changes to the following settings are monitored when the System Integrity Monitoring task runs:
The technical limitations of the Linux operating system prevent the System Integrity Monitoring task from detecting which administrator or process made changes to the file.
Page top