On-access File Integrity Monitoring (OAFIM)

January 20, 2022

ID 161948

While the OAFIM task is running, each object change is detected by intercepting file operations in real time. When an object changes, Kaspersky Endpoint Security sends an event to the Kaspersky Security Center administration server. File checksums are not calculated while the task runs. The OAFIM task does not detect a change to a file if the file was modified through a hard link that is located outside the monitoring scope.

Kaspersky Endpoint Security monitors file operations on specific files or in scopes specified in the parameters of the task.

Monitoring scopes

Monitoring scopes for File Integrity Monitoring tasks must always be specified. The administrator can change scanning and monitoring scopes in real-time mode. If no monitoring scope is specified, task settings cannot be saved in the configuration file. When a monitoring scope or exclusion scope is added, the application does not check whether the specified directory exists.

You can specify several monitoring scopes.

Monitoring exclusion scopes

You can create exclusions for the monitoring scope. Exclusions are specified for individual scopes, and work only for the indicated monitoring scope. You can specify several exclusion scopes.

Exclusions have a higher priority than the monitoring scope: objects in an exclusion scope are not monitored by the task, even if the same directory or file is also in the monitoring scope. If a rule specifies a monitoring scope that lies below a directory specified in the exclusions, that monitoring scope is ignored when the task runs.

To specify exclusions, you can use the same command line shell masks that are used to specify monitoring scopes.
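Two points above have an operational consequence worth checking on a host: a file inside the monitoring scope that also has a hard link outside the scope (or inside an exclusion) can be modified through that other link without OAFIM seeing it. The following added script (not Kaspersky code; the layout it builds under a temporary directory is constructed for the demonstration) walks one or more scope directories, prunes excluded directories, and reports every in-scope regular file whose kernel link count exceeds the number of paths found within the scope.

```python
"""Constructed check: find files in an OAFIM monitoring scope whose inode
also has hard links outside the scope or inside an exclusion."""
import os
import stat
import tempfile
from collections import defaultdict


def audit_hardlinks(scopes, exclusions=()):
    """Return {in-scope path: number of hard links the scope cannot see}."""
    excl = tuple(os.path.join(os.path.abspath(e), "") for e in exclusions)
    seen = defaultdict(list)  # (st_dev, st_ino) -> paths walked inside scope
    nlink = {}                # (st_dev, st_ino) -> link count from the kernel
    for scope in scopes:
        for root, dirs, files in os.walk(os.path.abspath(scope)):
            # Exclusions win over the scope: do not descend into them.
            dirs[:] = [d for d in dirs
                       if not os.path.join(root, d, "").startswith(excl)]
            for name in files:
                path = os.path.join(root, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode):
                    key = (st.st_dev, st.st_ino)
                    seen[key].append(path)
                    nlink[key] = st.st_nlink
    return {p: nlink[k] - len(ps) for k, ps in seen.items()
            for p in ps if nlink[k] > len(ps)}


def demo():
    """Constructed layout in a temp dir: scope/app.conf has a second link
    at outside/alias.conf; scope/a.conf and scope/sub/b.conf share an inode
    inside the scope. Returns findings relative to the scope directory."""
    with tempfile.TemporaryDirectory() as tmp:
        scope, outside = os.path.join(tmp, "scope"), os.path.join(tmp, "outside")
        os.makedirs(os.path.join(scope, "sub"))
        os.makedirs(outside)
        for rel in ("app.conf", "a.conf"):
            with open(os.path.join(scope, rel), "w") as f:
                f.write("key=value\n")
        os.link(os.path.join(scope, "app.conf"), os.path.join(outside, "alias.conf"))
        os.link(os.path.join(scope, "a.conf"), os.path.join(scope, "sub", "b.conf"))
        plain = audit_hardlinks([scope])
        # Excluding scope/sub hides sub/b.conf from the task, so a.conf is flagged too.
        excluded = audit_hardlinks([scope], exclusions=[os.path.join(scope, "sub")])
        rel = lambda d: {os.path.relpath(p, scope): n for p, n in d.items()}
        return rel(plain), rel(excluded)
```

Files reported here should either be brought fully inside the monitoring scope (the linked path as well) or have the extra links removed, since OAFIM does not calculate checksums and relies on intercepting the operation on a monitored path.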

Monitored parameters

Changes to the following parameters are monitored during the File Integrity Monitoring task run:

  • Content (write(), truncate(), and similar operations)
  • Metadata (ownership and permissions: chmod / chown)
  • Time stamps (utimensat())
  • Extended attributes (setxattr() and others)

The technical limitations of the Linux operating system prevent the File Integrity Monitoring component from detecting which administrator or process has made a change to a file.
