Kaspersky Endpoint Security 12 for Linux

Real-time System Integrity Monitoring

July 22, 2024

ID 197263

System Integrity Monitoring detects each change to an object within the monitoring scope by intercepting file operations in real time.

When System Integrity Monitoring runs, the application monitors the following kinds of changes to files:

  • Content (write(), truncate(), and similar operations)
  • Metadata (permissions and ownership: chmod, chown)
  • Timestamps (utimensat)
  • Extended attributes (setxattr and similar operations)

A file checksum is not calculated: detection is based on the intercepted operation, not on comparing the file's content with a stored hash.

Because of technical limitations of the Linux operating system, the application cannot identify the user or process that made the change to the file.
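The following is an added example, not Kaspersky code, that performs one operation from each change class listed above (content, metadata, timestamps, extended attributes) on a file in a throw-away temporary directory standing in for a monitoring scope, and then demonstrates the hard-link blind spot mentioned in the scope settings below. Running it inside a real monitoring scope is one way to check that each class of change produces an event; the directory names and the `user.sim_demo` attribute name are assumptions chosen for the demo.

```python
import os
import stat
import tempfile

# Added example (not Kaspersky code): perform one operation from each class of
# change that the component intercepts, plus the hard-link blind spot described
# in the scope settings. Everything runs in a temporary directory that stands
# in for a monitoring scope; the paths and attribute name are constructed.


def exercise_monitored_changes(scope_dir):
    """Perform one operation per monitored change class on scope_dir/target and
    return the set of classes exercised. 'xattr' is left out when the filesystem
    refuses user extended attributes (ENOTSUP on some tmpfs kernels)."""
    target = os.path.join(scope_dir, "target")
    exercised = set()

    # Content: write() and truncate().
    with open(target, "wb") as f:
        f.write(b"original content\n")
    os.truncate(target, 8)
    exercised.add("content")

    # Metadata: chmod() and chown(). A chown to our own uid/gid needs no privilege.
    os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)
    os.chown(target, os.getuid(), os.getgid())
    exercised.add("metadata")

    # Timestamps: os.utime(ns=...) is implemented with utimensat() on Linux.
    fixed_ns = 1_700_000_000 * 1_000_000_000
    os.utime(target, ns=(fixed_ns, fixed_ns))
    exercised.add("timestamps")

    # Extended attributes: setxattr() in the user.* namespace.
    try:
        os.setxattr(target, "user.sim_demo", b"1")
        exercised.add("xattr")
    except (AttributeError, OSError):
        pass  # non-Linux Python, or a filesystem without user xattrs
    return exercised


def hard_link_bypass(scope_dir, outside_dir):
    """Create a hard link outside the scope to a file inside it, then write
    through the outside name. Returns (same_inode, content seen via the
    in-scope path). Both names share one inode, so the in-scope file changes
    even though no operation ever named the in-scope path."""
    inside = os.path.join(scope_dir, "linked")
    outside = os.path.join(outside_dir, "alias")
    with open(inside, "wb") as f:
        f.write(b"before\n")
    os.link(inside, outside)
    # The only path named in this operation is the one outside the scope.
    with open(outside, "wb") as f:
        f.write(b"after\n")
    same_inode = os.stat(inside).st_ino == os.stat(outside).st_ino
    with open(inside, "rb") as f:
        content = f.read()
    return same_inode, content


def run_demo():
    """Run both demonstrations under a temporary root and return the results."""
    with tempfile.TemporaryDirectory() as root:
        scope = os.path.join(root, "scope")
        outside = os.path.join(root, "outside")
        os.mkdir(scope)
        os.mkdir(outside)
        classes = exercise_monitored_changes(scope)
        same_inode, content = hard_link_bypass(scope, outside)
    return {"classes": classes, "same_inode": same_inode, "content": content}


if __name__ == "__main__":
    print(run_demo())
```

The hard-link part is the practical reason to keep the whole filesystem subtree that holds a sensitive file inside one scope: the write lands in the in-scope file, but the intercepted operation carries only the out-of-scope path.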

System Integrity Monitoring is disabled by default. You can enable, disable, and configure System Integrity Monitoring:

  • Define monitoring scopes for System Integrity Monitoring. The application monitors operations on files within the monitoring scopes defined in the System Integrity Monitoring settings. At least one monitoring scope must be specified for the component to work. The Kaspersky internal objects scope (/opt/kaspersky/kesl/) is defined by default.

    You can specify several monitoring scopes, and you can change them while the component is running.

    Changes to an in-scope file (content or attributes) that are made through a hard link located outside the monitoring scope are not monitored.

  • Set up exclusion scopes for System Integrity Monitoring. Objects can be excluded by path or by name mask. Exclusions are defined for each individual monitoring scope and apply only to that scope. You can specify several exclusions per scope.

    An exclusion has a higher priority than a monitoring scope: an excluded object is skipped even if it is within the monitoring scope. If a monitoring scope is itself located below an excluded directory, the application skips that monitoring scope entirely.

When a directory is added to a monitoring or exclusion scope, the application does not check whether that directory exists.

In this section

Configuring System Integrity Monitoring in the Web Console

Configuring System Integrity Monitoring in the Administration Console

Configuring System Integrity Monitoring in the command line
