On-access File Integrity Monitoring (OAFIM)
Oct 22, 2023
While the OAFIM task is running, each object change is detected by intercepting file operations in real time. When an object changes, Kaspersky Endpoint Security sends an event to Kaspersky Security Center Administration Server. No file checksum is calculated while the task runs. The task does not monitor changes (to attributes or content) made to files through hard links that are outside the monitoring scope. The application monitors operations on the specific files or monitoring scopes specified in the task settings.
Monitoring scopes must be specified for the System Integrity Monitoring task. The administrator can change monitoring scopes in real-time mode. You can specify several monitoring scopes. If no monitoring scope is specified, task settings cannot be saved in the configuration file.
You can create exclusions for the monitoring scope. Exclusions are specified for each individual scope and only work for the indicated monitoring scope. You can specify several monitoring exclusions.
Exclusions have a higher priority than the monitoring scope: an excluded directory or file is not monitored by the task even if it lies within the monitoring scope. If one of the rules specifies a monitoring scope that is at a lower level than a directory specified in its exclusions, that monitoring scope is not considered when the task runs.
To specify exclusions, you can use the same command line shell masks that are used to specify monitoring scopes.
When a monitoring scope or exclusion scope is added, the application does not check whether the specified directory exists.
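To make the scope and exclusion rules above concrete, here is an added example (not Kaspersky's code) that models how a task configuration resolves to "monitored / not monitored" for a given path. The `TASK` structure, the function names and the use of Python's `fnmatch` as a stand-in for command line shell masks are all assumptions; the rules it encodes are the ones stated on this page: exclusions beat the scope they belong to, exclusions only act inside their own scope, a scope that sits below one of its own exclusion directories is ignored, an empty scope list cannot be saved, and no check is made that the directories exist.

```python
"""Hypothetical model of OAFIM monitoring-scope resolution (example code)."""
import fnmatch
import posixpath

# Constructed task configuration. Each rule is one monitoring scope with its
# own exclusions; exclusions use shell-style masks (fnmatch as an approximation).
TASK = [
    {"scope": "/etc", "exclusions": ["/etc/mtab", "/etc/*.tmp"]},
    {"scope": "/usr/local/bin", "exclusions": []},
    # Scope lies below its own exclusion directory: per the page, this rule
    # is not considered when the task runs.
    {"scope": "/var/lib/app/conf", "exclusions": ["/var/lib/app"]},
]


def _is_under(path: str, directory: str) -> bool:
    """True when path equals directory or lies somewhere inside it."""
    path = posixpath.normpath(path)
    directory = posixpath.normpath(directory)
    return path == directory or path.startswith(directory + "/")


def _matches(path: str, mask: str) -> bool:
    """An exclusion mask covers a path when the path is the mask itself,
    lies under it, or the path or one of its parents fits the shell mask."""
    path = posixpath.normpath(path)
    if _is_under(path, mask):
        return True
    current = path
    while current not in ("/", ""):
        if fnmatch.fnmatchcase(current, mask):
            return True
        current = posixpath.dirname(current)
    return False


def validate_task(task: list) -> None:
    """Mirror the page's saving rule: at least one scope is required.
    Directory existence is deliberately NOT checked (the task does not either)."""
    if not task:
        raise ValueError("at least one monitoring scope must be specified")
    for rule in task:
        if not rule.get("scope"):
            raise ValueError("every rule needs a monitoring scope")


def effective_rules(task: list) -> list:
    """Drop rules whose scope sits at or below one of their own exclusions."""
    validate_task(task)
    return [
        rule for rule in task
        if not any(_is_under(rule["scope"], exc) for exc in rule["exclusions"])
    ]


def is_monitored(task: list, path: str) -> bool:
    """Resolve a path against the task. Exclusions win over their own scope,
    but only within that scope: a path excluded by rule A can still be
    monitored by rule B."""
    for rule in effective_rules(task):
        if not _is_under(path, rule["scope"]):
            continue
        if any(_matches(path, exc) for exc in rule["exclusions"]):
            continue  # excluded here; another rule may still cover it
        return True
    return False


if __name__ == "__main__":
    for p in ("/etc/passwd", "/etc/mtab", "/etc/cache.tmp",
              "/usr/local/bin/tool", "/var/lib/app/conf/app.ini", "/home/u/x"):
        print(f"{p:28} monitored={is_monitored(TASK, p)}")
```

Note that `fnmatch`'s `*` also matches `/`, so `/etc/*.tmp` covers files in subdirectories of `/etc` as well; the real shell-mask semantics of the product may differ, which is why the example resolves each path against its parents too.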
Changes to the following settings are monitored when the System Integrity Monitoring task runs:
- Content (write(), truncate(), etc.)
- Metadata (ownership and permissions: chmod/chown)
- Timestamps (utimensat)
- Extended attributes (setxattr and others)
The technical limitations of the Linux operating system prevent the System Integrity Monitoring task from detecting which administrator or process made changes to the file.