System Integrity Monitoring task (System_Integrity_Monitoring, ID:11)

The System Integrity Monitoring task is designed to track actions performed on files and directories in the monitoring scope specified in the task settings. You can use the task to find file changes that may indicate a security breach on a protected server.

To use the task, a license that includes the corresponding function is required.

System Integrity Monitoring can be performed in real-time when you run the On-access File Integrity Monitoring (OAFIM) task. You can also create and run On-demand File Integrity Monitoring (ODFIM) tasks.

Both OAFIM and ODFIM tasks send notifications about changes to an object access control list. For the OAFIM task, details about what exactly was changed are not reported. For the ODFIM task, information about attribute changes and file/directory moves are reported.

In this Help section

On-access File Integrity Monitoring (OAFIM)

On-demand File Integrity Monitoring (ODFIM)

On-access File Integrity Monitoring task settings

On-demand File Integrity Monitoring settings

Page top

On-access File Integrity Monitoring (OAFIM)

While the OAFIM task is running, each object change is determined through real-time interception of file operations in real-time mode. When an object changes, Kaspersky Embedded Systems Security sends an event to Kaspersky Security Center Administration Server. A file checksum is not calculated during the task run. The application task does not monitor changes in files (attributes and content) with hard links that are outside the monitoring scope. The application monitors operations on specific files or the monitoring scopes specified in the task settings.

Monitoring scopes

Monitoring scopes must be specified for the System Integrity Monitoring task. The administrator can change monitoring scopes in real-time mode. You can specify several monitoring scopes. If no monitoring scope is specified, task settings cannot be saved in the configuration file.

Monitoring exclusions

You can create exclusions for the monitoring scope. Exclusions are specified for each individual scope and only work for the indicated monitoring scope. You can specify several monitoring exclusions.

Exclusions have a higher priority than the monitoring scope and are not monitored by a task, even if a specific directory or file is in the monitoring scope. If the settings for one of the rules specify a monitoring scope that is at a lower level than a directory specified in exclusions, the monitoring scope is not considered when the task is run.

To specify exclusions, you can use the same command line shell masks that are used to specify monitoring scopes.

When a monitoring scope or exclusion scope is added, the application does not check whether the specified directory exists.

Monitored settings

Changes to the following settings are monitored when the System Integrity Monitoring task runs:

Content (write (), truncate (), etc.)
Metadata (possession rights (chmod/chown))
Time stamps (utimensat)
Extended attributes ((setxattr) and others)

The technical limitations of the Linux operating system prevent the System Integrity Monitoring task from detecting which administrator or process made changes to the file.

Page top

On-demand File Integrity Monitoring (ODFIM)

While the ODFIM task is running, each object change is determined by comparing the current state of the monitored object to its original state, which was previously established as a baseline.

The baseline is created during the first run of the ODFIM task on the device. You can create several ODFIM tasks. For each ODFIM task, a separate baseline is created. The task is performed only if the baseline corresponds to the monitoring scope. If the baseline does not match the monitoring scope, Kaspersky Embedded Systems Security creates a system integrity violation event. The baseline contains paths to monitored objects and their metadata. The baseline may also contain personal data.

The baseline is rebuilt after an ODFIM task has finished. You can rebuild a baseline for the task using the RebuildBaseline setting. Also, a baseline is rebuilt when the settings of a task change, for example, if a new monitoring scope is added. The baseline will be rebuilt during the next task run. You can delete a baseline by deleting the corresponding ODFIM task.

The ODFIM task creates a baseline storage on the device that has the System Integrity Monitoring component installed. By default, the storage for baselines is located in /var/opt/kaspersky/kess/private/fim.db. Root privileges are required to access a database that contains baselines.

Page top

On-access File Integrity Monitoring task settings

The table describes all available values and default values of all the settings that you can specify for the On-access File Integrity Monitoring task.

On-access File Integrity Monitoring task settings

Setting	Description	Values

`UseExcludeMasks`	Enables monitoring scope exclusions for objects specified by the `ExcludeThreats.item_#` setting. This setting only applies if a value is specified for the `ExcludeMasks.item_#` setting.	`Yes` — Exclude objects specified by the `ExcludeMasks.item_#` setting from the monitoring scope. `No` (default value) — Do not exclude objects specified by the `ExcludeMasks.item_#` setting from the monitoring scope.
`ExcludeMasks.item_#`	Excludes objects from monitoring by names or masks. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format. Before specifying a value for this setting, make sure that the `UseExcludeMasks` setting is enabled. You can specify several masks. Each mask must be specified on a new line with a new index.	The default value is not defined.
The [ScanScope.item_#] section contains the monitoring scopes of the System Integrity Monitoring task. At least one monitoring scope must be specified for the task. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of monitoring scope; contains additional information about the monitoring scope.	The default value is not defined.
`UseScanArea`	Enables monitoring of the specified scope.	`Yes` (default value) — Monitor the specified scope. `No` — Do not monitor the specified scope.
`Path`	Path to the monitoring directory.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. Default value: /opt/kaspersky/kess/
`AreaMask.item_#`	Monitoring scope limitation. Within the monitoring scope, the application scans only the objects that are specified using the masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (all objects are monitored)
The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. The objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. The format of the [ExcludedFromScanScope.item_#] section is similar to the format of the [ScanScope.item_#] section. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the monitoring exclusion scope, which contains additional information about the monitoring exclusion scope.	The default value is not defined.
`UseScanArea`	Excludes the specified scope from monitoring.	`Yes` (default value) — Exclude the specified scope from monitoring. `No` — Do not exclude the specified scope from monitoring.
`Path`	Path to the directory with objects excluded from monitoring.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. The default value is not defined.
`AreaMask.item_#`	Limitation of monitoring exclusion scope. In the monitoring exclusion scope, the application only excludes the objects that are specified using masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (exclude all objects from monitoring)

Page top

On-demand File Integrity Monitoring settings

The table describes all available values and default values of all the settings that you can specify for the On-demand File Integrity Monitoring task.

On-demand File Integrity Monitoring settings

Setting	Description	Values

`RebuildBaseline`	Enables rebuilding a baseline after the ODFIM task has finished.	`Yes` — Rebuild a baseline after the ODFIM task has finished. `No` (default value) — Do not rebuild a baseline after the ODFIM task has finished.
`CheckFileHash`	Enables hash check (SHA-256).	`Yes` — Enable hash check. `No` (default value) — Disable hash check.
`TrackDirectoryChanges`	Enables directory monitoring.	`Yes` — Monitor directories. `No` (default value) — Do not monitor directories.
`TrackLastAccessTime`	Enables tracking last file access time. In the Linux operating systems it is the `noatime` setting.	`Yes` — Track last file access time. `No` (default value) — Do not track last file access time.
`UseExcludeMasks`	Enables monitoring scope exclusions for objects specified by the `ExcludeMasks_#` setting. This setting only applies if a value is specified for the `ExcludeMasks_#` setting.	`Yes` — Exclude objects specified by the `ExcludeMasks_#` setting from the monitoring scope. `No` (default value) — Do not exclude objects specified by the `ExcludeMasks_#` setting from the monitoring scope.
`ExcludeMasks_#`	Excludes objects from monitoring by names or masks. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format. Before specifying a value for this setting, make sure that the `UseExcludeMasks` setting is enabled. You can specify several masks. Each mask must be specified on a new line with a new index.	The default value is not defined.
The [ScanScope.item_#] section contains the monitoring scopes of the System Integrity Monitoring task. At least one monitoring scope must be specified for the task. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of monitoring scope; contains additional information about the monitoring scope.	The default value is not defined.
`UseScanArea`	Enables monitoring of the specified scope.	`Yes` (default value) — Monitor the specified scope. `No` — Do not monitor the specified scope.
`Path`	Path to the monitoring directory.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. Default value: /opt/kaspersky/kess/
`AreaMask.item_#`	Monitoring scope limitation. Within the monitoring scope, the application scans only the objects that are specified using the masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (all objects are monitored)
The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. The objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. The format of the [ExcludedFromScanScope.item_#] section is similar to the format of the [ScanScope.item_#] section. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the monitoring exclusion scope, which contains additional information about the monitoring exclusion scope.	The default value is not defined.
`UseScanArea`	Excludes the specified scope from monitoring.	`Yes` (default value) — Exclude the specified scope from monitoring. `No` — Do not exclude the specified scope from monitoring.
`Path`	Path to the directory with objects excluded from monitoring.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. The default value is not defined.
`AreaMask.item_#`	Limitation of monitoring exclusion scope. In the monitoring exclusion scope, the application only excludes the objects that are specified using masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (exclude all objects from monitoring)

Page top

Contents

System Integrity Monitoring task (System_Integrity_Monitoring, ID:11)

On-access File Integrity Monitoring (OAFIM)

On-demand File Integrity Monitoring (ODFIM)

On-access File Integrity Monitoring task settings

On-demand File Integrity Monitoring settings