fanotify and inotify Watch Limitations in Linux Agent 3.2.0

Due to security enhancements for File Integrity Monitoring (FIM) rules added in Linux Agent 3.2.0, F5 Distributed Cloud App Infrastructure Protection (AIP) recommends that you do not exceed 50,000 watches, to avoid high Agent memory use. If needed, you can raise the Agent's memory limits using systemd or Kubernetes.

Distributed Cloud AIP's FIM capabilities use Linux's fanotify and inotify APIs to monitor changes to files. These APIs do not have configurable limits, but you can check the current count of fim.fanotify.watches and fim.inotify.watches with the following command:

sudo tsagent stats

Estimate fanotify and inotify Watches

To estimate the number of fanotify and/or inotify watches in your environment, verify how many files and directories FIM will watch at runtime with the following commands:

Files (for fanotify watches)

  • If recursive: find dir | wc -l
  • If non-recursive: find dir -maxdepth 1 | wc -l

Directories (for inotify watches)

find dir -type d | wc -l

Note

If you have directories as watch targets with the recursive setting set to false, the Agent still watches all files directly in that directory.
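The following script is an added example, not part of this article or of the Agent itself. It wraps the find | wc -l counts above into functions, estimates the fanotify and inotify watches for a target directory in both recursive and non-recursive modes, and compares the total with the 50,000-watch recommendation. It builds a small constructed directory tree with mktemp so it runs anywhere; the assumption that a non-recursive target needs one inotify watch (on the directory itself) is this example's, not the article's.

```shell
#!/bin/sh
# Added example (not from the F5 article): estimate fanotify (file) and
# inotify (directory) watches for a FIM target and compare with the
# article's recommended ceiling.

WATCH_LIMIT=50000   # recommended maximum from the article

# fanotify estimate: all entries under DIR (recursive), or only the entries
# directly in DIR (non-recursive), matching the article's counting.
count_fanotify() {
    dir=$1; recursive=$2
    if [ "$recursive" = "true" ]; then
        find "$dir" | wc -l | tr -d ' '
    else
        find "$dir" -maxdepth 1 | wc -l | tr -d ' '
    fi
}

# inotify estimate: every directory under DIR when recursive; a
# non-recursive target is assumed to need a watch on DIR itself only.
count_inotify() {
    dir=$1; recursive=$2
    if [ "$recursive" = "true" ]; then
        find "$dir" -type d | wc -l | tr -d ' '
    else
        find "$dir" -maxdepth 0 -type d | wc -l | tr -d ' '
    fi
}

# Prints "fanotify inotify total" for one target.
estimate_target() {
    f=$(count_fanotify "$1" "$2")
    i=$(count_inotify "$1" "$2")
    echo "$f $i $((f + i))"
}

# Exit status 0 when TOTAL is within the recommendation, 1 otherwise.
within_limit() {
    [ "$1" -le "$WATCH_LIMIT" ]
}

# Constructed sample tree so the script runs offline:
#   root/a.txt root/b.txt root/sub/c.txt root/sub/deep/d.txt
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/root/sub/deep"
    : > "$base/root/a.txt"; : > "$base/root/b.txt"
    : > "$base/root/sub/c.txt"; : > "$base/root/sub/deep/d.txt"
    echo "$base/root"
}

root=$(make_sample_tree)
for rec in true false; do
    est=$(estimate_target "$root" "$rec")
    total=${est##* }
    echo "recursive=$rec: fanotify/inotify/total = $est"
    if within_limit "$total"; then
        echo "  within the $WATCH_LIMIT-watch recommendation"
    else
        echo "  exceeds $WATCH_LIMIT: raise Agent memory limits or narrow the rule"
    fi
done
rm -rf "$(dirname "$root")"
```

Replace make_sample_tree with your real watch target paths and run it once per FIM rule; sum the totals across rules to compare against the value that sudo tsagent stats reports after the Agent starts.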
