For information about the type of data App Infrastructure Protection (AIP) collects through the AIP Cloud Security Platform, see AIP Cloud Security Platform (CSP) Data Collection.
The AIP Agent only collects security metadata from your environment. Your team controls where Agents are deployed, which Agents to adopt, and the AWS accounts with which to integrate.
The AIP Agent collects and monitors the following data:

| Data | Description | Notes |
|---|---|---|
| Process Audit Information | Subscribes to public-facing Linux kernel APIs for events about processes starting, stopping, and making network connections. The kernel reports these as 'audit' events, and includes information from Docker and /proc. | AIP is not a kernel module. |
| User Information | Login and command-level activity of users. This includes user TTY timelines, file copies, privilege escalations, login failures, etc. | |
| File Integrity Monitoring | Using the Linux kernel's inotify and fanotify APIs, tracks file access, modifications, deletions, and creations, and maps them back to a process. | If the kernel is not >= 2.6.37, fanotify is not available and we only track generic file events. |
| Vulnerability Assessment | We pull the entire package manifest of all installed software (name and version numbers only) to our platform, which we scan for known vulnerable versions based on our database of CVEs. | For more information, see Vulnerability Assessment Feature. |

AWS Data Collected
AIP also collects information from the Amazon Web Services (AWS) accounts that you integrate with AIP. The AIP AWS integrations use read-only policies for a cross-account trust with AIP. AIP collects metadata about these resources. Resources are identified and listed by their Amazon Resource Name (ARN).
There are several integration options. When enabled, these collect the following information:

| Integration | Data collected |
|---|---|
| EC2 Integration | Receives, stores, and visualizes information about various EC2 resources. This includes information on running instances, with or without the AIP Stack Agent installed. |
| CloudTrail | Periodically downloads the full event JSON from the S3 storage bucket. |
| Configuration Auditing (legacy product) | Performs daily or on-demand audits of resources within several AWS services, such as: EC2, CloudTrail, IAM, RDS, S3. |

These results and the configuration information about these resources are limited to a listing of the respective AWS ARN and whether the resource passed or failed a policy evaluation.