Create a File Integrity Rule

A file integrity rule alerts you to changes to critical files on your system. You can configure File Integrity Monitoring (FIM) in the F5 Distributed Cloud App Infrastructure Protection (AIP) Rules tab. For additional information about FIM, see File Integrity Monitoring (FIM) Overview.

Note

With the release of the Linux Agent 2.2, File Integrity Monitoring (FIM) has been refactored in Go. It still uses the same underlying filesystem APIs, fanotify and inotify. FIM is now enabled by default, and configuring a FIM rule lets Distributed Cloud AIP monitor user access to the file paths you designate in Distributed Cloud AIP. See the Linux Agent Release Changelog for additional information on FIM enhancements in the 2.2 Agent.

Create a FIM Rule
  1. Navigate to the Rules tab and select a ruleset from the list.
  2. Click the + New Rule button.


    Note

    You can create a rule in any ruleset to suit your organization's needs. In this example, the new rule is added to the Base Rule Set.

  3. The Add Host Rule dialog displays.


  4. Select File Integrity Rule from the list and click Next: Details to proceed.


  5. The Add File Rule dialog displays. Specify the file rule details:
    1. Severity of alerts: Three levels indicate how serious the alerted behavior is.
      • Severity 1 is the highest severity.
      • Severity 2 is the second highest severity.
      • Severity 3 is the third highest (lowest) severity.
    2. Rule Name (Required): The name of the rule.
    3. Alert Title (Required): The title of the alert. It can include substitutions (dynamic content) that add context to the alert.
    4. Alert Description: A brief summary of the alert.
    5. Aggregate Fields: Define what makes an alert unique. Review the Rule Aggregation article for additional information about aggregate options.
    6. Trigger an alert if an event matching this rule occurs at least: The frequency threshold for generating an alert. You can specify how often a matching event must occur within a certain time frame before an alert is raised. For additional information, see Life Cycle of an Alert.


  6. After making your selection, click Next: File Paths.


  7. The File Rule Paths pane displays. You can specify file paths to monitor.


    Notes

    • Enabling recursive monitoring for a specific file path allows Distributed Cloud AIP to monitor changes in that directory and all of its subdirectories.
    • If you include a backslash (\) character in a FIM rule, then performance issues may occur. Do not include the backslash (\) character in your FIM rules.

    Tip

    If you have integrated your Amazon Web Services (AWS) account into Distributed Cloud AIP, the Deployment Options pane appears next. You can specify AWS EC2 tags for this rule and automatically assign the rule to all associated hosts. For additional information, see AWS EC2 Tags.

    However, if you do not see the Deployment interface, then your Distributed Cloud AIP AWS EC2 Agent correlation is not enabled. Follow the steps in Automatically Integrate with AWS using CloudFormation to enable this integration.

  8. After specifying a file path and FIM events to monitor, click Create Rule.


  9. The rule is created and appears on the Rules page.


Exceptions for FIM Create, Delete, and Move Events

The Distributed Cloud AIP Agent depends on inotify to populate FIM events. Because of inotify limitations, Distributed Cloud AIP cannot provide information about the user who triggers a FIM Create, Delete, or Move event. Additionally, inotify cannot distinguish between events that inotify triggers and events that other processes trigger. As a result, the Distributed Cloud AIP Linux Host Agent does not provide the following fields for FIM Create, Delete, or Move events:

  • containerID
  • containerImage
  • containerLabel
  • gid
  • group
  • pid
  • ppid
  • session
  • uid
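The missing fields follow from the shape of the records inotify hands to user space. The following Python parser is an added example (not F5 or agent code): it decodes constructed struct inotify_event records, labels them with mask bits from <sys/inotify.h>, and pairs moved_from/moved_to records by cookie the way an agent reconstructs a Move event. A record carries only wd, mask, cookie, len and name, so user and process identity must come from elsewhere; the sample bytes are constructed.

```python
import struct
# Mask bits from <sys/inotify.h> (Linux) used to label the records below.
IN_MODIFY, IN_CREATE, IN_DELETE = 0x00000002, 0x00000100, 0x00000200
IN_MOVED_FROM, IN_MOVED_TO = 0x00000040, 0x00000080
MASK_NAMES = {IN_MODIFY: "modify", IN_CREATE: "create", IN_DELETE: "delete",
              IN_MOVED_FROM: "moved_from", IN_MOVED_TO: "moved_to"}
# Fixed part of struct inotify_event: int wd; uint32 mask, cookie, len; then name[len].
HDR = struct.Struct("=iIII")

def parse_inotify_buffer(buf: bytes) -> list[dict]:
    """Decode the records a read() on an inotify descriptor returns. There is no uid,
    gid, pid or session in a record, which is why create/delete/move alerts lack them."""
    events, off = [], 0
    while off + HDR.size <= len(buf):
        wd, mask, cookie, name_len = HDR.unpack_from(buf, off)
        off += HDR.size
        # name is NUL-terminated and NUL-padded; len covers the padding.
        name = buf[off:off + name_len].split(b"\0", 1)[0].decode()
        off += name_len
        kinds = [label for bit, label in MASK_NAMES.items() if mask & bit]
        events.append({"wd": wd, "kind": kinds[0] if kinds else "other",
                       "cookie": cookie, "name": name})
    return events

def pair_moves(events: list[dict]) -> list[dict]:
    """Join moved_from/moved_to records sharing a cookie into one 'move' event,
    which is how an agent reconstructs a rename from two inotify records."""
    pending, out = {}, []
    for ev in events:
        if ev["kind"] == "moved_from":
            pending[ev["cookie"]] = ev
        elif ev["kind"] == "moved_to" and ev["cookie"] in pending:
            src = pending.pop(ev["cookie"])
            out.append({**ev, "kind": "move", "name": src["name"], "new_name": ev["name"]})
        else:
            out.append(ev)
    return out + list(pending.values())  # unmatched moved_from: file left the watched tree

def build_record(wd: int, mask: int, cookie: int, name: str) -> bytes:
    """Constructed kernel-shaped record for the sample below (not a capture)."""
    raw = name.encode() + b"\0"
    raw += b"\0" * (-len(raw) % 16)  # the kernel NUL-pads len up to a multiple of 16
    return HDR.pack(wd, mask, cookie, len(raw)) + raw

# Constructed sample: an atomic config update (write temp, rename over) then a delete.
SAMPLE = b"".join([build_record(1, IN_CREATE, 0, "nginx.conf.tmp"),
                   build_record(1, IN_MODIFY, 0, "nginx.conf.tmp"),
                   build_record(1, IN_MOVED_FROM, 0x1234, "nginx.conf.tmp"),
                   build_record(1, IN_MOVED_TO, 0x1234, "nginx.conf"),
                   build_record(1, IN_DELETE, 0, "old.conf")])
```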