FAQ: Exceptions for FIM Create, Delete, and Move Events

The Threat Stack Agent depends on inotify to populate FIM events. Due to inotify limitations, Threat Stack cannot provide information about the user that triggers a FIM Create, Delete, or Move event. Additionally, inotify cannot distinguish between events that inotify triggers and events that other processes trigger. As a result, the Threat Stack Linux Host 1.x and 2.x series Agents will not provide the following information for FIM Create, Delete, or Move events:

  • containerID
  • containerImage
  • containerLabel
  • gid
  • group
  • pid
  • ppid
  • session
  • uid
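
The limitation comes from the event record itself. The following added example (not Threat Stack Agent code; the helper names and the sample buffer are constructed for illustration) decodes raw `struct inotify_event` records and shows that a create, delete, or move record carries only a watch descriptor, a mask, a cookie, and a file name, so none of the fields listed above can be derived from it:

```python
import struct

# Event mask bits, values from <sys/inotify.h>
KINDS = {0x100: "create", 0x200: "delete", 0x40: "move_from", 0x80: "move_to"}
# struct inotify_event header: int wd; uint32_t mask; uint32_t cookie; uint32_t len
HEADER = struct.Struct("=iIII")
# Fields the article lists as absent from FIM Create, Delete, and Move events
MISSING = {"containerID", "containerImage", "containerLabel", "gid", "group",
           "pid", "ppid", "session", "uid"}

def pack_event(wd, mask, cookie, name):
    """Build one constructed record: header followed by a NUL-padded name."""
    raw = name.encode() + b"\0"
    raw += b"\0" * (-len(raw) % 16)
    return HEADER.pack(wd, mask, cookie, len(raw)) + raw

def parse_events(buf):
    """Decode every record in a buffer as read(2) on an inotify fd returns it."""
    events, off = [], 0
    while off < len(buf):
        if off + HEADER.size > len(buf):
            raise ValueError("truncated header")
        wd, mask, cookie, length = HEADER.unpack_from(buf, off)
        off += HEADER.size
        if off + length > len(buf):
            raise ValueError("truncated name")
        name = buf[off:off + length].split(b"\0", 1)[0].decode()
        off += length
        kinds = [label for bit, label in KINDS.items() if mask & bit]
        events.append({"wd": wd, "kinds": kinds, "cookie": cookie, "name": name})
    return events

def pair_moves(events):
    """Join the two halves of a rename, which share a cookie, into (old, new)."""
    pending, moves = {}, []
    for ev in events:
        if "move_from" in ev["kinds"]:
            pending[ev["cookie"]] = ev["name"]
        elif "move_to" in ev["kinds"] and ev["cookie"] in pending:
            moves.append((pending.pop(ev["cookie"]), ev["name"]))
    return moves

# Constructed sample: create a.txt, rename it to b.txt, delete b.txt (watch 1)
SAMPLE = (pack_event(1, 0x100, 0, "a.txt") + pack_event(1, 0x40, 7, "a.txt")
          + pack_event(1, 0x80, 7, "b.txt") + pack_event(1, 0x200, 0, "b.txt"))

if __name__ == "__main__":
    decoded = parse_events(SAMPLE)
    for ev in decoded:
        print(ev)
    print("renames:", pair_moves(decoded))
    print("actor fields present:", MISSING & set().union(*decoded))
```
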