Linux - File Integrity Monitoring Issues (FIM)
Ensure that the Linux agent is installed in the respective machine. (Location: /opt/ManageEngine/EventLogAnalyzer_Agent)
Check whether the agent service responds to the start and stop commands:
To start: service auditd start
Executing ps aux | grep EventLogAnalyzerFIMAgent in terminal should display: /opt/ManageEngine/EventLogAnalyzer_Agent/bin/EventLogAnalyzerFIMAgent
To stop the service: service auditd stop
Execute auditctl -l | grep ELA_FIM and check whether the files that are to be monitored are displayed.
Execute getenforce and ensure that SELinux is in either Permissive or Disabled mode.
Steps to change "Enforced" to "Permissive":
Temporary (until the next reboot): setenforce Permissive
Permanent:
Navigate to /etc/selinux/config
Ensure "SELINUX=permissive" is provided.
Restart the Linux server.
Ensure that the following lines are not present in /etc/audit/audit.rules:
-a never,task (Reason: Syscall block rule)
-e 2 (Reason: Immutable rule)
On SUSE, open /etc/sysconfig/auditd and ensure it contains AUDITD_DISABLE_CONTEXTS="no".
If the above doesn't help, please send us the below details for analysis.
Agent OS details (command: uname -a)
Exact OS name (command: cat /etc/redhat-release)
Audit version (command: auditctl -v)
Generate a sample event of each type (CREATE, MODIFY, DELETE, RENAME and PERMISSIONCHANGE), then execute ausearch -i > aureport_fileevents.txt and collect the generated file.
The audit rules file (location: /etc/audit/audit.rules).
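The checks above and the support-detail collection can be scripted so that they are run the same way on every agent host. The script below is an added example and is not ManageEngine's own tooling; it only uses the paths and commands given on this page. The check functions take a file path or a string, so they can be exercised against constructed sample files without auditd present; the "--live" mode runs the real commands, and "--collect" gathers the files requested in the last section. It goes slightly beyond the page in two places, both marked in comments: the syscall block rule is matched in both its "never,task" and "task,never" spellings, and /etc/os-release is read when /etc/redhat-release does not exist (for example on SUSE).

```shell
#!/bin/sh
# Added troubleshooting helper (not ManageEngine's script) for the Linux FIM agent.
# Paths below are the ones named on this page.
AGENT_HOME="/opt/ManageEngine/EventLogAnalyzer_Agent"
AGENT_BIN="$AGENT_HOME/bin/EventLogAnalyzerFIMAgent"
AUDIT_RULES="/etc/audit/audit.rules"
SUSE_AUDITD="/etc/sysconfig/auditd"

# SELinux must report Permissive or Disabled (argument: output of getenforce).
selinux_mode_ok() {
    case "$1" in
        Permissive|Disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 1 and print each blocking rule found in an audit.rules file.
# Generalisation: "task,never" is accepted as the same rule as "never,task".
audit_rules_ok() {
    bad=0
    if grep -Eq '^[[:space:]]*-a[[:space:]]+(never,task|task,never)' "$1"; then
        echo "blocking rule: -a never,task (syscall block rule)"; bad=1
    fi
    if grep -Eq '^[[:space:]]*-e[[:space:]]+2([[:space:]]|$)' "$1"; then
        echo "blocking rule: -e 2 (immutable rule)"; bad=1
    fi
    return $bad
}

# SUSE: AUDITD_DISABLE_CONTEXTS must be "no" (spaces and quotes tolerated).
suse_contexts_ok() {
    grep -Eq '^[[:space:]]*AUDITD_DISABLE_CONTEXTS[[:space:]]*=[[:space:]]*"?no"?[[:space:]]*$' "$1"
}

# Number of loaded rules tagged ELA_FIM in saved `auditctl -l` output.
ela_fim_rule_count() {
    grep -c 'ELA_FIM' "$1" || true
}

run_live_checks() {
    if [ -x "$AGENT_BIN" ]; then echo "agent binary present: $AGENT_BIN"
    else echo "MISSING: $AGENT_BIN"; fi
    if pgrep -f EventLogAnalyzerFIMAgent >/dev/null; then echo "agent process running"
    else echo "agent process NOT running (try: service auditd start)"; fi
    mode=$(getenforce 2>/dev/null || echo unknown)
    if selinux_mode_ok "$mode"; then echo "SELinux mode ok: $mode"
    else echo "SELinux mode is $mode: run setenforce Permissive and fix /etc/selinux/config"; fi
    tmp=$(mktemp); auditctl -l >"$tmp" 2>/dev/null || true
    echo "ELA_FIM rules loaded: $(ela_fim_rule_count "$tmp")"; rm -f "$tmp"
    if [ -f "$AUDIT_RULES" ]; then
        audit_rules_ok "$AUDIT_RULES" && echo "audit.rules: no blocking rules"
    fi
    if [ -f "$SUSE_AUDITD" ]; then
        if suse_contexts_ok "$SUSE_AUDITD"; then echo "SUSE: AUDITD_DISABLE_CONTEXTS ok"
        else echo "SUSE: set AUDITD_DISABLE_CONTEXTS=\"no\" in $SUSE_AUDITD"; fi
    fi
}

# Gather the details the page asks for when the checks above do not resolve the issue.
# Generate the sample CREATE/MODIFY/DELETE/RENAME/PERMISSIONCHANGE events before running this.
collect_support_bundle() {
    out="${1:-ela_fim_support}"; mkdir -p "$out"
    uname -a >"$out/uname.txt"
    # /etc/os-release fallback is an addition for non-RHEL hosts.
    cat /etc/redhat-release >"$out/os.txt" 2>/dev/null || cat /etc/os-release >"$out/os.txt"
    auditctl -v >"$out/audit_version.txt" 2>&1
    cp "$AUDIT_RULES" "$out/audit.rules" 2>/dev/null
    ausearch -i >"$out/aureport_fileevents.txt" 2>&1
    echo "collected in $out"
}

case "${1:-}" in
    --live)    run_live_checks ;;
    --collect) collect_support_bundle "${2:-}" ;;
esac
```

Run it as root with `--live` on the agent host to get a one-screen verdict on each check, and with `--collect <dir>` after generating the sample file events to produce the bundle to send for analysis.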