Linux - File Integrity Monitoring Issues (FIM) 

1. Ensure that the Linux agent is installed in the respective machine. (Location: /opt/ManageEngine/EventLogAnalyzer_Agent)

2. Check whether the agent service responds to the start and stop commands:

1. To start: service auditd start

1. Executing ps aux | grep EventLogAnalyzerFIMAgent in terminal should display: /opt/ManageEngine/EventLogAnalyzer_Agent/bin/EventLogAnalyzerFIMAgent

2. To stop the service: service auditd stop

3. Execute auditctl -l |grep ELA_FIM and check whether the files that are to be monitored are displayed.

4. Execute getenforce and ensure that SELinux is in either Permissive or Disabled mode.

1. Steps to change "Enforced" to "Permissive":

1. Temporary: setEnforce Permissive

2. Permanent:

1. Navigate to /etc/selinux/config

2. Ensure "SELINUX=permissive" is provided.

3. Restart Linux server

5. Ensure these lines should not be in /etc/audit/audit.rules

1. -a never,task (Reason: Syscall block rule)

2. -e 2  (Reason: Immutable rule)

6. In SUSE, open /etc/sysconfig/auditd and ensure AUDITD_DISABLE_CONTEXTS = no

If the above doesn't help, please send us the below details for analysis.

1. Agent OS details (command: uname -a)

2. Exact OS name (command: cat /etc/redhat-release)

3. Audit version (command: auditctl -v)

4. Create a sample CREATE.MODIFY,DELETE,RENAME and PERMISSIONCHANGE event, execute ausearch -i > aureport_fileevents.txt and collect the generated file.

5. Rules of audit. (location: /etc/audit/audit.rules)