File integrity monitoring detects file changes to critical areas of containers by comparing their current state to a pre-established baseline. It scans files for unexpected changes and logs an event if a deviation is found, providing visibility into potential security threats.
File integrity monitoring rules enable the scan engine to determine which folders to monitor and which file names to exclude. You can use Trend-managed rules, which are predefined, or create your own custom rules to better suit your environment.
You can enable file integrity monitoring when you add a new cluster in Container Security, or you can upgrade the Helm chart for existing clusters by adding the following to the overrides.yaml file:
    fileIntegrityMonitoring:
        enabled: true
After file integrity monitoring is enabled and rules are added to a policy, you can view events in Cloud Security > Container Security > Log > File Integrity Monitoring when file changes occur.

Create custom, user-managed rules

  1. Go to Cloud Security > Container Security > Configuration.
  2. Click Object management and go to the File integrity monitoring rules page.
  3. Click +Add.
  4. After entering the rule name and description, define the scope. The rule scope determines what files are monitored.
    • Base directory(ies): Enter the directories to monitor. You can specify multiple directories in a rule.
    • Scan sub-directories: Select to also scan files in the sub-directories of the specified directories.
    • Scan host files: Select to scan files located in the host’s file system.
      Note
      Enabling scan host files can sometimes impact scan performance.
    • Filenames to include/exclude: Specify particular file names to include or exclude. Exclusions take priority over inclusions, so a file name that matches both lists is excluded.
Note
Trend-managed rules cannot be modified or deleted but can be duplicated to create a new custom rule that can then be edited.
After creating custom rules, you can manage these rules from the File integrity monitoring rules page.
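The following is an added example, not Trend Micro's code, that shows in plain Python what the rule scope above and the baseline comparison described at the top of the page amount to: a rule with base directories, a sub-directory flag, and include/exclude name patterns (exclusions winning), a baseline of SHA-256 digests for every file in scope, and a rescan that reports created, modified and deleted files as events. The rule field names, the use of shell-style glob patterns for "file names", and the sample directory tree are assumptions made for the example.

```python
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class FimRule:
    """Scope of a hypothetical FIM rule (field names are assumptions, not the product's schema)."""
    name: str
    base_directories: list
    scan_subdirectories: bool = True
    include: list = field(default_factory=lambda: ["*"])   # file-name globs to include
    exclude: list = field(default_factory=list)            # file-name globs to exclude

    def matches(self, filename: str) -> bool:
        # Exclusions have priority: a name matching both lists is excluded.
        if any(fnmatch.fnmatch(filename, p) for p in self.exclude):
            return False
        return any(fnmatch.fnmatch(filename, p) for p in self.include)

    def files_in_scope(self):
        """Yield full paths of every file the rule covers."""
        for base in self.base_directories:
            if self.scan_subdirectories:
                walker = os.walk(base)
            else:  # top level of the base directory only
                walker = [(base, [], [e.name for e in os.scandir(base) if e.is_file()])]
            for dirpath, _, filenames in walker:
                for fn in filenames:
                    if self.matches(fn):
                        yield os.path.join(dirpath, fn)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(rule: FimRule) -> dict:
    """Map each in-scope path to its digest; this is the pre-established baseline."""
    return {p: sha256_of(p) for p in rule.files_in_scope()}


def compare(baseline: dict, current: dict) -> list:
    """Return (event, path) tuples for every deviation from the baseline."""
    events = []
    for p, digest in current.items():
        if p not in baseline:
            events.append(("created", p))
        elif baseline[p] != digest:
            events.append(("modified", p))
    for p in baseline:
        if p not in current:
            events.append(("deleted", p))
    return sorted(events)


def write(path: str, text: str) -> None:
    with open(path, "w") as f:
        f.write(text)


def demo() -> list:
    """Constructed directory tree: baseline it, simulate drift, return events relative to the base."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.makedirs(os.path.join(etc, "ssh"))
        write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/sh\n")
        write(os.path.join(etc, "ssh", "sshd_config"), "PermitRootLogin no\n")
        write(os.path.join(etc, "cache.tmp"), "scratch\n")          # excluded by the rule
        rule = FimRule("etc-watch", [etc], scan_subdirectories=True,
                       include=["*"], exclude=["*.tmp"])
        baseline = build_baseline(rule)

        # Simulated drift after the baseline was taken
        write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        write(os.path.join(etc, "rc.local"), "#!/bin/sh\n")
        os.remove(os.path.join(etc, "ssh", "sshd_config"))
        write(os.path.join(etc, "cache.tmp"), "changed, but excluded\n")  # must not produce an event

        events = compare(baseline, build_baseline(rule))
        return [(kind, os.path.relpath(p, etc).replace(os.sep, "/")) for kind, p in events]


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

Running the script prints three events (created rc.local, deleted ssh/sshd_config, modified passwd) and nothing for cache.tmp, which illustrates why exclusion priority matters: a noisy file that matches both lists is silently dropped from scope, so exclusion patterns should be kept narrow.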

Define file integrity monitoring rules for policies

Add file integrity monitoring rules to new or existing policies to define the policy target scope. Learn more about Container Security policies.
  1. Go to Cloud Security > Container Security > Configuration.
  2. On the Policy page, select an existing policy or click +Add.
  3. Under Runtime, select File integrity monitoring.
  4. Click +Add Rule to add file integrity monitoring rules to your policy.
  5. Define the target scope, including namespaces, pod labels, and container names, and then click Submit.
  6. Configure the scan schedule depending on your requirements.