File integrity monitoring detects file changes to critical areas of containers by comparing their current state to a pre-established baseline. It scans files for unexpected changes and logs an event if a deviation is found, providing visibility into potential security threats.
File integrity monitoring rules tell the scan engine which directories to monitor and which file names to include or exclude. You can use Trend-managed rules, which are predefined, or create your own custom rules to better suit your environment.

Enable file integrity monitoring

  • Amazon ECS: Create an ECS policy with file integrity monitoring rules and apply it to the clusters you want to protect.
    Note
    File integrity monitoring is a runtime feature. Ensure that the Runtime Security toggle is enabled at the cluster level before enabling file integrity monitoring.
  • Kubernetes: You can enable file integrity monitoring when you add a new cluster in Container Security or you can upgrade Helm chart for existing clusters by adding the following to the overrides.yaml file:
        fileIntegrityMonitoring:
            enabled: true
After file integrity monitoring is enabled and rules are added to a policy, you can view events in Cloud Security > Container Security > Log > File Integrity Monitoring when file changes occur.

Create custom, user-managed rules

  1. Go to Cloud Security > Container Security > Configuration.
  2. Click Object management and go to the File integrity monitoring rules page.
  3. Click +Add.
  4. Enter the rule name and description.
  5. Define the file scope by choosing whether to scan the container file system or the host file system.
    Note
    AWS Fargate environments do not have access to host file systems. Selecting "Host" excludes this rule from being applied to AWS Fargate environments.
    The rule scope determines what files are monitored.
    • Base directory(ies): Enter directories to monitor. You can specify multiple directories in a rule.
    • Filenames to include: Specify file name patterns to include in the scan.
    • Filenames to exclude: Specify file name patterns to exclude from the scan.
    Note
    Trend-managed rules cannot be modified or deleted but can be duplicated to create a new custom rule that can then be edited.
After creating custom rules, you can manage these rules from the File integrity monitoring rules page.
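The following is an added illustration, not part of this documentation and not Container Security's own scan engine: a minimal baseline-and-compare file integrity monitor in Python that applies a rule with the same three fields described above (base directories, file name patterns to include, file name patterns to exclude). The rule dictionary, the `etc` sample directory and the file contents are constructed for the demo; the real product's rule schema and event format are not assumed here. Exclusions take precedence over inclusions, and an empty include list matches every file, which is a common convention but an assumption on this page.

```python
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed rule with the three scope fields from the text (hypothetical structure).
RULE = {
    "name": "etc-config-watch",
    "base_directories": ["etc"],
    "include": ["*.conf", "*.yaml"],  # empty list would mean "include everything"
    "exclude": ["*.tmp"],             # exclusions win over inclusions
}


def matches(filename, rule):
    """Return True if the file name is in scope for the rule."""
    if any(fnmatch.fnmatch(filename, pat) for pat in rule["exclude"]):
        return False
    if not rule["include"]:
        return True
    return any(fnmatch.fnmatch(filename, pat) for pat in rule["include"])


def sha256_of(path):
    """Hash file contents in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_snapshot(root, rule):
    """Walk each base directory under root and hash every in-scope file.

    Keys are paths relative to root so a snapshot can be compared across runs.
    """
    snapshot = {}
    for base in rule["base_directories"]:
        for dirpath, _, filenames in os.walk(Path(root) / base):
            for name in filenames:
                if matches(name, rule):
                    full = Path(dirpath) / name
                    snapshot[str(full.relative_to(root))] = sha256_of(full)
    return snapshot


def compare(baseline, current):
    """Return (event, path) tuples for files that deviate from the baseline."""
    events = []
    for path in sorted(baseline.keys() | current.keys()):
        if path not in baseline:
            events.append(("created", path))
        elif path not in current:
            events.append(("deleted", path))
        elif baseline[path] != current[path]:
            events.append(("modified", path))
    return events


def demo():
    """Build a baseline, apply some constructed changes, and report the deviations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "app.conf").write_text("debug=false\n")
        (etc / "old.yaml").write_text("retired: true\n")
        (etc / "notes.tmp").write_text("scratch")          # excluded by *.tmp
        (etc / "keep.txt").write_text("not in include list")

        baseline = build_snapshot(root, RULE)

        # Constructed changes: one edit, one new file, one deletion, one excluded edit.
        (etc / "app.conf").write_text("debug=true\n")
        (etc / "db.yaml").write_text("host: db.internal\n")
        (etc / "old.yaml").unlink()
        (etc / "notes.tmp").write_text("changed but out of scope")

        return compare(baseline, build_snapshot(root, RULE))


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:9} {path}")
```

Running the script reports the modified `etc/app.conf`, the created `etc/db.yaml` and the deleted `etc/old.yaml`; the edit to `notes.tmp` is silent because the exclude pattern removes it from scope, and `keep.txt` never appears because it matches no include pattern. A production monitor would also persist the baseline outside the monitored container, since a baseline an attacker can rewrite proves nothing.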

Define file integrity monitoring rules for policies

Add file integrity monitoring rules to new or existing policies to define the policy target scope. Learn more about Container Security policies.
  1. Go to Cloud Security > Container Security > Configuration.
  2. On the Policy page, select an existing policy or click +Add.
  3. Under Runtime, select File integrity monitoring.
  4. Click +Add Rule to add file integrity monitoring rules to your policy.
  5. Define the target scope, and then click Submit.
    • For Kubernetes: Includes a namespace pattern, a container name pattern, and pod labels.
    • For Amazon ECS: Includes a container name pattern and task definition patterns.
  6. Configure the scan schedule depending on your requirements.