Description
The file_integrity module sends events when a file is changed (created, updated, or deleted) on disk. The events contain file metadata and hashes. This issue is intended to track dev issues/requirements to support Auditbeat's FIM capabilities with Elastic Agent.
Research Items
Before we start development of FIM with agent, we should consider any architectural changes that may be worth investing in, to avoid significant and/or breaking changes down the line. Examples include:
- Auditbeat does not capture 'who' accessed/modified/deleted a file, a basic requirement for FIM use cases. How do we capture the username? We currently use inotify (Linux), FSEvents (Mac) and ReadDirectoryChangesW (Windows). Are there alternative APIs we can use that will expose the user information for FIM events?
- Should we adopt fanotify for Linux FIM instead of inotify? Are there any performance improvements in doing so?
- FIM configuration is currently done within a yml file, which isn't user friendly, and we want to avoid this approach in this new integration. Can we ensure that settings exist within the integration to easily modify the configuration options? Could Endpoint Event Filters be an option to specify file paths to monitor, inclusions/exclusions, etc., possibly based on ECS file fields such as file.name and file.extension?
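To make the description concrete, here is an added example (not Auditbeat's file_integrity code) of the core a FIM module is built on: snapshot a directory tree, recording metadata and a SHA-256 hash per regular file, then diff two snapshots into created/updated/deleted events. The sample files and the directory layout are constructed inside the example. Note the gap the first research item raises: the event carries everything the file itself can tell us, but nothing about the user or process that changed it, because neither a scan nor inotify exposes that.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// FileState is the metadata and hash one FIM event carries for a file.
// There is deliberately no actor (user/pid) field: a scan, like inotify,
// sees only the file, not who touched it.
type FileState struct {
	Path   string // path relative to the monitored root
	Size   int64
	Mode   fs.FileMode
	SHA256 string // hex-encoded SHA-256 of the content
}

// Event is one created/updated/deleted change between two snapshots.
type Event struct {
	Action string    // "created", "updated" or "deleted"
	Path   string
	Old    FileState // zero value for "created"
	New    FileState // zero value for "deleted"
}

// hashFile streams the file through SHA-256 so large files stay out of memory.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Snapshot walks root and records metadata plus hash for every regular file.
func Snapshot(root string) (map[string]FileState, error) {
	states := map[string]FileState{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !d.Type().IsRegular() {
			return nil // skip directories, symlinks, devices
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		states[rel] = FileState{Path: rel, Size: info.Size(), Mode: info.Mode(), SHA256: sum}
		return nil
	})
	return states, err
}

// Diff compares two snapshots and emits one event per changed path.
// A change is reported when hash, size or mode differ; mtime alone is ignored
// so that a plain `touch` does not masquerade as an integrity event.
func Diff(before, after map[string]FileState) []Event {
	var events []Event
	for p, n := range after {
		o, existed := before[p]
		switch {
		case !existed:
			events = append(events, Event{Action: "created", Path: p, New: n})
		case o.SHA256 != n.SHA256 || o.Size != n.Size || o.Mode != n.Mode:
			events = append(events, Event{Action: "updated", Path: p, Old: o, New: n})
		}
	}
	for p, o := range before {
		if _, stillThere := after[p]; !stillThere {
			events = append(events, Event{Action: "deleted", Path: p, Old: o})
		}
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Path < events[j].Path })
	return events
}

// RunDemo creates a constructed directory, snapshots it, applies one change of
// each kind (update, delete, create) and returns the resulting events.
func RunDemo() ([]Event, error) {
	root, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(root)
	write := func(name, content string) error {
		return os.WriteFile(filepath.Join(root, name), []byte(content), 0o644)
	}
	check := func(e error) { // keep the first error, skip nothing silently
		if e != nil && err == nil {
			err = e
		}
	}
	check(write("a.txt", "original"))
	check(write("b.txt", "to be removed"))
	before, e := Snapshot(root)
	check(e)
	check(write("a.txt", "tampered!"))
	check(os.Remove(filepath.Join(root, "b.txt")))
	check(write("c.txt", "new file"))
	after, e := Snapshot(root)
	check(e)
	if err != nil {
		return nil, err
	}
	return Diff(before, after), nil
}

func main() {
	events, err := RunDemo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	for _, ev := range events {
		fmt.Printf("%-8s %s old=%.12s new=%.12s\n", ev.Action, ev.Path, ev.Old.SHA256, ev.New.SHA256)
	}
}
```

Running it prints one `updated` line for a.txt (both hash prefixes present), one `deleted` line for b.txt (only the old hash) and one `created` line for c.txt (only the new hash). Whatever API eventually replaces the polling scan here (fanotify on Linux reports the acting pid, inotify does not), the `FileState` struct is where a `user`/`process` field would have to be added for the "who" requirement above.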