Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Integrity Monitoring Rule 1002770 - UNIX - File Attributes Changes in /usr location has been split into separate rules

    • Updated:
    • 27 Jun 2017
    • Product/Version:
    • Deep Security 10.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Platform:
    • N/A N/A
Summary

The Integrity Monitoring (IM) Rule 1002770 - UNIX - File Attributes Changes in /usr location has been separated into two (2) different rules.

  • 1002770 - Unix - File Attributes Changes In /usr/bin And /usr/sbin Locations
  • 1008464 - Unix - File Attributes Changes In /usr/etc, /usr/lib, /usr/lib64, /usr/libexec And /usr/local Locations

The separation aims to achieve more selective monitoring and to help reduce noise. This article explains the two new rules in Deep Security.

Details
Public

The original rule "1002770 - UNIX - File Attributes Changes in /usr location" has monitored large amount of entities under the /usr/ directory. The following rules are modified to monitor files under specific directories only:

  • 1002770 - Unix - File Attributes Changes In /usr/bin And /usr/sbin Locations
    • /usr/bin/
    • /usr/sbin/
  • 1008464 - Unix - File Attributes Changes In /usr/etc, /usr/lib, /usr/lib64, /usr/libexec And /usr/local Locations
    • /usr/etc/
    • /usr/local/
    • /usr/lib/
    • /usr/lib64/
    • /usr/libexec/

You may notice the exclusion of /usr/share/ directory, which typically contains the highest number of files in the /usr/ directory. The said location can be optionally added in the configuration of Rule 1008464 as shown in the image below.

Adding /usr/share/ directory to Rule 1008464

Although these rules are now limited to specific directories under /usr/, both are still configurable. This allows better monitoring control as you can include or exclude any desired directories under /usr/. However, the option to include directory is only available in Rule 1008464. With this ability, it is possible to monitor all the entities similar to the previous behavior of the original Rule 1002770.

This approach decreases the amount of entities included in the baseline, as well as makes the system supervision more detailed, segregated, and controlled.

Premium
Internal
Rating:
Category:
Configure
Solution Id:
1117661
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.