Skip to main content

Monitoring Modes with Intezer Protect

  • Updated

Monitoring Modes

Intezer Protect supports multiple runtime monitoring modes to support a wide range of runtime environments.

By default, the sensor will try to use Audit mode if:

  • The kernel version is supported
  • The audit netlink socket is available
  • There are no preexisting audit rules

In any other case, the sensor will use Query mode.

Audit mode

This mode performs real-time monitoring of running code and file access activity using Linux Audit Framework.

Requirements

  • The following operating system:
      • Ubuntu LTS 16.04 and up
      • RHEL 8 and up
      • CentOS 8 and up
      • Amazon Linux 2 and up
  • Auditd or any other audit client should be disabled to allow access to the audit netlink socket
  • No existing audit rules

Query mode

This mode performs monitoring of code execution by sampling the /proc file system in a fixed rate.

Requirements

  • The following operating system:
    • Ubuntu LTS 14.04 and up
    • RHEL 6 and up
    • CentOS 6 and up
    • Amazon Linux 1 and up

Caveats

  • Short-living processes with runtime that is shorter than the sampling rate might be ignored
  • This mode does not support file access monitoring (FIM)
Return to top