File change detection

File change detection is a trigger that can be associated with a rule. It fires when a nominated file is modified, which includes the file being created or deleted.

Linux

The LinuxFileChangeTrigger class watches directories, rather than individual files, to detect changes to the files within them. When a file is created, edited, deleted or renamed, an event is generated. The class then checks whether the affected file is one nominated by a policy; if it is not, the event is ignored, but it is still logged for debugging.

A file refers to any named object within a Linux filesystem directory. It can include any of the following:

  • A regular file.

  • A subdirectory.

  • A symbolic link (the link itself, not the filesystem object being pointed to).

  • A socket.

  • A pipe.

  • A block device.

  • A character device.

Actions that can be detected on a file:

  • Creation.

  • Deletion.

  • Renaming (but see below).

  • Change of contents (when the file is closed).

  • Change of properties (e.g. permissions).

Read access to a file is not detected. Although it could be monitored, a read does not alter the file in any way.

  • In policy terms, a file is tracked by its path, not by the underlying filesystem object. If a monitored file is renamed or moved to another path, a trigger occurs, but the 1E Client then loses track of the file because it continues to monitor the original path. Conversely, if an unmonitored file is renamed to a monitored path, a trigger occurs when it arrives there. A file can be referenced by multiple policies, and each of them is notified of changes.

  • To avoid an excessive number of events from a frequently changing file, the 1E Client generates an event only if at least two seconds have passed since the previous event for that file. This interval is fixed and cannot be changed.

  • If the parent directory of a file doesn't exist when the 1E Client starts, the file can't be monitored immediately. Once the directory is created, the 1E Client will begin monitoring the file within about a minute. Changes that happen before monitoring begins are not reported.

  • Pseudo-filesystems such as /proc, /sys and /dev/pts cannot be monitored, so file changes in these locations go undetected. The API does not report an error when asked to monitor a path under /proc (for example /proc/1), but no events are generated when objects within /proc change. A policy that nominates such a path therefore appears to be working while never firing.
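The behaviour described above can be reproduced with the Linux inotify API. The following is an added example, not the 1E Client's own code: it watches the parent directory of a nominated path, keeps only events whose name matches that path (everything else is dropped, where the 1E Client would log it for debugging), and walks through the two rename cases in one run, showing that a rename away from the monitored path is seen once and then the file is lost, while a rename onto the monitored path is seen as an arrival. The fixed two-second spacing is modelled by a small debounce helper driven by caller-supplied timestamps. The directory prefix /tmp/fcd, the file names watched.txt and other.txt, and the function names are assumptions made for the example.

```c
// Added example (not 1E Client code): path-based file change detection on Linux
// using inotify. The watch is placed on the parent directory and events are
// filtered by name, which is why a renamed file is lost by a path-based policy.
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Kinds of change a policy cares about, as bit flags so a set can be returned. */
enum { CH_CREATE = 1, CH_DELETE = 2, CH_MOVED_FROM = 4, CH_MOVED_TO = 8,
       CH_CONTENT = 16, CH_ATTRIB = 32 };

/* Map an inotify mask onto the change kinds above. IN_ACCESS is never requested
   in the watch mask, so read access is not reported, matching the documentation. */
static int classify(uint32_t mask) {
    int k = 0;
    if (mask & IN_CREATE)      k |= CH_CREATE;
    if (mask & IN_DELETE)      k |= CH_DELETE;
    if (mask & IN_MOVED_FROM)  k |= CH_MOVED_FROM;
    if (mask & IN_MOVED_TO)    k |= CH_MOVED_TO;
    if (mask & IN_CLOSE_WRITE) k |= CH_CONTENT;  /* contents reported when the file is closed */
    if (mask & IN_ATTRIB)      k |= CH_ATTRIB;   /* permissions, ownership, timestamps */
    return k;
}

/* Drain every queued event and OR together the kinds seen for the nominated
   basename. Events for other names in the same directory are ignored. */
static int drain(int fd, const char *nominated) {
    char buf[4096] __attribute__((aligned(8)));
    int seen = 0;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) break;  /* EAGAIN: the queue is empty */
        for (char *p = buf; p < buf + n;) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->len && strcmp(ev->name, nominated) == 0)
                seen |= classify(ev->mask);
            p += sizeof *ev + ev->len;
        }
    }
    return seen;
}

/* Fixed 2000 ms minimum spacing between events for one file. Returns 1 if an
   event at now_ms should be emitted and records it; *last_ms starts at -1. */
int debounce_should_emit(long long *last_ms, long long now_ms) {
    if (*last_ms >= 0 && now_ms - *last_ms < 2000) return 0;
    *last_ms = now_ms;
    return 1;
}

/* End-to-end scenario in a fresh temporary directory (constructed input).
   Returns the kinds seen for "watched.txt" after create/write/close/chmod, or
   -1 on setup failure. The out-parameters capture the two rename cases. */
int run_scenario(int *seen_after_rename_away, int *seen_after_rename_onto) {
    char dir[] = "/tmp/fcdXXXXXX";  /* assumed scratch location */
    if (!mkdtemp(dir)) return -1;
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0) return -1;
    uint32_t mask = IN_CREATE | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO |
                    IN_CLOSE_WRITE | IN_ATTRIB;
    if (inotify_add_watch(fd, dir, mask) < 0) return -1;  /* watch the directory, not the file */

    char path[PATH_MAX], other[PATH_MAX];
    snprintf(path, sizeof path, "%s/watched.txt", dir);
    snprintf(other, sizeof other, "%s/other.txt", dir);

    /* 1. Create, write and close, then chmod: CREATE, CONTENT and ATTRIB for the nominated name. */
    int f = open(path, O_CREAT | O_WRONLY, 0600);
    (void)write(f, "x", 1); close(f);
    chmod(path, 0644);
    int seen = drain(fd, "watched.txt");

    /* 2. Rename away: one MOVED_FROM for the nominated name, then the file is lost.
          A later edit under the new name produces only events for "other.txt", which are filtered out. */
    rename(path, other);
    *seen_after_rename_away = drain(fd, "watched.txt");
    int g = open(other, O_WRONLY);
    (void)write(g, "y", 1); close(g);
    *seen_after_rename_away |= drain(fd, "watched.txt");

    /* 3. Rename an unmonitored file onto the nominated path: MOVED_TO when it arrives. */
    rename(other, path);
    *seen_after_rename_onto = drain(fd, "watched.txt");

    unlink(path); rmdir(dir); close(fd);
    return seen;
}
```

Because the watch is on the directory, the same watch also reports changes to a symlink, socket, FIFO or device node created under that directory; inotify identifies the object only by the name inside the event, which is exactly the path-based view the policy takes. A watch requested on a path under /proc or /sys succeeds in the same way but the kernel never queues events for it, so a caller cannot distinguish "quiet" from "unsupported" without testing the filesystem type first.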