Red Hat Advanced Cluster Security / ROX-32197

Expand File Activity Monitoring to RHEL and RHEL VMs


      Goal Summary:

      Traditional file integrity monitoring solutions like AIDE and raw auditd logs are insufficient. They tell customers that a critical file changed, but they lack the crucial security context, forcing teams to spend unacceptable amounts of time manually correlating low-level events to determine who made the change, which process made it, and why.

      We have developed a brand-new File Activity Monitoring solution based on eBPF that runs directly in the kernel, enabling deep, low-overhead observability.

      This solution moves beyond simple integrity checks to deliver complete, correlated contextual intelligence in real-time.

      This eBPF kernel functionality is the future of security monitoring, providing clear value not just for RHCOS, but for all RHEL and OCPVirt users. 

      Goals and expected user outcomes:

      • RHEL customers can install this functionality and benefit from it
      • OCPVirt users running RHEL VMs can install this functionality and benefit from it
      • Alerting from both of these platforms will be built in a similar fashion to ACS, with the intention that users can forward violations from any of these platforms to a SIEM.

      Acceptance Criteria:

      • Users can install the FIM agent in RHEL and OCPVirt
      • Node alerts are constructed identically to the ones in ACS

      Success Criteria or KPIs measured:

      TBD


Robby Cochran (rcochran@redhat.com)
Maria Simon Marcos (rh-ee-masimonm)