
Re: AIDE Information Overload



Hi all,

I'm not providing an answer, but rather asking another question on
this topic.

Which files do people exclude when using integrity checkers
(e.g. aide/tripwire etc)?

Under normal system use, certain files do change
(e.g. /etc/mtab, /dev/tty*).  Including these files in the integrity
checker's database will certainly produce spurious warnings about file
modification each time the checker is run.

So what files are safe to exclude?  Is it really necessary to check
for modifications to /usr/share/doc/* ?

I've used tripwire but haven't used aide, so if aide automatically
handles changeable system files this is a moot question.

Dion.

-- 
Dion's Maxim:  If you are ever surprised at just how stupid people can be,
               then you haven't understood Dion's Maxim.


