
Re: AIDE Information Overload



quietude@iinet.net.au (Dion Mendel) writes:

> I'm not providing an answer, but rather asking another question on this
> topic.
>
> Which files do people exclude when using integrity checkers (e.g.
> aide/tripwire etc)?
>
> Under normal system use, certain files do change (e.g. /etc/mtab,

That does? Maybe on your box if you're [u]mounting things a lot, I suppose,
but that's not always the case. If it causes you hassle, ignore it by all
means :8)

> /dev/tty*). Including these files in the integrity checker's database
> will certainly produce spurious warning about file modification each time
> the checker is run.
>
> So what files are safe to exclude? Is it really necessary to check for
> modifications to /usr/share/doc/* ?

I would say that it's possible a file could be created in any of those
directories (cf. where various trojans and worms and kits put their files
by default - /dev/.lib/, /usr/lib/ and so on), therefore it should be
checked.
Run aide frequently and keep the number of files changed down by refreshing
the database every time you dist-upgrade; also, get used to what it tells
you - e.g. /dev/console and a few others changing is indicative of a reboot,
and you soon get used to identifying that.

I've compromised on avoiding checking all of:

 | zsh/scr, potato  5:06PM # grep '^!' /etc/aide/aide.conf
 | !/var/log/snort
 | !/dev/pts
 | !/var/run
 | !/home

but anything else is most definitely being checked, with various
combinations of options as per the default config file.

> I've used tripwire but haven't used aide, so if aide automatically
> handles changeable system files this is a moot question.

It handles them if you set it up properly ;8)

~Tim
-- 
<http://spodzone.org.uk/>
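
As an added illustration of the trade-off discussed in this thread (not code from the original post, and not AIDE's own code), the following toy checker applies the four "!" exclusions from the aide.conf quoted above to a constructed directory tree. The rule semantics are simplified: AIDE treats a "!" line as a regex anchored at the start of the path, whereas this script does a whole-component prefix match. The file names and contents in the demo are constructed for the example. The point it shows is the one Tim makes: excluding /var/run and /home silences their routine churn, /etc/mtab still shows up as expected noise after a mount, and a file dropped into /usr/share/doc is still reported because that directory was not excluded.

```python
"""Toy AIDE-style integrity checker (added example, not from the thread or AIDE)."""
import hashlib
import tempfile
from pathlib import Path

# Exclusions copied from the aide.conf grep in the post; '!' means "do not check".
SAMPLE_CONF = """
!/var/log/snort
!/dev/pts
!/var/run
!/home
"""


def parse_excludes(conf_text):
    """Collect the paths named by '!' lines; other directives are ignored here."""
    excludes = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("!"):
            excludes.append(line[1:].strip("/"))
    return excludes


def is_excluded(relpath, excludes):
    """Whole-component prefix match: 'var/run' covers /var/run/x, not /var/runaway.
    (Simplification: real AIDE matches the pattern as a regex anchored at the start.)"""
    parts = relpath.strip("/").split("/")
    for ex in excludes:
        ex_parts = ex.split("/")
        if parts[: len(ex_parts)] == ex_parts:
            return True
    return False


def build_db(root, excludes):
    """Map every regular file under root (as a /-rooted path) to its SHA-256."""
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = "/" + path.relative_to(root).as_posix()
        if is_excluded(rel, excludes):
            continue
        db[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return db


def check(root, excludes, baseline):
    """Compare the tree against a baseline; report added, removed and changed paths."""
    current = build_db(root, excludes)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def _write(root, rel, data):
    p = Path(root) / rel.lstrip("/")
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed scenario: routine churn in excluded and non-excluded places,
    plus one unexpected file dropped under /usr/share/doc."""
    excludes = parse_excludes(SAMPLE_CONF)
    with tempfile.TemporaryDirectory() as root:
        # Baseline snapshot (the equivalent of building the database).
        _write(root, "/etc/mtab", b"/dev/hda1 / ext2 rw 0 0\n")
        _write(root, "/var/run/sshd.pid", b"123\n")
        _write(root, "/usr/share/doc/aide/README", b"docs\n")
        _write(root, "/home/tim/.zshrc", b"setopt extendedglob\n")
        baseline = build_db(root, excludes)

        # Later: mtab rewritten by a mount, pid file changed by a daemon restart,
        # a user edits a dotfile, and a hidden file appears under /usr/share/doc.
        _write(root, "/etc/mtab", b"/dev/hda1 / ext2 rw 0 0\nproc /proc proc rw 0 0\n")
        _write(root, "/var/run/sshd.pid", b"456\n")
        _write(root, "/home/tim/.zshrc", b"setopt extendedglob\nsetopt nobeep\n")
        _write(root, "/usr/share/doc/aide/.hidden", b"not docs\n")
        return check(root, excludes, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Running it reports /etc/mtab as changed and /usr/share/doc/aide/.hidden as added, while the /var/run and /home modifications are silent. That is the behaviour the config in the post is aiming for: exclude only the directories whose churn you have decided to accept, and keep everything else, including the "boring" ones, under watch.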
