RE: Tripwire
David Baron wrote:
> So ... I have this thing fairly stable. 14 /etc items seem to change daily
> due to their cron or daemon execution. Can live with this. (Results with
> alternatives such as aide should be similar--the ideal monitoring package
> would track upgrades and logrotations et al and not squawk at these.)
That seems odd - what items in /etc are changing?
> Right now, I have /var and /proc excluded because of their volatility. I
> assume there are specific items/directories in these which SHOULD be
> monitored. Can anyone tell me which ones?
/proc can safely be ignored. As for /var:
- Log files can grow in size, but should not change ownership or
permissions. This will also sound an alert if your logs are truncated.
- Watching the crontab spool would be a good idea to make sure no one's
slipped something nasty into root's crontab.
Adam
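
The advice in this reply, written out as a Tripwire policy fragment. This is an added example, not part of the original thread. The paths /var/log and /var/spool/cron/crontabs and the rule names are assumptions based on a Debian-style layout; `$(Growing)` and `$(ReadOnly)` are Tripwire's predefined property masks.

```text
# Added example (not from the original thread). Paths assume a Debian-style layout.

# /proc is a kernel-generated view, so stop Tripwire from descending into it.
!/proc ;

(
  rulename = "Log files",
  severity = 66
)
{
  # $(Growing) checks permissions, owner, group, inode and link count,
  # and flags a file whose size is smaller than in the baseline.
  # Plain growth is not reported; truncation and chown/chmod are.
  # Log rotation also shrinks files, so rotated logs will still be reported.
  /var/log -> $(Growing) ;
}

(
  rulename = "Crontab spool",
  severity = 100
)
{
  # $(ReadOnly) also checks size, modification time and content hashes,
  # so any edit to a user's crontab (root's included) is a violation.
  /var/spool/cron/crontabs -> $(ReadOnly) ;
}
```

After editing the plain-text policy, it has to be re-signed and the database updated before the new rules take effect.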