[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: Tripwire

David Baron wrote:

> So ... I have this thing fairly stable. 14 /etc items seem to change daily
> due to their chron or daemon execution. Can live with this. (Results with
> alternatives such as aide should be similar--the ideal monitoring package
> would track upgrades and logrotations et al  and not squawk at these.)

That seems odd - what items in /etc are changing?

> RIght now, I have /var and /proc excluded because of their volativity. I
> assume there are specific items/directories in these which SHOULD be
> monitored. Can anyone tell me which ones?

/proc can safely be ignored. As for /var:

- Log files can grow in size, but should not change ownership or
permissions. This will also sound an alert if your logs are truncated.

- Watching the crontab spool would be a good idea to make sure no one's
slipped something nasty into root's crontab.


Reply to: