
RE: Tripwire



David Baron wrote:

> So ... I have this thing fairly stable. 14 /etc items seem to change daily
> due to their cron or daemon execution. Can live with this. (Results with
> alternatives such as aide should be similar--the ideal monitoring package
> would track upgrades and logrotations et al and not squawk at these.)

That seems odd - what items in /etc are changing?

> Right now, I have /var and /proc excluded because of their volatility. I
> assume there are specific items/directories in these which SHOULD be
> monitored. Can anyone tell me which ones?

/proc can safely be ignored. As for /var:

- Log files can grow in size, but should not change ownership or
permissions. This will also sound an alert if your logs are truncated.

- Watching the crontab spool would be a good idea to make sure no one's
slipped something nasty into root's crontab.

Adam
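
The two /var checks from the reply above, sketched in Python as an added example (not part of the original message and not Tripwire's own code): a log may grow but must keep its owner, group and mode and must not shrink, while a crontab must not change at all. The function names and the temporary sample files are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(path):
    """Record the attributes that must stay fixed, plus size and a content hash."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "sha256": digest}

def check(path, base, growing):
    """Compare path with its baseline; growing=True tolerates appended data."""
    try:
        now = snapshot(path)
    except FileNotFoundError:
        return ["missing"]
    problems = [k for k in ("uid", "gid", "mode") if now[k] != base[k]]
    if growing:
        if now["size"] < base["size"]:      # a log that shrank was truncated
            problems.append("truncated")
    elif now["sha256"] != base["sha256"]:   # read-only files must match exactly
        problems.append("content")
    return problems

def demo():
    """Constructed sample files in a temp dir stand in for a log and root's crontab."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log, cron = os.path.join(d, "auth.log"), os.path.join(d, "root")
        for p, text in ((log, "line 1\n"), (cron, "0 3 * * * /usr/sbin/logrotate\n")):
            with open(p, "w") as f:
                f.write(text)
            os.chmod(p, 0o600)
        base_log, base_cron = snapshot(log), snapshot(cron)
        with open(log, "a") as f:            # normal growth: no finding expected
            f.write("line 2\n")
        results["log grew"] = check(log, base_log, growing=True)
        os.chmod(log, 0o666)                 # permission change on the log
        results["log chmod"] = check(log, base_log, growing=True)
        open(log, "w").close()               # truncate the log to zero bytes
        results["log truncated"] = check(log, base_log, growing=True)
        with open(cron, "a") as f:           # any edit to the crontab is a finding
            f.write("@daily /bin/true\n")
        results["crontab edited"] = check(cron, base_cron, growing=False)
    return results
```

Calling `demo()` returns the findings per scenario; an empty list means the file passed its check.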


