On Thu, 23 Sep 2004, David Baron wrote:
> Right now, I have /var and /proc excluded because of their volatility. I
> assume there are specific items/directories in these which SHOULD be
> monitored. Can anyone tell me which ones?
every directory should be monitored ... no exceptions
because things change in /tmp and /var ...
- that is precisely why the script kiddies use scripts that
put (hide) their trojans in those directories since it's constantly
- best monitor would be:
- do a good/better job of hardening your servers .. instead of
depending on tools that may work in some instances and fail in
other cases ( at least a better job of protecting it than the script
kiddies attacking your boxes )
- the attacker will exploit your weakest point in the server
( directories you probably will not be watching due to their clutter )
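As an added example (not code from either poster in this thread), here is a minimal Python baseline-and-verify routine in the spirit of the advice above: it walks everything under a root, including volatile paths such as tmp/ and var/ instead of excluding them, hashes every regular file, records symlink targets and mode bits, and diffs a later scan against the baseline. The directory layout, file names and the "post-compromise" changes in demo() are constructed for the illustration.

```python
"""Minimal file-integrity baseline/verify over a directory tree.

Added illustration (not code from the mailing-list posters): build a
baseline of every regular file and symlink under a root, without
excluding volatile directories, then diff a later scan against it.
All paths and sample files below are constructed for the demo.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One record per entry: (sha256 hex digest, mode bits, size in bytes)
Record = Tuple[str, int, int]


def _digest(path: str) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Record]:
    """Record every regular file and symlink below root, keyed by relative path.

    Symlinks are not followed; their target string is hashed instead, so a
    link redirected to another file shows up as a modification.
    """
    baseline: Dict[str, Record] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            if stat.S_ISLNK(st.st_mode):
                target = os.readlink(full).encode()
                baseline[rel] = (hashlib.sha256(target).hexdigest(), st.st_mode, st.st_size)
            elif stat.S_ISREG(st.st_mode):
                baseline[rel] = (_digest(full), st.st_mode, st.st_size)
    return baseline


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Return sorted lists of added, removed and modified relative paths."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline, then a file dropped in tmp/ and a binary altered."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    binary = os.path.join(root, "usr", "bin", "ls")
    with open(binary, "w") as f:
        f.write("#!/bin/sh\necho original\n")
    os.chmod(binary, 0o755)
    with open(os.path.join(root, "tmp", "session.log"), "w") as f:
        f.write("benign\n")

    before = build_baseline(root)

    # Simulated later state: a new dotfile in tmp/ (the kind of "clutter"
    # an exclusion would hide) and the binary replaced with different
    # content and a setuid mode bit.
    with open(os.path.join(root, "tmp", ".hidden"), "w") as f:
        f.write("dropped\n")
    with open(binary, "w") as f:
        f.write("#!/bin/sh\necho replaced\n")
    os.chmod(binary, 0o4755)

    after = build_baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Running the module prints one line per category; in the constructed scenario the dotfile under tmp/ is reported as added and usr/bin/ls as modified, which is exactly what an exclusion of tmp/ would have hidden. In real use the baseline would be written out to read-only or off-host storage after a clean install and the diff scheduled, since a baseline the attacker can rewrite proves nothing.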