[EMAIL PROTECTED] (Dion Mendel) writes:

> I'm not providing an answer, but rather asking another question on this
> topic.
>
> Which files do people exclude when using integrity checkers (e.g.
> aide/tripwire etc)?
>
> Under normal system use, certain files do change (e.g. /etc/mtab,

That does? Maybe on your box if you're [u]mounting things a lot, I suppose, but that's not always the case. If it causes you hassle, ignore it by all means :8)

> /dev/tty*). Including these files in the integrity checker's database
> will certainly produce spurious warnings about file modification each time
> the checker is run.
>
> So what files are safe to exclude? Is it really necessary to check for
> modifications to /usr/share/doc/* ?

I would say that it's possible a file could be created in any of those directories (cf. where various trojans and worms and kits put their files by default - /dev/.lib/, /usr/lib/ and so on), therefore it should be checked.

Run aide frequently and keep the number of files changed down by refreshing the database every time you dist-upgrade; also, get used to what it tells you - e.g. /dev/console and a few others changing is indicative of a reboot, you soon get used to identifying that.

I've compromised on avoiding checking all of:

| zsh/scr, potato 5:06PM # grep '^!' /etc/aide/aide.conf
| !/var/log/snort
| !/dev/pts
| !/var/run
| !/home

but anything else is most definitely being checked, with various combinations of options as per the default config file.

> I've used tripwire but haven't used aide, so if aide automatically
> handles changeable system files this is a moot question.

It handles them if you set it up properly ;8)

~Tim
-- 
<http://spodzone.org.uk/>
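The point made in the thread, that an excluded directory is one where a dropped file goes unnoticed, while a refreshed baseline keeps expected churn (reboot-style changes, excluded runtime state) from drowning the report, can be shown with a small integrity checker. This is an added example and not aide's or tripwire's code: it hashes a constructed directory tree, honours aide-style `!` exclusion prefixes (a simplification; real aide rules are regular expressions with per-rule attribute sets), and diffs a later scan against the baseline. Paths are relative to a temporary root rather than the real `/`, and the file contents and the "dropped" file name are constructed.

```python
"""Toy aide-style integrity checker: baseline, rescan, report. Added example,
not aide's own implementation; exclusion matching is a prefix simplification."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed exclusion list, mirroring the shape of the '!' lines in the thread.
# Paths are relative to the scanned root here, not the real '/'.
EXCLUDES = ["!var/log/snort", "!dev/pts", "!var/run", "!home"]


def is_excluded(relpath: str, excludes) -> bool:
    """True if relpath is one of the excluded paths or lives underneath one."""
    for rule in excludes:
        prefix = rule.lstrip("!")
        if relpath == prefix or relpath.startswith(prefix + "/"):
            return True
    return False


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, excludes=EXCLUDES) -> dict:
    """Walk root and record (digest, mode, size) per file, skipping excluded paths."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune excluded directories so they are never descended into.
        dirnames[:] = [d for d in dirnames
                       if not is_excluded(os.path.join(rel_dir, d), excludes)]
        for name in filenames:
            rel = os.path.join(rel_dir, name)
            if is_excluded(rel, excludes):
                continue
            p = Path(dirpath) / name
            st = p.lstat()
            db[rel] = (sha256_of(p), st.st_mode, st.st_size)
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or changed, like a checker's report."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys()
                     if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo(excludes=EXCLUDES) -> dict:
    """Build a constructed tree, take a baseline, then apply three kinds of change:
    a mode flip on dev/console (reboot-style noise), a new file under
    usr/share/doc (the case the thread argues must be caught), churn in an
    excluded directory, and one deleted file. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",  # constructed
            "dev/console": b"",
            "usr/share/doc/aide/README": b"aide docs\n",
            "var/run/utmp": b"old",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
            os.chmod(root / rel, 0o644)  # fixed mode so the later change is deterministic
        baseline = scan(root, excludes)

        os.chmod(root / "dev/console", 0o620)                      # mode change only
        (root / "usr/share/doc/aide/.hidden").write_bytes(b"x\n")  # constructed drop
        (root / "var/run/utmp").write_bytes(b"new")                # excluded churn
        (root / "etc/passwd").unlink()                             # removal
        return compare(baseline, scan(root, excludes))


if __name__ == "__main__":
    print("default excludes:", demo())
    print("also excluding usr/share/doc:", demo(EXCLUDES + ["!usr/share/doc"]))
```

With the thread's style of exclusions the report lists the dropped file under `usr/share/doc` as added, `etc/passwd` as removed and `dev/console` as changed, while the rewritten `var/run/utmp` never appears. Adding `!usr/share/doc` to the list makes the dropped file vanish from the report entirely, which is exactly the trade-off the reply warns about.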