[Aide] Which files to monitor?
GARY GENDEL
ggendel at sarnoff.com
Mon Aug 8 15:11:16 EEST 2005
You can do what I did for Solaris.
Start by tagging all relevant directories for analysis. /, /etc,
/dev, /usr, /var, etc. You can put obvious work file directories in an
exclusion rule.
Then you get one huge report on the next day's run. Analyze the report and
add rules to exclude files and directories that are "working" files
(change frequently).
Over the next few months, you'll get the occasional alarms. Make sure
they are not real problems, and then add them to your list.
The problem with taking someone else's rules is that I know of no one that
has an out-of-the-box setup.
The only bad thing about this "blind" approach is that your database
will contain lots of non-critical files, so the runs take a bit longer.
However, I'd rather have this than miss something. In addition, when
you install something new, you know exactly what it touched.
Good Luck.
Sonixxfx wrote:
> Hi,
>
> I would like to use Aide but I'm wondering which files I should
> monitor on my Linux system. I know there are important files that
> should be monitored like /etc/passwd for example, but I am wondering
> how I should handle the other files. There are so many of them and
> many are changed after each system update, so monitoring them would be
> difficult, and every one of them could contain malicious code.
>
> So can someone explain to me how I should handle this?
>
> Thanks for your help.
>
> Regards,
>
> Ben
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>
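The "tag everything, then exclude working files" procedure from the reply above, written out as an aide.conf skeleton. This is an added example, not part of the original message or the AIDE project's own configuration; the database and report paths, the rule group names, and the sample exclusions are assumptions to be adjusted to your system.

```conf
# Added example: aide.conf skeleton for the blind-tagging approach.
# Database/report paths are assumptions; AIDE 0.17+ spells the first
# option "database_in" instead of "database".
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
gzip_dbout=yes
report_url=file:/var/log/aide/aide.log
report_url=stdout

# Rule groups (user-defined names): which attributes are recorded.
# p=perms i=inode n=link count u=uid g=gid s=size m=mtime c=ctime
# S=size may only grow (suitable for logs)  md5/sha1=checksums
FULL  = p+i+n+u+g+s+m+c+md5+sha1
PERMS = p+i+n+u+g
LOG   = p+u+g+i+n+S

# Step 1: tag every relevant tree with the strict rule. A selection
# line is a regex anchored at the start of the path.
/     FULL
/etc  FULL
/usr  FULL
/var  FULL
# Device nodes: content is meaningless, ownership and mode are not.
/dev  PERMS

# Step 2: obvious work areas go in negative ("!") selection lines
# before the first run, so they never enter the database.
!/proc
!/sys
!/tmp
!/var/tmp
!/var/run
!/var/lock
!/var/cache
!/var/spool

# Step 3: after the first huge report, handle the "working" files it
# flagged. Prefer a weaker rule over a full exclusion where the file
# still has attributes worth checking (sample entries, constructed).
/var/log LOG
!/var/log/wtmp
!/var/lib/apt/lists
!/root/\.bash_history
```

How AIDE resolves a file that matches several regular selection lines (here /var and /var/log) has varied between versions, so confirm the effective rule for such paths with a test run before trusting the quieter report.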