[Aide] Directories and files that often change

Eric Webster ewebster at 2co.com
Tue Jan 2 21:24:45 EET 2007


Glad I could help. Here are some example rules that might help:
 
Default = p+i+n+u+g+s+b+m+c+md5+sha1
C       = p+i+n
T       = p+i+u+g
Y       = i+n
# No check for MTIME/CTIME.
Z       = p+i+n+u+g+s+b+md5+sha1
# No mtime/ctime/link count - useful for /proc
P       = p+i+u+g+s+b+md5+sha1
# files that frequently get replaced
Q       = p+u+g
# files that change frequently
F       = p+i+n+u+g
# Windows default, don't monitor inodes or virtually every file will change
W       = p+n+u+g+s+b+m+c+md5+sha1
WF      = p+n+u+g+s+b
WZ      = p+n+u+g+s+b+md5+sha1
WU      = p+n+s+b+md5+sha1
# Windows Equivalent of Growing logfile ">"
WL      = p+u+g+n+S

(If you're curious about the Windows rules, it's for monitoring a Windows
2003 server using Cygwin. It actually works!)
 

Eric Webster
Enterprise Services
2CheckOut.com 

 


  _____  

From: Sonixxfx [mailto:sonixxfx at gmail.com] 
Sent: Tuesday, January 02, 2007 2:13 PM
To: ewebster at 2co.com; Aide user mailinglist
Subject: Re: [Aide] Directories and files that often change


Yes, this has helped!

Thank you Eric. I am already setting up aide to monitor as much as possible,
but I still was wondering about ignoring all these files and directories
because it is mentioned a lot.
So I am already on the right track, it only takes a bit of effort to create
some of the rules, but I am getting there. 

Regards,

Ben



2007/1/2, Eric Webster <ewebster at 2co.com>: 

Well that would be a nice entry point for an attacker really. They could
add/do what they want within the folder and your IDS wouldn't show. I try to
avoid monitoring whenever possible. Make some really fancy regexps for the
files within it and reduce monitoring of those files to a minimum, such as
Permissions and Groups for example. This way you still get to pick up new
and deleted files within the directory. It might take awhile to get them all
depending on the contents of the directory, but you could also add a rule to
ignore/minimally monitor ever file in it. Hope this helps.
 

Eric Webster
Enterprise Services
2CheckOut.com 

 


  _____  

From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf Of
Sonixxfx
Sent: Tuesday, January 02, 2007 1:10 PM
To: Aide user mailinglist
Subject: [Aide] Directories and files that often change



Hi,

I wonder what I should do with files and directories that often change. I
know some people ignore these entirely, but can someone tell me what the
risk of doing that would be?

Thanks

Ben



_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.cs.tut.fi/pipermail/aide/attachments/20070102/62e62d93/attachment.html 


More information about the Aide mailing list