[Aide] Directories and files that often change
Eric Webster
ewebster at 2co.com
Tue Jan 2 21:24:45 EET 2007
Glad I could help. Here are some example rules that might help:
Default = p+i+n+u+g+s+b+m+c+md5+sha1
C = p+i+n
T = p+i+u+g
Y = i+n
# No check for MTIME/CTIME.
Z = p+i+n+u+g+s+b+md5+sha1
# No mtime/ctime/link count - useful for /proc
P = p+i+u+g+s+b+md5+sha1
# files that frequently get replaced
Q = p+u+g
# files that change frequently
F = p+i+n+u+g
# Windows default, don't monitor inodes or virtually every file will change
W = p+n+u+g+s+b+m+c+md5+sha1
WF = p+n+u+g+s+b
WZ = p+n+u+g+s+b+md5+sha1
WU = p+n+s+b+md5+sha1
# Windows Equivalent of Growing logfile ">"
WL = p+u+g+n+S
(If you're curious about the Windows rules, it's for monitoring a Windows
2003 server using Cygwin. It actually works!)
Eric Webster
Enterprise Services
2CheckOut.com
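As an added illustration (not code from this thread and not AIDE's own code), the toy checker below parses rule definitions in the form shown above, applies them to a constructed file tree through regex selection lines in the spirit of the "fancy regexps" advice in the earlier reply, and reports what each rule catches and what it deliberately lets through. The `!regex` ignore syntax, the first-match-wins precedence and the constructed config and files are assumptions of this example, not a reproduction of AIDE's own semantics.

```python
import hashlib
import os
import re
import stat
import tempfile

# Attribute letters understood by this toy (the ones used in the rules in the thread).
KNOWN = {"p", "i", "n", "u", "g", "s", "b", "m", "c", "md5", "sha1"}


def parse_config(text):
    """Parse rule definitions ('Q = p+u+g') and selection lines.

    Selection lines are '<regex> <rule>' or '!<regex>' (ignore).  Matching is
    first-match-wins, anchored at the start of the path; this is an assumption
    of the toy, not AIDE's actual precedence rules.
    """
    rules, selections = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):
            selections.append((re.compile(line[1:].strip()), None))
        elif line.startswith("/"):
            pattern, rule = line.split()
            selections.append((re.compile(pattern), rules[rule]))
        else:
            name, rhs = (part.strip() for part in line.split("=", 1))
            attrs = set()
            for tok in (t.strip() for t in rhs.split("+")):
                if tok in rules:              # a rule may be built from earlier rules
                    attrs |= rules[tok]
                elif tok in KNOWN:
                    attrs.add(tok)
                else:
                    raise ValueError(f"unknown attribute {tok!r} in rule {name}")
            rules[name] = frozenset(attrs)
    return rules, selections


def attrs_for(path, selections):
    """Attribute set for a path, or None if it is ignored / selected by no line."""
    for pattern, attrs in selections:
        if pattern.match(path):
            return attrs
    return None


def record(path, attrs):
    """Capture only the attributes the rule asks for, like a database entry."""
    st = os.lstat(path)
    getters = {
        "p": lambda: stat.S_IMODE(st.st_mode), "i": lambda: st.st_ino,
        "n": lambda: st.st_nlink, "u": lambda: st.st_uid, "g": lambda: st.st_gid,
        "s": lambda: st.st_size, "b": lambda: st.st_blocks,
        "m": lambda: st.st_mtime_ns, "c": lambda: st.st_ctime_ns,
    }
    rec = {a: getters[a]() for a in attrs if a in getters}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            data = fh.read()
        for h in ("md5", "sha1"):
            if h in attrs:
                rec[h] = hashlib.new(h, data, usedforsecurity=False).hexdigest()
    return rec


def scan(root, selections):
    """Walk root; paths are reported relative to it with a leading '/'."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            vpath = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            attrs = attrs_for(vpath, selections)
            if attrs is not None:
                db[vpath] = record(full, attrs)
    return db


def compare(baseline, current):
    """Added/removed paths, plus which recorded attributes differ per surviving path."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diffs = sorted(a for a in baseline[path] if baseline[path][a] != current[path].get(a))
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


# Constructed config: two rules from the thread plus selection lines for a fake tree.
CONFIG = """
Default = p+i+n+u+g+s+b+m+c+md5+sha1
Q = p+u+g
!/cache           # churns constantly: ignored entirely, so nothing here is ever reported
/app\\.log$ Q     # grows all day: only permissions and ownership are tracked
/ Default         # everything else gets the full rule
"""


def demo():
    """Constructed scenario: take a baseline, then apply the kinds of churn discussed."""
    _rules, selections = parse_config(CONFIG)
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        write("app.log", b"line 1\n")
        write("bin/tool", b"#!/bin/sh\necho ok\n")
        write("cache/session", b"x")
        write("old.conf", b"keep=1\n")
        baseline = scan(root, selections)
        with open(os.path.join(root, "app.log"), "ab") as fh:   # log grows: not reported under Q
            fh.write(b"line 2\n")
        write("bin/tool", b"#!/bin/sh\necho changed\n")          # content edit: reported under Default
        write("cache/session", b"yy")                           # ignored churn: invisible
        write("bin/extra", b"new file")                         # new file: reported as added
        os.remove(os.path.join(root, "old.conf"))               # deletion: reported as removed
        return compare(baseline, scan(root, selections))


if __name__ == "__main__":
    print(demo())
```

The point the run makes is the trade-off in the thread: under `Q` the growing log produces no noise, but a rewrite of that same file with unchanged permissions and ownership would be equally silent, and anything under the ignored directory is never seen at all; the full rule on the rest of the tree still reports the edited binary, the new file and the deleted file.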
_____
From: Sonixxfx [mailto:sonixxfx at gmail.com]
Sent: Tuesday, January 02, 2007 2:13 PM
To: ewebster at 2co.com; Aide user mailinglist
Subject: Re: [Aide] Directories and files that often change
Yes, this has helped!
Thank you Eric. I am already setting up aide to monitor as much as possible,
but I still was wondering about ignoring all these files and directories
because it is mentioned a lot.
So I am already on the right track, it only takes a bit of effort to create
some of the rules, but I am getting there.
Regards,
Ben
2007/1/2, Eric Webster <ewebster at 2co.com>:
Well that would be a nice entry point for an attacker really. They could
add/do what they want within the folder and your IDS wouldn't show. I try to
avoid monitoring whenever possible. Make some really fancy regexps for the
files within it and reduce monitoring of those files to a minimum, such as
Permissions and Groups for example. This way you still get to pick up new
and deleted files within the directory. It might take a while to get them all
depending on the contents of the directory, but you could also add a rule to
ignore/minimally monitor every file in it. Hope this helps.
Eric Webster
Enterprise Services
2CheckOut.com
_____
From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf Of
Sonixxfx
Sent: Tuesday, January 02, 2007 1:10 PM
To: Aide user mailinglist
Subject: [Aide] Directories and files that often change
Hi,
I wonder what I should do with files and directories that often change. I
know some people ignore these entirely, but can someone tell me what the
risk of doing that would be?
Thanks
Ben
_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide