[Aide] Directories and files that often change

Marc Haber mh+aide at zugschlus.de
Tue Jan 2 22:04:20 EET 2007


On Tue, Jan 02, 2007 at 02:01:52PM -0500, Eric Webster wrote:
> Well that would be a nice entry point for an attacker really. They could
> add/do what they want within the folder and your IDS wouldn't show. I try to
> avoid monitoring whenever possible. Make some really fancy regexps for the
> files within it and reduce monitoring of those files to a minimum, such as
> Permissions and Groups for example. This way you still get to pick up new
> and deleted files within the directory. It might take a while to get them all
> depending on the contents of the directory, but you could also add a rule to
> ignore/minimally monitor every file in it. Hope this helps.

I agree with you here.

Maybe the configuration of the Debian aide packages can help as an
example. The public svn shows them at
http://svn.debian.org/wsvn/pkg-aide/trunk/debian/aide.conf.d/?rev=0&sc=0
and
http://svn.debian.org/wsvn/pkg-aide/trunk/debian/aide.conf.zg2.d/?rev=0&sc=0

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
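
Added example, not part of the original messages and not taken from the Debian package configuration: an aide.conf fragment contrasting an outright exclusion of a frequently changing directory with the reduced-attribute monitoring discussed in this thread. The path /var/cache/exampleapp and the group name Volatile are hypothetical.

```conf
# Constructed aide.conf fragment. /var/cache/exampleapp and the group
# name "Volatile" are assumptions chosen for illustration.

# Weak: a negative selection line removes the whole tree from the
# database. Files added to or removed from it never show up in a report.
#
#   !/var/cache/exampleapp

# Reduced attribute set: permissions (p) and group (g) only.
# Size, timestamps and checksums are left out because the contents
# are expected to change between runs.
Volatile = p+g

# The directory itself. The trailing $ keeps this rule from matching
# anything below it. Directory mtime is not in the group, so routine
# churn inside the directory does not flag the directory entry.
/var/cache/exampleapp$ Volatile

# Every entry below the directory. Each one is still recorded in the
# database, so AIDE lists new files under added entries and missing
# files under removed entries, and reports a change of mode or group.
/var/cache/exampleapp/ Volatile

# Where the file names are predictable, the catch-all line above can be
# replaced by tighter regular expressions, one per kind of file, as the
# quoted message suggests.
```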

