[Aide] Which files to monitor?

[Sonixxfx]

Thanks Gary for your response. I am going to follow your advice, it
seems a good solution.

Regards,

Ben

On 8/8/05, GARY GENDEL <ggendel at sarnoff.com> wrote:
> You can do what I did for Solaris.
> 
> Start by a tagging all relevant directories for analysis.  /, /etc,
> /dev, /usr, /var, etc.  You can put obvious work file directories in an
> exclusion rule.
> 
> Then you get one huge report the next day's run.  Analyze the report and
> add rules to exclude files and directories that are "working" files
> (change frequently).
> 
> Over the next few months, you'll get the occational alarms.  Make sure
> they are not real problems, and then add them to your list.
> 
> The problem of taking someone elses rules are that I know of no one that
> has out-of-the-box set up.
> 
> The only bad thing about this "blind" approach is that you're database
> will contain lots of non-critical files, so the runs take a bit longer.
>   However, I'd rather have this than miss something.  In addition, when
> you install something new, you know exactly what it touched.
> 
> Good Luck.
> 
> Sonixxfx wrote:
> > Hi,
> >
> > I would like to use Aide but I'm wondering which files I should
> > monitor on my Linux system. I know there are important files that
> > should be monitored like /etc/passwd for example, but I am wondering
> > how I should handle the other files. There are so many of them and
> > many are changed after each system update, so monitoring them would be
> > difficult, and everyone of them could contain malicious code.
> >
> > So can someone explain to me how I should handle this?
> >
> > Thanks for your help.
> >
> > Regards,
> >
> > Ben
> > _______________________________________________
> > Aide mailing list
> > Aide at cs.tut.fi
> > https://mailman.cs.tut.fi/mailman/listinfo/aide
> >
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>