[Aide] Excluding directories
Hannes von Haugwitz
hannes at vonhaugwitz.com
Sat Nov 11 19:11:57 EET 2023
On Tue, Oct 24, 2023 at 10:27:11AM -0700, Jeffrey Shepherd wrote:
> Are these recommendations valid? What are the implications of omitting
> /opt, /run, and /var? I know (for example) with !/opt an attacker
> could come in and place a rootkit in /opt.
It depends...
If you want to monitor a system for malicious file changes, it might not
be a good idea to exclude such directories.
Writing an aide configuration is time-consuming and a lot of work if
you want to reduce false-positive reports of changed files to a minimum.
The Debian/Ubuntu package, for example, provides a large number of
fine-grained rules for numerous packages[0].
Best regards
Hannes
[0] https://salsa.debian.org/debian/aide/-/tree/master/debian/aide.conf.d
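As an added illustration (not part of the original thread and not taken from the
aide project or the Debian rules linked above), the fragment below contrasts the
blanket "!/opt" exclusion asked about with a configuration that keeps /opt and
most of /var under watch and excludes only the parts that churn by design. It
assumes aide 0.17 or later (database_in/database_out option names) and uses
example paths that you would adapt to your own system; rule names FULL, DIR and
LOG are defined here, not predefined by aide.

```conf
# Added example aide.conf, not from the thread or the aide project.
# Assumes aide >= 0.17; paths and rule names are illustrative.
database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
report_url=stdout

# Rule groups: attribute letters are aide's (p perms, i inode, n links,
# u owner, g group, s size, m mtime, c ctime, S "may grow but not shrink").
FULL = p+i+n+u+g+s+m+c+sha256
DIR  = p+i+n+u+g
LOG  = p+u+g+i+n+S

# Weak: silences everything under /opt, including an attacker's drop there.
# !/opt

# Better: /opt changes only when software is installed, so every report
# from here is a real event worth reviewing.
/opt FULL

# /run is a tmpfs rebuilt at boot; comparing it against a database only
# produces noise, so excluding it outright is reasonable.
!/run

# /var: exclude the parts that change on every run, watch the rest.
# Negative lines are checked before any other selection line, so these
# win regardless of where they appear.
!/var/cache
!/var/tmp
!/var/lib/apt/lists
!/var/lib/aide/aide\.db(\.new)?$

# The /var directory itself (no recursion), then the subtrees explicitly,
# so no two regular lines compete for the same path.
=/var DIR
/var/lib FULL
/var/spool FULL
/var/log LOG
```

Run "aide --config=/etc/aide/aide.conf --init" once, move aide.db.new over
aide.db, then "aide --check" on a schedule; the exclusions above are the
first place to look when a check reports changes that turn out to be
expected, rather than reaching for a top-level "!/var".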