[Aide] Excluding directories
Jeffrey Shepherd
shepherd at spawar.navy.mil
Tue Oct 24 20:27:11 EEST 2023
I used AIDE as a STIG requirement and use it for the most part in its default configuration. I came across some OpenStack documentation that makes the following notes:
# The default Ubuntu configuration for AIDE will cause it to wander into some
# terrible places on the system, such as /var/lib/lxc and images in /opt.
# The following three default exclusions are highly recommended for AIDE to
# work properly, but additional exclusions can be added to this list if needed.
security_aide_exclude_dirs:
- /openstack
- /opt
- /run
- /var
Are these recommendations valid? What are the implications of omitting /opt, /run, and /var? I know (for example) with !/opt an attacker could come in and place a rootkit in /opt. But couldn’t an attacker just check aide.conf and find an excluded directory to put their rootkit in?
v/r
Jeff Shepherd
shepherd at spawar.navy.mil
FS: jeffrey.k.shepherd.ctr at us.navy.mil
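As an added example, not part of the original post and not code from AIDE, Ubuntu or the OpenStack documentation: the script below models how AIDE's selection lines decide whether a path is checked, so you can see what the four negative lines in that YAML list actually cost you. The aide.conf fragment and the candidate paths are constructed for illustration (the fragment is not the Ubuntu default config); the matching model is a simplification (a path is monitored if some positive line matches it and no negative line does; equals lines, rule order and AIDE's depth handling are not modelled). Two things the model does reproduce: a negative line silently overrides a positive one for the same tree (so `!/opt` makes `/opt NORMAL` a no-op), and selection regexes are matched from the start of the path without an end anchor, so `!/opt` also swallows `/optical` and `!/var` swallows `/variant`. The `(/|$)` suffix in `TIGHTENED_CONF` is my suggested way to limit an exclusion to the directory and its contents.

```python
import re

# Constructed aide.conf fragment for this example only. It is not the Ubuntu
# default configuration or the OpenStack one; the four negative lines are the
# ones listed in the post.
SAMPLE_AIDE_CONF = """\
database_in=file:/var/lib/aide/aide.db
NORMAL = p+i+n+u+g+s+m+c+sha256
# positive selection lines
/boot NORMAL
/bin NORMAL
/etc NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/var NORMAL
# negative selection lines
!/openstack
!/opt
!/run
!/var
"""


def parse_selection_lines(conf_text):
    """Split an aide.conf into positive ('/regex RULE') and negative
    ('!/regex') selection lines. Equals lines ('=/regex'), macros and
    options are deliberately ignored: this is a reduced model, not AIDE's
    own parser. The negative list is exactly what someone who can read
    aide.conf learns about where a planted file would go unreported."""
    positive, negative = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!/"):
            negative.append(line[1:].split()[0])
        elif line.startswith("/"):
            positive.append(line.split()[0])
    return positive, negative


def _matches(regex, path):
    # AIDE matches a selection regex from the start of the path and does not
    # anchor it at the end, so '/opt' also matches '/optical/tool'.
    return re.match(regex, path) is not None


def is_monitored(path, positive, negative):
    """Simplified AIDE decision: a path is in the database if some positive
    line matches it and no negative line does. Note that a negative line for
    a tree wins even when a positive line names the same tree."""
    if any(_matches(n, path) for n in negative):
        return False
    return any(_matches(p, path) for p in positive)


def unmonitored_paths(paths, conf_text):
    """Return the candidate paths that this config would never report on."""
    positive, negative = parse_selection_lines(conf_text)
    return [p for p in paths if not is_monitored(p, positive, negative)]


# Constructed candidate paths; none of these files are claimed to exist.
CANDIDATE_PATHS = [
    "/etc/passwd",
    "/usr/bin/ssh",
    "/opt/evil/rootkit.so",              # '/opt NORMAL' is neutralised by '!/opt'
    "/var/lib/dpkg/status",              # package database, excluded by '!/var'
    "/run/systemd/system/evil.service",
    "/optical/tool",                     # not under /opt, but matched by the '!/opt' prefix
    "/variant/bin/tool",                 # likewise for '!/var'
]

# Same exclusions, limited to the directory itself and its contents
# (suggested tightening, not a rule taken from any shipped config).
TIGHTENED_CONF = SAMPLE_AIDE_CONF.replace("!/opt\n", "!/opt(/|$)\n") \
                                 .replace("!/var\n", "!/var(/|$)\n")


if __name__ == "__main__":
    for label, conf in (("as listed", SAMPLE_AIDE_CONF),
                        ("tightened", TIGHTENED_CONF)):
        missed = set(unmonitored_paths(CANDIDATE_PATHS, conf))
        print(f"--- {label} ---")
        for p in CANDIDATE_PATHS:
            print("MISSED " if p in missed else "checked", p)
```

Run it as-is to see which candidate paths each variant would never report on; under the exclusions as listed, anything dropped into /opt, /run or /var is invisible to AIDE regardless of the positive `/opt NORMAL` and `/var NORMAL` lines, and so are `/optical` and `/variant` by accident of the prefix match. Tightening the regex fixes the accidental over-match but, by design, still leaves /opt and /var unwatched; what to do about those trees is the actual trade-off the post asks about.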