I used AIDE as a STIG requirement and use it for the most part in its default configuration. I came across some Openstack documentation that makes the following notes:
    # The default Ubuntu configuration for AIDE will cause it to wander into some
    # terrible places on the system, such as /var/lib/lxc and images in /opt.
    # The following three default exclusions are highly recommended for AIDE to
    # work properly, but additional exclusions can be added to this list if needed.
    security_aide_exclude_dirs:
      - /openstack
      - /opt
      - /run
      - /var

Are these recommendations valid? What are the implications of omitting /opt, /run, and /var? I know (for example) with !/opt an attacker could come in and place a rootkit in /opt. But couldn't an attacker just check aide.conf and find an excluded directory to put their rootkit in?

v/r
Jeff Shepherd
[email protected]
FS: [email protected]
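Added example (not part of the mail or of the AIDE project) to make the coverage question concrete: it models AIDE selection lines in a simplified way (assumption: "/regex RULE" includes, "!/regex" excludes, regexes anchor only at the start of the path, and a matching exclude wins) and reports which constructed sample paths the quoted blanket exclusions leave unmonitored compared with a narrower, constructed exclusion list.

```python
import re
# Simplified model of AIDE selection lines (an assumption for this example):
# "/regex RULE" includes, "!/regex" excludes, regexes are anchored only at the
# start of the path, and a matching exclude wins. "=" lines are not modelled.

# Constructed aide.conf fragment mirroring the exclusions quoted in the mail.
BLANKET = """
/ R
!/openstack
!/opt
!/run
!/var
"""
# Constructed narrower alternative: prune only the noisy subtrees.
NARROW = """
/ R
!/openstack
!/opt/images
!/run
!/var/lib/lxc
"""
# Constructed sample paths, not taken from any real system.
SAMPLE_PATHS = [
    "/etc/passwd",
    "/opt/images/base.img",
    "/opt/custom/bin/agent",
    "/opt-data/app.conf",  # "!/opt" is a prefix regex, so this goes too
    "/run/utmp",
    "/var/lib/lxc/c1/rootfs/bin/sh",
    "/var/lib/dpkg/status",
]

def parse_rules(conf):
    """Return (include_regexes, exclude_regexes) from an aide.conf fragment."""
    include, exclude = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            exclude.append(re.compile(line[1:].split()[0]))
        elif line.startswith("/"):
            include.append(re.compile(line.split()[0]))
        # blank lines, comments and "NAME = p+i+..." definitions are skipped
    return include, exclude

def monitored_paths(conf, paths):
    """Sorted paths the database would cover under conf (simplified semantics)."""
    include, exclude = parse_rules(conf)
    return sorted(p for p in paths
                  if not any(rx.match(p) for rx in exclude)
                  and any(rx.match(p) for rx in include))
```

Every path that shows up under NARROW but not under BLANKET is a place where a change would go unnoticed with the blanket list, which is the blind spot the question is about.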
_______________________________________________
Aide mailing list
[email protected]
https://www.ipi.fi/mailman/listinfo/aide
