Hi all,
I'm not providing an answer, but rather asking another question on
this topic.
Which files do people exclude when using integrity checkers
(e.g. aide/tripwire etc)?
Under normal system use, certain files do change
(e.g. /etc/mtab, /dev/tty*). Including these files in the integrity
checker's database will certainly produce spurious warning about file
modification each time the checker is run.
So what files are safe to exclude? Is it really necessary to check
for modifications to /usr/share/doc/* ?
I've used tripwire but haven't used aide, so if aide automatically
handles changeable system files this is a moot question.
Dion.
--
Dion's Maxim: If you are ever surprised at just how stupid people can be,
then you haven't understood Dion's Maxim.
