Re: [Integrit-users] Good rule for the logs directory
From: Ed L C. <ec...@te...> - 2001-08-31 20:03:16
<tw...@it...> writes:

> I am currently ignoring the log directory /var/log with integrit because I
> could not get it to give me reasonable output. That is to say every option
> I tried returned data every day.
>
> For now I have disabled any integrit checking of /var/log altogether.
>
> Basically I was wondering if anyone had a rule for /var/log that checked
> for a few things but did not have so many false positives.

The example root.conf configuration file in the "examples" directory of
the source distribution includes this configuration, which I find helpful:

    /var/log SIMC

But you can figure that out yourself: if integrit gives you output you
don't need, just look at what kind of output it is and then make a rule
that ignores it specifically. For example, if the checksum (s), inode
number (i), modification (m) and change (c) times always change, then
you know you need the above rule to turn off those checks.

-- 
--Ed Cashin PGP public key: ec...@te...
http://www.terry.uga.edu/~ecashin/pgp/
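The approach Ed describes above, worked through as an added example (not code from the list or from integrit itself): collect several daily reports, find which attribute checks change under a directory on every run, and turn only those off. The "changed: path tag(old:new) ..." line layout and the sample reports are constructed assumptions for this example; only the switch letters s, i, m, c come from the message.

```python
import re

# Constructed sample reports, one per daily integrit run. The attribute
# letters (s checksum, i inode, m mtime, c ctime) are the switch letters
# the message discusses; the "changed: path tag(old:new) ..." layout is
# an assumption for this example, not integrit's exact report format.
RUNS = [
    """changed: /var/log/messages  s(a1:b2) m(1:2) c(1:2)
changed: /var/log/syslog    s(c3:d4) i(100:101) m(1:2) c(1:2)
changed: /etc/passwd        s(e5:f6) m(1:2) c(1:2)""",
    """changed: /var/log/messages  s(b2:c3) m(2:3) c(2:3)
changed: /var/log/syslog    s(d4:e5) m(2:3) c(2:3)""",
    """changed: /var/log/messages  s(c3:d4) i(200:201) m(3:4) c(3:4)""",
]

# Order in which switch letters are emitted; "simc" matches the SIMC rule
# quoted in the message, the rest is an assumed canonical order.
LETTER_ORDER = "simcplugzar"

LINE_RE = re.compile(r"^changed:\s+(\S+)\s+(.*)$")
TAG_RE = re.compile(r"\b([a-z])\(")

def changed_attrs(report, prefix):
    """Attribute letters reported as changed for any file under prefix."""
    attrs = set()
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a "changed:" line
        path, tags = m.groups()
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            attrs.update(TAG_RE.findall(tags))
    return attrs

def always_changing(runs, prefix):
    """Letters that changed under prefix in every run: the checks to switch off.
    A letter that changes only on some days stays on, so it is still reported."""
    per_run = [changed_attrs(r, prefix) for r in runs]
    return set.intersection(*per_run) if per_run else set()

def suggest_rule(prefix, letters):
    """Format a rule line; an uppercase letter switches that check off."""
    switches = "".join(ch.upper() for ch in LETTER_ORDER if ch in letters)
    return f"{prefix} {switches}".rstrip()

if __name__ == "__main__":
    print(suggest_rule("/var/log", always_changing(RUNS, "/var/log")))  # /var/log SMC
```

With the constructed runs the inode number changes only on some days, so the suggested rule keeps the i check on and switches off only s, m and c.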