Forum: Cfengine Help
Subject: Re: depth_search exclude files in tripwire changes
Author: steve
Link to topic: https://cfengine.com/forum/read.php?3,19372,19421#msg-19421

Hi Neil,

Thanks for your advice. Maybe I did not explain the problem clearly: the issue I have is that ntp keeps touching a file, /etc/adjtime, and I want to quiet down the alerts by excluding this (and possibly others).

Now, if I use the above example to exclude adjtime, not only does it exclude /etc/adjtime, but it also excludes /usr/bin/adjtime, /usr/sbin/adjtime and any other place a tripwire runs where a file "adjtime" could exist. It is a problem for detecting an intruder who read the cfengine configs, who might for example copy "rootshell.bin" to one of those locations as 'adjtime', and the tripwire would just happily ignore it. My tripwire is set to catch content changes and permissions.

The solution I have is not just a problem for intrusions, it is sloppy. I want to specifically exclude /etc/adjtime (or any other such file) by path and filename.

Thanks for your help,
Steve.
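
The blind spot described in the post, as an added example that is not part of the original post and is not CFEngine policy: a minimal content-and-permission checker run over a constructed temporary tree, comparing an exclusion by leaf name with an exclusion by full path. The helper names, the relative paths standing in for /etc and /usr/bin, and the file contents are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root, excluded):
    """Return {relative path: (sha256 of content, permission bits)} for every
    file under root, skipping paths for which excluded(rel) is true."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if excluded(rel):
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[rel] = (digest, os.stat(full).st_mode & 0o7777)
    return state

def by_leaf_name(name):
    # Matches the file name in any directory (the behaviour the post objects to).
    return lambda rel: rel.rsplit("/", 1)[-1] == name

def by_full_path(path):
    # Matches exactly one path and filename.
    return lambda rel: rel == path

def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def compare_rules():
    """Build a constructed tree, change it, return the alerts each rule raises."""
    rules = {"leaf": by_leaf_name("adjtime"), "path": by_full_path("etc/adjtime")}
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/adjtime", b"0.0 0 0.0\n")
        write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        write(root, "usr/bin/ls", b"constructed placeholder\n")
        before = {k: snapshot(root, r) for k, r in rules.items()}
        write(root, "etc/adjtime", b"0.1 1 0.0\n")       # expected churn
        write(root, "usr/bin/adjtime", b"unexpected\n")  # new file, same leaf name
        after = {k: snapshot(root, r) for k, r in rules.items()}
    return {k: sorted(p for p in before[k].keys() | after[k].keys()
                      if before[k].get(p) != after[k].get(p)) for k in rules}

if __name__ == "__main__":
    print(compare_rules())
```

Both rules silence the expected churn on etc/adjtime, but only the full-path rule still reports the new usr/bin/adjtime.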