Directory Watching enables LFD to check /tmp and /dev/shm and other added directories for suspicious files.
Only one alert per file is sent until LFD is restarted, so if you remove a suspicious file, remember to restart LFD
If you want to remove suspicious files found during directory watching then enable
The suspicious files will be appended to a tarball in
/var/lib/csf/suspicious.tar and deleted from their original location. Symlinks
are simply removed. If you want to extract the tarball to your current location, use the following command as it will preserver the path and permissions of the original file:
tar -xpf /var/lib/csf/suspicious.tar
Any false-positives can be added to
/etc/csf/csf.fignore and LFD will then
ignore those listed files and directories. You must specify the full path to the file.
You can also use perl regular expression pattern matching, for example:
/tmp/clamav.* /tmp/.*\.wrk user:bob
Files owned by root are ignored.
For information on perl regular expressions: http://www.perl.com/doc/manual/html/pod/perlre.html
You can monitor custom files or directories by enabling
option allows you to have LFD watch a particular file or directory for changes and email alert using. It uses a
simple md5sum match from the output of "ls -laAR" on the entry and so will
traverse directories if specified.
||Whitelist either usernames or full paths to binaries.|
||Suspicious file alert email template.|
||System integrity alert email template.|
||Watched file and directory change alert email template.|