Directory Watching

Directory Watching enables LFD to check /tmp and /dev/shm and other added directories for suspicious files.

Only one alert per file is sent until LFD is restarted, so if you remove a suspicious file, remember to restart LFD so that it will alert on that path again.

If you want to remove suspicious files found during directory watching then enable LF_DIRWATCH_DISABLE in /etc/csf/csf.conf. The suspicious files will be appended to a tarball in /var/lib/csf/suspicious.tar and deleted from their original location. Symlinks are simply removed. If you want to extract the tarball to your current location, use the following command, as it will preserve the path and permissions of the original file:

tar -xpf /var/lib/csf/suspicious.tar

Directory Watching Ignore

Any false positives can be added to /etc/csf/csf.fignore and LFD will then ignore the listed files and directories. You must specify the full path to the file. You can also use perl regular expression pattern matching, for example:

/tmp/clamav.*
/tmp/.*\.wrk
user:bob
  1. Remember that you will need to escape special characters (precede them with a backslash) such as ., \ and ?
  2. Pattern matching will only occur with strings containing an asterisk (*), otherwise full file path matching will be applied.
  3. You can also add entries to ignore files owned by a particular user by preceding the username with user:.

Files owned by root are ignored.

For information on perl regular expressions: http://www.perl.com/doc/manual/html/pod/perlre.html
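The following Python sketch is an added illustration of the three rules above, not code from CSF or LFD. It runs over a constructed csf.fignore sample, uses Python's re module as a stand-in for perl's regex engine (the patterns shown are in the common subset), and assumes that regex entries are matched against the whole path.

```python
import re

# Constructed sample of csf.fignore entries (example data, not from a live system).
SAMPLE_FIGNORE = r"""
# comments and blank lines are skipped (assumption)
/tmp/clamav.*
/tmp/.*\.wrk
/tmp/known-good.sock
user:bob
"""


def parse_fignore(text):
    """Split csf.fignore into (kind, value) rules: 'user', 'regex' or 'path'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("user:"):
            # Ignore every file owned by this user.
            rules.append(("user", line[len("user:"):]))
        elif "*" in line:
            # Only entries containing an asterisk are treated as perl regexes;
            # anchoring to the full path is an assumption of this example.
            rules.append(("regex", re.compile(line)))
        else:
            # No asterisk: the entry must equal the full file path.
            rules.append(("path", line))
    return rules


def is_ignored(path, owner, rules):
    """True if LFD would skip the file: root-owned, whitelisted owner, exact path or regex hit."""
    if owner == "root":
        return True
    for kind, value in rules:
        if kind == "user" and owner == value:
            return True
        if kind == "path" and path == value:
            return True
        if kind == "regex" and value.fullmatch(path):
            return True
    return False


if __name__ == "__main__":
    rules = parse_fignore(SAMPLE_FIGNORE)
    for path, owner in [("/tmp/clamav.12345", "clamav"), ("/dev/shm/x.sh", "www-data")]:
        print(path, owner, "ignored" if is_ignored(path, owner, rules) else "alert")
```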

Watch Custom Files or Directories

You can monitor custom files or directories by enabling LF_DIRWATCH_FILE in /etc/csf/csf.conf. This option allows you to have LFD watch a particular file or directory for changes and send an email alert using the watchalert.txt template. It uses a simple md5sum match on the output of "ls -laAR" for the entry, so it will traverse directories if one is specified.

Related Files

File                                    Description
/etc/csf/csf.conf                       LF_DIRWATCH, LF_DIRWATCH_DISABLE, LF_DIRWATCH_FILE and LF_INTEGRITY configuration options.
/etc/csf/csf.fignore                    Whitelist of either usernames or full paths to binaries.
/usr/local/csf/tpl/filealert.txt        Suspicious file alert email template.
/usr/local/csf/tpl/integrityalert.txt   System integrity alert email template.
/usr/local/csf/tpl/watchalert.txt       Watched file and directory change alert email template.