Directory Watching enables LFD to check /tmp and /dev/shm and other added directories for suspicious files.
Only one alert per file is sent until LFD is restarted, so if you remove a suspicious file, remember to restart LFD.
If you want to remove suspicious files found during directory watching then enable LF_DIRWATCH_DISABLE in /etc/csf/csf.conf.
The suspicious files will be appended to a tarball in /var/lib/csf/suspicious.tar and deleted from their original location. Symlinks
are simply removed. If you want to extract the tarball to your current location, use the following command, as it will preserve the path and permissions of the original file:
tar -xpf /var/lib/csf/suspicious.tar
Any false positives can be added to /etc/csf/csf.fignore and LFD will then
ignore those listed files and directories. You must specify the full path to the file.
You can also use perl regular expression pattern matching, for example:
/tmp/clamav.*
/tmp/.*\.wrk
user:bob
Files owned by root are ignored.
For information on perl regular expressions: http://www.perl.com/doc/manual/html/pod/perlre.html
You can monitor custom files or directories by enabling LF_DIRWATCH_FILE in /etc/csf/csf.conf. This
option allows you to have LFD watch a particular file or directory for changes and send an email alert. It uses a
simple md5sum match from the output of "ls -laAR" on the entry and so will
traverse directories if specified.
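To see what that md5sum-of-listing check does and does not catch, here is an added shell example (not csf/lfd code) that reproduces it on a constructed scratch tree; watch_digest, watch_changed and demo_watch are hypothetical names, and md5sum and mktemp are assumed to be available.

```shell
#!/bin/sh
# Added example, not part of csf/lfd: the LF_DIRWATCH_FILE approach is to hash
# the recursive long listing of the watched entry and compare it to a baseline.

watch_digest() {
    # md5 of "ls -laAR" output for the entry; descends into directories.
    ls -laAR "$1" 2>/dev/null | md5sum | cut -d' ' -f1
}

watch_changed() {
    # Exit 0 (changed) when the current digest differs from the baseline in $2.
    [ "$(watch_digest "$1")" != "$2" ]
}

demo_watch() {
    # Constructed scratch tree; "ref" only supplies a fixed timestamp.
    d=$(mktemp -d) || return 1
    mkdir "$d/sub"
    touch "$d/ref"
    printf 'original\n' > "$d/sub/config"
    touch -r "$d/ref" "$d/sub/config"
    base=$(watch_digest "$d")

    # Case 1: a new file appears under the watched directory. The listing gains
    # a line, so the digest changes and an alert would fire.
    : > "$d/sub/dropped.sh"
    if watch_changed "$d" "$base"; then r1=detected; else r1=missed; fi
    rm "$d/sub/dropped.sh"
    base=$(watch_digest "$d")

    # Case 2: existing file rewritten with same-length content and its mtime
    # restored. Name, size, mode, owner and time are unchanged, so the listing,
    # and therefore the digest, is identical: the change goes unnoticed.
    printf 'tampered\n' > "$d/sub/config"
    touch -r "$d/ref" "$d/sub/config"
    if watch_changed "$d" "$base"; then r2=detected; else r2=missed; fi

    rm -rf "$d"
    echo "$r1 $r2"
}

demo_watch
```

Because only the listing is hashed, the check sees metadata rather than content, which is why the second case slips through.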
| File | Description | 
|---|---|
| /etc/csf/csf.conf | LF_DIRWATCH, LF_DIRWATCH_DISABLE, LF_DIRWATCH_FILE and LF_INTEGRITY configuration options. | 
| /etc/csf/csf.fignore | Whitelist either usernames or full paths to binaries. | 
| /usr/local/csf/tpl/filealert.txt | Suspicious file alert email template. | 
| /usr/local/csf/tpl/integrityalert.txt | System integrity alert email template. | 
| /usr/local/csf/tpl/watchalert.txt | Watched file and directory change alert email template. |