I don't know whether it's good practice, but I used to update the policy regularly just to get rid of the mountain of reports regarding files that always change. It is almost impossible to add them all to the policy at the beginning, so I added them as I went along to reduce the output from tripwire. Gradually you reduce the report down to the truly essential data, which, while still large, is not full of false alarms. Reading the whole report every day was very time consuming initially.
It's the files that *don't normally change* that you want to be checked; they're the ones that you want notification on. Log files and temp files are always changing, so they are worthless as a security metric. Of course, policies vary according to what the system is and what it is used for.
Last edited by smoker; 07-01-2010 at 10:51 PM.
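An added illustration of the tuning described in this post, written in the open-source Tripwire policy (twpol) syntax; it is not the poster's own policy, and the paths, rule names and severities are assumptions chosen for the example. The point is to give static files a strict mask and high severity while moving ever-changing logs and temp files to the looser masks or excluding them, so the daily report only shows changes that matter.

```conf
# Predefined Tripwire property masks (from the stock twpol.txt):
#   $(ReadOnly)  flags any change, including contents and mtime
#   $(Growing)   tolerates appends, still flags truncation/ownership/mode changes
#   $(IgnoreAll) records the file but reports nothing about it
SEC_CRIT = $(IgnoreNone)-SHa ;   # critical files: every property checked
SEC_BIN  = $(ReadOnly) ;         # binaries and configuration: nothing should change
SEC_LOG  = $(Growing) ;          # log files: growth is normal, truncation is not
SIG_LOW  = 33 ;
SIG_HI   = 100 ;

# Noisy (before tuning): /var as a whole is treated as read-only, so every
# log write and every temp file shows up in the daily report as a "change".
#
# (rulename = "var", severity = $(SIG_HI))
# {
#   /var -> $(SEC_BIN) ;
# }

# Tuned: the static parts keep the strict mask and high severity ...
(
  rulename = "System binaries and config",
  severity = $(SIG_HI)
)
{
  /bin  -> $(SEC_BIN) ;
  /sbin -> $(SEC_BIN) ;
  /etc  -> $(SEC_BIN) ;
  /etc/passwd -> $(SEC_CRIT) ;     # assumed critical file, checked most strictly
  !/etc/mtab ;                     # rewritten on every mount: excluded as noise
}

# ... while logs are allowed to grow and temp trees are recorded but not reported.
(
  rulename = "Logs and scratch space",
  severity = $(SIG_LOW)
)
{
  /var/log -> $(SEC_LOG) ;         # a shrinking log (cleared by an intruder) still alerts
  /tmp     -> $(IgnoreAll) ;
  /var/tmp -> $(IgnoreAll) ;
}
```

After editing the policy, regenerate it with `twadmin --create-polfile` and re-initialise the database so the new masks take effect.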