Inotify is the Malware Detection module’s filesystem monitoring tool. It detects if a file has been uploaded to the server or has been modified and triggers the Malware Detection module to check the file.
– If there are a lot of file changes or uploads on the server constantly, Inotify might increase the server’s load
– AuditD requires much fewer resources on the server and it is also faster than Inotify
Check if AuditD can be used
- Start AuditD temporarily with this command:
bitninjacli --module=MalwareDetection --use-auditd
- Check that the necessary AuditD rules have been generated. You can do that with
auditctl -l
- AuditD logs to the same file as Inotify, so you can check that AuditD is running with
tail -f /var/log/bitninja/inotify/inotify.log
Enable AuditD permanently
To enable AuditD permanently you just need to modify the Malware Detection module’s config file:
- Open /etc/bitninja/MalwareDetection/config.ini with your preferred text editor, e.g.:
nano /etc/bitninja/MalwareDetection/config.ini
- Find the [FileSystemMonitor] section in the file. e.g.: in nano press ctrl + w and then type in “[File”
- Replace the code block shown on the screenshot with the lines below. Alternatively, delete the semicolons from the lower four lines and change the order of the monitor_order[] lines so that 'auditd' is the first one.
- Save the changes and exit from the text editor. e.g.: in nano press ctrl + x, then press y and then press enter
- Restart BitNinja with the command
service bitninja restart
[FileSystemMonitor]
monitor_type = 'auditd'
monitor_order[] = 'auditd'
monitor_order[] = 'inotify'
monitor_order[] = 'nullMonitor'
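Before restarting, it is worth confirming that the edited section really leaves 'auditd' as the first uncommented monitor, since a leftover semicolon or a wrong line order silently keeps Inotify active. The script below is an added example and is not part of BitNinja or its documentation; it assumes an INI file in which a leading ';' comments out a line, reads only the [FileSystemMonitor] section, and writes a constructed sample config to a temp file so it runs offline.

```shell
#!/usr/bin/env bash
# Added example, not BitNinja's own tooling: verify that 'auditd' is the
# first active monitor in a MalwareDetection config.ini before restarting.

# Print the uncommented monitor_order[] values from [FileSystemMonitor],
# in file order; a leading ';' marks a commented-out line in this INI.
effective_monitor_order() {
  awk '
    /^[ \t]*;/  { next }
    /^[ \t]*\[/ { in_sec = ($0 ~ /^\[FileSystemMonitor\]/); next }
    in_sec && /^[ \t]*monitor_order\[\][ \t]*=/ { sub(/^[^=]*=/, ""); print }
  ' "$1" | tr -d " \t'\""
}

# Same for monitor_type (a single value; the last uncommented one wins).
effective_monitor_type() {
  awk '
    /^[ \t]*;/  { next }
    /^[ \t]*\[/ { in_sec = ($0 ~ /^\[FileSystemMonitor\]/); next }
    in_sec && /^[ \t]*monitor_type[ \t]*=/ { sub(/^[^=]*=/, ""); print }
  ' "$1" | tr -d " \t'\"" | tail -n 1
}

# Returns 0 when auditd is both the monitor_type and the first monitor_order
# entry; otherwise reports what was found on stderr and returns 1.
check_auditd_first() {
  local first type
  first=$(effective_monitor_order "$1" | head -n 1)
  type=$(effective_monitor_type "$1")
  [ "$first" = auditd ] && [ "$type" = auditd ] && return 0
  echo "monitor_type=${type:-unset}, first monitor_order=${first:-unset}" >&2
  return 1
}

# Constructed sample config (assumed layout mirroring the block above),
# written to a temp file so the check can run without a real install.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
[SomeOtherSection]
monitor_order[] = 'inotify'
[FileSystemMonitor]
;monitor_type = 'inotify'
monitor_type = 'auditd'
monitor_order[] = 'auditd'
monitor_order[] = 'inotify'
monitor_order[] = 'nullMonitor'
EOF

check_auditd_first "${1:-$SAMPLE_CFG}" && echo "auditd is the first monitor"
```

Run it against the real file with `bash check.sh /etc/bitninja/MalwareDetection/config.ini`; without an argument it checks the embedded sample.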