Inotify is the Malware Detection module’s filesystem monitoring tool. It detects when a file is uploaded to the server or modified and triggers the Malware Detection module to scan that file.
– If files are constantly being changed or uploaded on the server, Inotify might increase the server’s load.
– AuditD requires far fewer resources on the server and is also faster than Inotify.
Check if AuditD can be used
- Start AuditD temporarily with this command:
bitninjacli --module=MalwareDetection --use-auditd
- Check that the necessary AuditD rules have been generated. You can do that with
auditctl -l
- AuditD logs to the same file as Inotify, so you can check that AuditD is running with
tail -f /var/log/bitninja/inotify/inotify.log
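The three checks above can be scripted so they are repeatable after the switch. The helpers below are an added example, not BitNinja's own code: they count and look up the watch rules in "auditctl -l" output, confirm that inotify.log is still being written, and wrap the live check for a host. The watched paths and the rule key in SAMPLE_RULES are constructed for illustration; BitNinja's real rules may differ.

```shell
#!/bin/sh
# Added example, not BitNinja's own code: helpers for verifying that AuditD
# monitoring is active after running
#   bitninjacli --module=MalwareDetection --use-auditd
# The paths and rule key in SAMPLE_RULES are constructed for illustration.

# Count the filesystem watch (-w) rules in a block of "auditctl -l" output.
# "auditctl -l" prints the literal text "No rules" when nothing is loaded,
# which yields 0 here.
count_watch_rules() {
    printf '%s\n' "$1" | grep -Ec -- '^-w[[:space:]]' || true
}

# Return 0 if "auditctl -l" output ($1) contains a watch rule for path $2.
# Comparing whole fields avoids treating the path as a regular expression.
has_watch_rule() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == "-w" && $2 == p { found = 1 } END { exit !found }'
}

# Return 0 if file $1 was modified within the last $2 seconds; used to confirm
# that the monitor is still writing to inotify.log after the switch.
log_is_fresh() {
    f="$1"; max="$2"
    [ -f "$f" ] || return 1
    mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f" 2>/dev/null) || return 1
    now=$(date +%s)
    [ $((now - mtime)) -le "$max" ]
}

# Live check against the running host (auditctl needs root).
check_auditd_ready() {
    command -v auditctl >/dev/null 2>&1 || { echo "auditctl not found: install the audit package first"; return 1; }
    rules=$(auditctl -l 2>/dev/null) || { echo "auditctl -l failed: run as root and make sure auditd is running"; return 1; }
    n=$(count_watch_rules "$rules")
    [ "$n" -gt 0 ] || { echo "no watch rules loaded: re-run the bitninjacli command above"; return 1; }
    echo "AuditD is active with $n watch rule(s)"
    if log_is_fresh /var/log/bitninja/inotify/inotify.log 300; then
        echo "inotify.log was written within the last 5 minutes"
    else
        echo "inotify.log not updated recently: modify a file under a watched path and re-check"
    fi
}

# Constructed sample of "auditctl -l" output for offline testing of the helpers.
SAMPLE_RULES='-w /var/www -p wa -k bitninja_example
-w /home -p wa -k bitninja_example'

# Uncomment on a BitNinja host to run the live check:
# check_auditd_ready
```

Run check_auditd_ready as root after the bitninjacli command; a non-zero exit with one of the messages above tells you which of the three checks failed. The log freshness window (300 seconds) is an assumed value and only reflects activity if something under a watched path has actually changed in that time.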
Enable AuditD permanently
You can do this from the Configuration menu on your BitNinja dashboard. The changes described below can be applied to a single server, to a server group, or to your whole account.
- Open the Configuration menu on your BitNinja dashboard.
- Select the setting level on the left side (server level, server group level, or account level).
- Select the Malware Detection module.
- Scroll down and select the “Advanced settings” menu at the bottom.
- Change the File system monitor setting to auditd.
- Click on the Save button at the top of the page.
- Restart BitNinja with the following command:
service bitninja restart