[Aide] Aide - Clamav integration

roman roman at donpac.ru
Wed Dec 7 23:05:47 EET 2005


7 Dec 2005 14:07 Richard van den Berg wrote:
> Miner, Jonathan W (CSC) (US SSA) wrote:
(1)
> > Ideally, the AV software should maintain a database of which files
> > were scanned with which version of the definitions.  Then any time
> > either the definitions or the files change, then scanning would be
> > performed.
>
(2)
> All this can be done using the File Alteration Monitor, see
> http://oss.sgi.com/projects/fam/
>
> Sincerely,
>
> Richard van den Berg

1. I think that wouldn't be ideal. We have too big filesystems now on not
so fast hardware. The process you've described will be too expensive
for the system. And maybe AV software shouldn't replace system integrity checkers.

2. FAM is a bad replacement for aide.
FAM is "the daemon that listens for requests and delivers notification" in
real time. It's not suited for monitoring big filesystems.

"Does FAM have any limitations? 

One level: FAM was designed to monitor only one level deep. That is, if you
monitor a directory, FAM will report full details of any files changing in
that directory, the directory name if a file one level deeper
changed, and nothing if the event occurs deeper than that. This makes FAM
well-suited for graphical file managers (which typically only show the
contents of one directory at a time) or other programs that monitor files
they know the names of, but it will mean a little bit of work if you want FAM
to report all changes on a file system.

Does FAM have any bugs? 

Rapid requests: If a client monitors a directory containing several thousand 
files or several hundred directories and fam is built with the DNotify patch, 
fam will start to use lots of CPU time and stop reporting changes. This issue 
has been resolved in a recent GNU C library release."
					(From http://oss.sgi.com/projects/fam/faq.html)

"What events does FAM report? 

FAM can report when a file is created, deleted, modified, or executed. See 
Events.h in the source code for more details."

No checksums or db handling.

Roman
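The bookkeeping Jonathan describes in the quoted paragraph (a database of which file was scanned with which definitions version, and a rescan whenever either changes), as an added example that is not code from AIDE, ClamAV or anyone in this thread. The JSON record format, the function names and the definitions identifiers are assumptions made for illustration. The planner walks the tree to any depth, unlike FAM's one-level monitor, and makes both sides of the argument visible: under unchanged definitions only a modified file is rescanned, but every file is still digested on every run and everything is rescanned after a definitions update, which is the cost Roman objects to.

```python
"""Plan which files an AV scanner must (re)scan, keyed on content digest
and definitions version. Added example; the record format is an assumption."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

# Assumed record format: {"<path>": {"sha256": "<hex>", "defs": "<definitions id>"}}
ScanDB = Dict[str, Dict[str, str]]


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Digest every regular file under root at any depth (FAM, by contrast,
    reports one directory level). Symlinks are skipped, not followed."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                digests[path] = sha256_file(path)
    return digests


def plan_rescan(db: ScanDB, current: Dict[str, str], defs: str
                ) -> Tuple[List[str], List[str], List[str]]:
    """A file is (re)scanned when it is new, its digest changed, or it was last
    scanned with a different definitions id. Returns (to_scan, skipped, vanished)."""
    to_scan: List[str] = []
    skipped: List[str] = []
    for path, digest in sorted(current.items()):
        rec = db.get(path)
        if rec is None or rec["sha256"] != digest or rec["defs"] != defs:
            to_scan.append(path)
        else:
            skipped.append(path)
    vanished = sorted(p for p in db if p not in current)
    return to_scan, skipped, vanished


def record_scanned(db: ScanDB, current: Dict[str, str], scanned: List[str], defs: str) -> ScanDB:
    """Record a completed scan of `scanned` with `defs`; forget files that are gone."""
    for path in scanned:
        db[path] = {"sha256": current[path], "defs": defs}
    for path in [p for p in db if p not in current]:
        del db[path]
    return db


def save_db(db: ScanDB, path: str) -> None:
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_db(path: str) -> ScanDB:
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def demo() -> Dict[str, List[str]]:
    """Three rounds over a constructed temp tree: first run, one file modified,
    then a definitions update. Returns each round's to_scan list, tree-relative."""
    result: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as root:
        tree = os.path.join(root, "tree")          # constructed sample tree
        dbfile = os.path.join(root, "scan.json")   # kept outside the scanned tree
        os.makedirs(os.path.join(tree, "deep", "deeper"))
        for rel, data in (("a.txt", b"alpha"), ("deep/deeper/b.bin", b"\x00\x01")):
            with open(os.path.join(tree, rel), "wb") as f:
                f.write(data)

        def run(label: str, defs: str) -> None:
            db = load_db(dbfile)
            cur = snapshot(tree)          # full digest pass every run: the expensive part
            scan, _, _ = plan_rescan(db, cur, defs)
            result[label] = [os.path.relpath(p, tree).replace(os.sep, "/") for p in scan]
            save_db(record_scanned(db, cur, scan, defs), dbfile)

        run("first", "daily-100")                    # nothing recorded: scan all
        with open(os.path.join(tree, "a.txt"), "wb") as f:
            f.write(b"alpha changed")
        run("modified", "daily-100")                 # same defs: only a.txt
        run("new_defs", "daily-101")                 # new defs: everything again
    return result


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}: {paths}")
```

In an actual AIDE integration the digests would more sensibly be read from AIDE's own database than recomputed here; as written, hashing the whole tree on every run is exactly the expense the reply above points at, and a definitions update still forces a full rescan regardless.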