[Aide] "May not be a directory"
Virolainen Pablo
pablo at cs.tut.fi
Sat Dec 10 20:37:46 EET 2005
On Sat, 10 Dec 2005, Marc Haber wrote:
>> So it would be possible to say that
>> this rule matches only to files/directories. If so, should 'file'
>> understand something not a file?
>
> IMO, if this is implemented, it probably should support all kinds of
> inode type (file, directory, link, socket, block special, character
> special come to mind). aide would have to worry about combinations as
> well, so that it is possible to express things like "it is ok to have
> /var/foo either a plain file or a symbolic link, but not a directory".

Of course we should support every possible combination. It's just easier
to explain a simplified idea. Plain text? The only way to check it is to read
the whole file and check it char by char. Then there is the problem with
character encoding.

>> Negative rules were designed to exclude proc (and known nfs mounts). For
>> that it works just fine.
>
> I am actually wondering about selection rules that should apply for
> files, but not for directories. Like "ignore any new
> /var/log/syslog.foo as long as it is a plain file".
>
>> So one would have rule to match only to files
>> !/var/log/syslog.[0-9]+ p file
>> and if I want to match only to directories
>> !/var/log/syslog.[0-9]+ p dir
>
> Or:
>
> /var/log/syslog/(syslog|auth\.log)-[0-9]{8}\.gz$ RotatedLogs+ANF file
>
> (please note that this is not a negative rule)

Positive rules requiring stat are not such a bad thing. This may require some
tweaking to the node match routine (First check negative. If no negative rules
match then check positive ones.)

>> (yes... I know that the file/dir could be expressed like normal p+file,
>> but later on we might want to add these rule matching attributes, and
>> we are running out of bits in our 'normal' attributes)
>
> So expanding that bitfield is work for aide 0.12 ;)
>
>> The problem about this approach is that we need to stat the entry before
>> include/exclude decision can be made. This might be problematic with
>> jammed nfs mounts.
>
> Personally, I find it a bad idea to have aide running over remote file
> systems. Shouldn't these file systems be checked on the server?

This is exactly the reason why this kind of feature is not implemented in
aide. To be able to implement the feature, one needs to stat the node.
Statting an nfs mount point means reading data from the server -> a thing to
avoid.

Duke NEMO / C.O.M.A
alias pablo the pallo virolainen
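
The evaluation order discussed in this message, as an added example that is not part of the original post and is not AIDE code: negative rules are tried before positive ones, and the node is only stat'ed when a rule carrying an inode-type restriction matches the path, so a path excluded by a plain negative rule (the NFS case) is never stat'ed. The `Rule` class, the `decide` function, the type keywords and the temporary tree are all assumptions made for illustration.

```python
import os, re, stat, tempfile

# Type keywords are hypothetical, modelled on the "file"/"dir" idea in the thread.
TYPE_TESTS = {"file": stat.S_ISREG, "dir": stat.S_ISDIR, "link": stat.S_ISLNK}

class Rule:
    def __init__(self, pattern, negative=False, types=None):
        self.regex = re.compile(pattern)   # matched from the start of the path
        self.negative = negative
        self.types = types                 # None: any inode type, no stat needed

def decide(path, rules, lstat=os.lstat):
    """Return (included, lstat_calls); negative rules are tried first."""
    mode, calls = None, 0
    for rule in sorted(rules, key=lambda r: not r.negative):
        if not rule.regex.match(path):
            continue
        if rule.types is not None:
            if mode is None:               # stat lazily, at most once per path
                mode, calls = lstat(path).st_mode, calls + 1
            if not any(TYPE_TESTS[t](mode) for t in rule.types):
                continue                   # wrong inode type: rule does not apply
        return (not rule.negative, calls)
    return (False, calls)                  # no rule matched: not selected

def demo():
    """Evaluate three paths in a constructed tree against three rules."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(root + "/log/syslog.1")             # a directory
        open(root + "/log/syslog.0", "w").close()       # a plain file
        base = re.escape(root)
        rules = [
            Rule(base + "/log"),                        # positive, any type
            Rule(base + "/nfs", negative=True),         # plain negative rule
            Rule(base + r"/log/syslog\.[0-9]+$", negative=True, types={"file"}),
        ]
        return {
            "file": decide(root + "/log/syslog.0", rules),
            "dir": decide(root + "/log/syslog.1", rules),
            "nfs": decide(root + "/nfs/x", rules),      # path does not exist
        }

if __name__ == "__main__":
    print(demo())
```

The `nfs` path does not exist in the constructed tree, so any `lstat` on it would raise; the plain negative rule excludes it before that can happen, while the type-restricted negative rule costs one `lstat` per matching path.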