[Aide] "May not be a directory"

Virolainen Pablo pablo at cs.tut.fi
Sat Dec 10 20:37:46 EET 2005 

On Sat, 10 Dec 2005, Marc Haber wrote:

>> So it would be possible to say that
>> this rule matches only to files/directories. If so, should 'file'
>> understand something not a file?
>
> IMO, if this is implemented, it probably should support all kinds of
> inode type (file, directory, link, socket, block special, character
> special come to mind). aide would have to worry about combinations as
> well, so that it is possible to express things like "it is ok to have
> /var/foo either a plain file or a symbolic link, but not a directory".

Of course we should support every possible combination. It's just easier 
to explain simplified idea. Plain text? Only way to check it is to read 
whole file and check it char by char. Then there is problem with charaster 
encoding.

>> Negative rules were designed to exclude proc (and known nfs mounts). For
>> that it works just fine.
>
> I am actually wondering about selection rules that should apply for
> files, but not for directories. Like "ignore any new
> /var/log/syslog.foo as long as it is a plain file".
>
>> So one would have rule to match only to files
>> !/var/log/syslog.[0-9]+ p file
>> and if I want to match only to directories
>> !/var/log/syslog.[0-9]+ p dir
>
> Or:
>
> /var/log/syslog/(syslog|auth\.log)-[0-9]{8}\.gz$ RotatedLogs+ANF file
>
> (please not that this is not a negative rule)

positive rules requiring stat is not so bad thing. This may require some 
tweaking to node match routine (First check negative. If no negative rules 
match then check positive ones.)

>> (yes... I know that the file/dir could be expressed like normal p+file,
>> but later on we might want to add these rule matching attribures, and
>> we are running out of bits in our 'normal' attributes)
>
> So expanding that bitfield is work for aide 0.12 ;)
>
>> The problem about this approach is that we need to stat the entry before
>> include/exclude decision can be made. This might be problematic with
>> jammed nfs mounts.
>
> Personally, I find it a bad idea to have aide running over remote file
> systems. Shouldn't these file systems be checked on the server?

This is exactly the reason why this kind of feature is not implemented in 
aide. To able to implement the feature, one needs to stat the node. 
Statting nfs mount point means reading data from the server -> thing to 
avoid.

Duke NEMO / C.O.M.A
alias pablo the pallo virolainen

More information about the Aide mailing list