[Aide] Problems with AIDE on Debian Sarge (0.10).

Richard van den Berg richard at vdberg.org
Mon Sep 5 23:33:10 EEST 2005


Virgo Pärna wrote:
> Ever since I upgraded my Debian Woody computers to Sarge I'm having
> trouble with AIDE (0.10-6.1). It sometimes shows that files have been
> added to root file system (on ext3) under /bin, /sbin, /lib directories
> - but those files existed before. Usually it works fine for some time -
> shows the differences until I do aide --update and then copy aide.db.new
> over aide.db. Then in the next day some files show up as added. I have
> not noticed any signs of intrusion. Looking through the mailing list archives I
> noticed, that there are several problems with AIDE 0.10 - could this be
> one of them?

If I recall correctly, the problems that have been reported before were 
about changes of some files, not the addition of files. Those are 2 
different things entirely. Aide scans the filesystem for files to add to 
the database. When in checking mode, it does the same scan, comparing 
the files on the filesystem with the database. If aide says files have 
been added, they are not in the database. So either they were not there, 
or the initial scan did not see them. The first thing I would do is a 
full fsck of your filesystems.

If you receive reports of added files, do a grep on the aide.db (it's 
just a text file, optionally gzip compressed) to see if the file indeed 
is not there. If it is there, aide is to blame for sure.

Sincerely,

Richard van den Berg
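
The database check suggested in the reply above, as an added example that is not part of the original message. It compares the whole path field rather than a substring, so a report for /bin/ls is not satisfied by an entry for /bin/lsmod, and it reads plain or gzip-compressed databases. The function names are hypothetical, and it assumes the path is the first whitespace-separated field of each entry line and that lines starting with `@@` or `#` are not entries.

```shell
#!/bin/sh
# Added example: check whether paths that AIDE reported as "added" are
# already recorded in the database file.
# Assumption: the path is the first whitespace-separated field of an entry.

# Print the database, decompressing it when it is gzip-compressed.
aide_db_cat() {
    if gzip -t "$1" 2>/dev/null; then
        gzip -dc "$1"
    else
        cat "$1"
    fi
}

# aide_db_has DB PATH: exit 0 if PATH is an entry in DB, 1 otherwise.
aide_db_has() {
    aide_db_cat "$1" | awk -v p="$2" '
        /^@@/ || /^#/ { next }          # skip directives and comments
        $1 == p { found = 1; exit }     # exact match on the path field
        END { exit found ? 0 : 1 }'
}

# aide_db_triage DB PATH...: print one verdict line per reported path.
# IN-DB   = entry exists, so the "added" report points at AIDE itself.
# MISSING = entry absent, so the file was not there or the scan missed it.
aide_db_triage() {
    db=$1
    shift
    for p in "$@"; do
        if aide_db_has "$db" "$p"; then
            echo "IN-DB   $p"
        else
            echo "MISSING $p"
        fi
    done
}

# Command-line use: script.sh /path/to/aide.db /bin/ls /sbin/init ...
if [ "$#" -ge 2 ]; then
    aide_db_triage "$@"
fi
```

Run it against the aide.db that was in place when the report was generated, before aide.db.new is copied over it.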

