[Aide] aide 0.11 is generating a VERY large database.

Adam Funk a24061 at yahoo.com
Fri Dec 1 14:44:09 EET 2006


On 2006-12-01, Marc Haber <mh+aide at zugschlus.de> wrote:

>> Was there any good reason to include /var/log ?
>
> Any directory might be used by an attacker to hide her binaries.
>
> The package-specific rule sets include rules to exclude the logs that
> are actually used.

With 0.10 as well as 0.11 (before I excluded /var/log), my daily aide
report always showed a lot of changes in /var/log, so I thought not
enough log files that normally change every day were being excluded.

Do you recommend leaving those in and reading the aide differences
every day?


