[Aide] Once more, questions about ANF/ARF

Marc Haber mh+aide at zugschlus.de
Mon Feb 20 13:48:35 EET 2006

On Mon, Feb 20, 2006 at 12:43:00PM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> > How would you handle this in a daily cron job? I am thinking about
> > using --update always, and copying the new database to the old
> > database if aide output parses
> > ### All files match AIDE database. Looks okay!
> > 
> > What do you think about that idea?
> I think that is a bad idea. Updating aide.db without manual intervention 
> is dangerous. If a backdoor was added to your system, it will only be 
> reported once, after which the changes to your file system are updated 
> in aide.db automatically.

I do not understand.

If a backdoor was added to the system, aide would complain about the
changed file, and the database would not be updated. If aide didn't
detect the backdoor once, the database would be updated, but aide
wouldn't detect that change the next run anyway.

> I think the ANF/ARF directives have their uses, but it might not be to 
> track rotating log files by inode number.

So you instead recommend excluding all possible log file names from
the aide database completely?


Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

More information about the Aide mailing list