[Aide] Once more, questions about ANF/ARF
Richard van den Berg
richard at vdberg.org
Mon Feb 20 14:28:40 EET 2006
Marc Haber wrote:
> If a backdoor was added to the system, aide would complain about the
> changed file, and the database would not be updated.
Are you planning to implement this logic yourself? Aide when run with
--update will always update the database, reporting the differences
found. So the danger is that if you miss that 1 report about the
changes, you are screwed. With the current situation, aide will report
the differences every time until an administrator manually updates the
database (and of course checks the output to make sure no malicious
updates were committed to the aide.db).
> So you instead recommend excluding all possible log file names from
> the aide database completely?
Add them, but don't do strict checks. I use the L (p+i+n+u+g) rule for
log directories. Since my system has been running for a looong time, all
my log files have been created, and as they turn over no new files
appear. This does not guarantee that aide will catch tampered log files,
but if that is the only thing someone tampers with, I am not really worried.
Sincerely,
Richard van den Berg
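An aide.conf fragment, added here as an example (not from Richard's message or the AIDE project), showing the loose L rule applied to log directories next to a strict rule for binaries and configuration; the database paths, the Strict rule name and the directory list are assumptions:

```conf
# aide.conf fragment (added example, not from the thread). Paths are assumptions.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Strict rule for files that must never change silently: permissions, inode,
# link count, owner, group, size, mtime, ctime and two checksums.
Strict = p+i+n+u+g+s+m+c+md5+sha1

# The L rule from the message: permissions, inode, link count, owner, group.
# Size and content are not checked, so a log that merely grows stays quiet;
# a log replaced with a new inode or re-owned is still reported.
L = p+i+n+u+g

# Strictly checked trees.
/bin      Strict
/sbin     Strict
/usr/bin  Strict
/usr/sbin Strict
/etc      Strict

# Log directories are included in the database but only loosely checked.
/var/log  L

# Rotation that creates new names (syslog.1, syslog.2.gz, ...) still shows up
# as added or removed files; on a long-running system with a fixed set of
# names, as described in the message, this stays quiet.
```

Routine runs use `aide --check`, which compares against `database` and writes nothing; `aide --update` writes a fresh database to `database_out`, which an administrator copies over `database` only after reviewing the report.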