[Aide] Once more, questions about ANF/ARF

Richard van den Berg richard at vdberg.org
Mon Feb 20 14:28:40 EET 2006


Marc Haber wrote:
> If a backdoor was added to the system, aide would complain about the
> changed file, and the database would not be updated.

Are you planning to implement this logic yourself? Aide when run with 
--update will always update the database, reporting the differences 
found. So the danger is that if you miss that 1 report about the 
changes, you are screwed. With the current situation, aide will report 
the differences every time until an administrator manually updates the 
database (and of course checks the output to make sure no malicious 
updates were committed to the aide.db).

> So you instead recommend excluding all possible log file names from
> the aide database completely?

Add them, but don't do strict checks. I use the L (p+i+n+u+g) rule for 
log directories. Since my system has been running for a looong time, all 
my log files have been created, and as they turn over no new files 
appear. This does not guarantee that aide will catch tampered log files, 
but if that is the only thing someone tampers with, I am not really worried.

Sincerely,

Richard van den Berg
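As an added illustration of the rule split Richard describes (not from the original message or from the AIDE project), here is an aide.conf fragment that applies the built-in L rule (p+i+n+u+g) to the log tree while keeping a strict rule elsewhere. The database paths, the Strict group name and the sha256 checksum attribute are assumptions for a modern AIDE install; adjust them to what your version supports.

```conf
# Example aide.conf fragment (constructed; paths and group names are assumptions)
database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Strict rule: content and metadata changes are all reported.
# sha256 assumes AIDE >= 0.14; older builds use sha1/md5.
Strict = p+i+n+u+g+s+m+c+sha256

# AIDE's built-in L group is p+i+n+u+g: permissions, inode, link count,
# owner and group, but no size, mtime or checksum. Log files grow and
# rotate, so a size/hash rule would produce noise on every run; L still
# reports a changed mode, owner or inode (e.g. a log replaced by a new file).
/etc       Strict
/bin       Strict
/sbin      Strict
/usr       Strict

# Log directory gets the relaxed rule.
/var/log   L
```

Note that --update writes to database_out; the admin still reviews the report and copies aide.db.new over aide.db by hand, which is the manual step the message relies on for catching a malicious change.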