[Aide] Once more, questions about ANF/ARF

Marc Haber mh+aide at zugschlus.de
Mon Feb 20 15:09:32 EET 2006

On Mon, Feb 20, 2006 at 01:28:40PM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> > If a backdoor was added to the system, aide would complain about the
> > changed file, and the database would not be updated.
> Are you planning to implement this logic yourself? Aide when run with 
> --update will always update the database, reporting the differences 
> found.

aide --update will automatically create an aide.db.new and report
differences. Currently, manual intervention is required to copy
aide.db.new to aide.db.

I would like to have aide.db.new copied to aide.db automatically only
if no differences have been reported. This would be implemented in
Debian's daily cron job, no changes in aide itself required.

> So the danger is that if you miss that 1 report about the 
> changes, you are screwed. With the current situation, aide will report 
> the differences every time until an administrator manually updates the 
> database (and of course checks the output to make sure no malicious 
> updates were committed to the aide.db).

That will remain unchanged - the reference database would only be
written to if no reportable changes have been detected.

> > So you instead recommend excluding all possible log file names from
> > the aide database completely?
> Add them, but don't do strict checks. I use the L (p+i+n+u+g) rule for 
> log directories. Since my system has been running for a looong time, all 
> my log files have been created, and as they turn over no new files 
> appear.

That won't work if you keep logs indefinitely: a new file will appear
each day.


Marc Haber         | "I don't trust Computers. They | Mail address in the header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
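The cron-job logic Marc describes above (promote aide.db.new to aide.db only when the run reported no differences), as an added example that is neither Debian's actual cron script nor code from the AIDE project. Assumptions: the database paths (Debian's defaults, overridable via environment), and that aide exits with status 0 when nothing changed and non-zero otherwise; older AIDE versions may not follow that convention, in which case the caller must parse the report instead.

```shell
#!/bin/sh
# Example cron-job logic (hypothetical, not Debian's real job):
# run "aide --update" and copy aide.db.new over aide.db only if the
# run reported no differences, so a changed file keeps being reported
# on every run until an administrator looks at it.

# Assumed paths (Debian defaults); override via the environment.
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}"

# promote_db_if_clean STATUS DB_NEW DB
# STATUS is aide's exit status (assumed: 0 means "no differences").
# Returns 0 if DB_NEW was promoted to DB, 1 if it was left alone.
promote_db_if_clean() {
    status="$1"; db_new="$2"; db="$3"
    if [ "$status" -ne 0 ]; then
        # Differences or an error were reported: keep the old reference
        # database so the same report comes back tomorrow.
        return 1
    fi
    if [ ! -f "$db_new" ]; then
        # Nothing to promote (aide did not write a new database).
        return 1
    fi
    # Copy to a temp file, then rename, so a failed copy never leaves
    # the system without a reference database.
    cp "$db_new" "$db.tmp" && mv "$db.tmp" "$db"
}

# run_daily_check: what the cron job would call. Prints the report
# (which cron mails to root) whenever the database was not promoted.
run_daily_check() {
    report=$(aide --update 2>&1)
    rc=$?
    if promote_db_if_clean "$rc" "$AIDE_DB_NEW" "$AIDE_DB"; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}
```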
