[Aide] 0.11rc2 observations

Vincent Danen vdanen at linsec.ca
Fri Jan 20 22:11:46 EET 2006


Hi there, I'm using aide for the first time since 0.8 or so... it's nice
to see some active development!  BTW, is there an ETA for when 0.11 is
coming out?  I'm using 0.11-rc2 now (well, evaluating) and plan to
replace tripwire with aide in Annvix (a secure-server Linux distro).

Anyways, I have a few questions.  I see that aide complains when "c" and
"I" are used, but this seems to extend to "c" and "i" as well, as is seen
here:

[root at surtr etc]# aide --init
Rule at line 196 has c and I flags enabled at the same time. If same inode is found, flag c is ignored

Now, this is fine, but when looking at this rule, I have the "All" rule
which is:

All=R+a+sha1+rmd160

looking at the definition for "R" didn't help very much because:

#R:             p+i+n+u+g+s+m+c+md5

In fact, "I" isn't noted even in the configuration file (aide.conf.in) I
had to look at the source to see what it was (I had assumed it was
the same as "i").  It looks, by the description, to be slightly
different, but I'm not sure based on this code in commandconf.c:

  if((attr&DB_INODE||attr&DB_CHECKINODE) && (check_dboo(db_inode)!=RETFAIL)){
    conf->db_out_order[conf->db_out_size++]=db_inode;
  }

This makes me think that "I" and "i" are identical when it comes to the
configuration parser, but are they *really* identical in function?  If
so, why have both "i" and "I"?  Why not just "i"?

The reason I wonder is because in aide.c I see:

  do_groupdef("R",DB_PERM|DB_INODE|DB_LNKCOUNT|DB_UID|DB_GID|DB_SIZE|
                DB_MTIME|DB_CTIME|DB_MD5);

Clearly DB_CHECKINODE (or "I") isn't in there at all, so I, really,
shouldn't be seeing the error message at all, right?

I'm not a C programmer; I just know enough to hack things around so I
might be really wrong with this, but this is how I'm interpreting
things... =)

I'm just re-evaluating AIDE after many long years, so I may have more
questions/comments/etc. later on.  Oh, one question.  Does having the
database file gzipped cause any performance problems?  I don't think
space is really a concern, but if having the db's gzipped causes a
significant performance penalty, I'd rather leave them uncompressed.

Thanks!

-- 
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...
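The question above turns on how group names such as "R" and "All" expand
into flag sets and which flags the c/I warning actually looks at.  The
following is an added illustration, not AIDE's own parser or any code
from the project: it expands aide.conf-style group definitions
recursively and applies the conflict rule exactly as the quoted warning
states it (ctime "c" together with the "I" check-inode flag, not
lower-case "i").  The "R" and "All" definitions are copied from the
message; the "Moved" group, the KNOWN_ATTRS table and the conflict rule
itself are assumptions made for the example.

```python
"""Toy model of AIDE-style attribute-group expansion and the c/I check.

Added illustration, not AIDE's code.  'R' and 'All' are quoted from the
message above; 'Moved' and the conflict rule are assumptions.
"""
import re

# Attribute tokens accepted in rules.  Single letters follow the
# aide.conf convention; 'I' stands for the DB_CHECKINODE flag that the
# message found in the source.  (Assumed table for this example.)
KNOWN_ATTRS = {
    "p", "i", "n", "u", "g", "s", "m", "c", "a", "I",
    "md5", "sha1", "rmd160",
}

# Constructed configuration in aide.conf group syntax.
SAMPLE_CONF = """\
# default R as listed in aide.conf.in
R=p+i+n+u+g+s+m+c+md5
# the rule from the message
All=R+a+sha1+rmd160
# assumed extra group that really does combine c with I
Moved=All+I
"""


def parse_groups(text):
    """Return {name: [tokens]} from NAME=tok+tok lines; skip blanks/comments."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z_]\w*)\s*=\s*([\w+]+)", line)
        if not m:
            raise ValueError(f"unparsable group line: {line!r}")
        groups[m.group(1)] = m.group(2).split("+")
    return groups


def expand(name, groups, _stack=()):
    """Resolve a group name to the flat set of attribute tokens.

    Tokens that name another group are expanded recursively; anything
    else must be a known attribute.  A cycle raises instead of looping.
    """
    if name in _stack:
        raise ValueError("group cycle: " + " -> ".join(_stack + (name,)))
    attrs = set()
    for tok in groups[name]:
        if tok in groups:
            attrs |= expand(tok, groups, _stack + (name,))
        elif tok in KNOWN_ATTRS:
            attrs.add(tok)
        else:
            raise ValueError(f"unknown attribute or group {tok!r} in {name}")
    return attrs


def ctime_inode_conflict(attrs):
    """Model of the quoted warning: 'c' and 'I' enabled at the same time.

    Lower-case 'i' (store and compare the inode number) does not trigger
    it here, which is what the documented definition of R would suggest.
    """
    return "c" in attrs and "I" in attrs


def check_conf(text):
    """Expand every group and report which ones hit the c/I conflict."""
    groups = parse_groups(text)
    return {name: ctime_inode_conflict(expand(name, groups)) for name in groups}


if __name__ == "__main__":
    for name, hit in check_conf(SAMPLE_CONF).items():
        print(f"{name}: {'c and I together' if hit else 'ok'}")
```

Under these assumptions only the constructed "Moved" group triggers the
conflict; "All" expands to c and i but never to I, which is the
discrepancy the message is asking about.  Whether the real parser treats
"i" and "I" as the same bit is exactly the open question, so this model
should be read as the expected behaviour, not the observed one.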