[Aide] 0.11rc2 observations

Vincent Danen vdanen at linsec.ca
Sat Jan 21 03:48:37 EET 2006


* Vincent Danen <vdanen at linsec.ca> [2006-01-20 13:11:46 -0700]:

Another question I had, and this is more of a design question than
anything.  Why does aide make comparisons against the live filesystem?
Or, rather, why does it update from the live filesystem.  It looks to me
like --init is functionally equivalent to --update except for the report
of differences at the end.

The problem I have with this model is that it takes aide some time to
run, and there is a small window of opportunity between when you do,
say, a check and then an update.

For instance, if I run a cronjob at 4am to do a check, then run an
update at 10am to update my database.  Obviously it's not using my 4am
check to merge the differences to the database, right?

So the check just reports on the differences, but what I don't get is,
if I don't run another check immediately before my update, how will I
know what changed?  Something could have changed in those 6hrs and I'd
be completely unaware of it, run the update, and I've just merged that
"unauthorized" change into my database (assume a trojaned ls or
something).  I'm not going to see that in any report because it's using
the current filesystem to do the update, not the 4am snapshot.

Or am I missing something?  Am I too used to how tripwire works?  =)  I
guess some testing would let me know, but am I correct in assuming that
--check is nothing more than a report of the current time the check is
run and shouldn't be considered even remotely accurate when I try to run
an update later?

-- 
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...
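Added illustration, not from the post or the AIDE project: a toy model of the check/update window described above, with a hypothetical gated_update helper that refuses to promote a new database when the report contains differences the operator did not expect. The paths, file contents and the "trojaned ls" are constructed sample data; the real aide binary is not invoked.

```python
import hashlib
from typing import Dict, Optional, Set, Tuple

Fs = Dict[str, bytes]  # constructed stand-in for the live filesystem: path -> contents
Db = Dict[str, str]    # integrity database: path -> sha256 hex digest


def init_db(fs: Fs) -> Db:
    """--init: build a fresh database from whatever is on the live filesystem."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in fs.items()}


def diff_db(old: Db, new: Db) -> Dict[str, str]:
    """Added / removed / changed paths between two databases."""
    out: Dict[str, str] = {}
    for p in sorted(set(old) | set(new)):
        if p not in old:
            out[p] = "added"
        elif p not in new:
            out[p] = "removed"
        elif old[p] != new[p]:
            out[p] = "changed"
    return out


def check(db: Db, fs: Fs) -> Dict[str, str]:
    """--check: report only; the database is left untouched."""
    return diff_db(db, init_db(fs))


def update(db: Db, fs: Fs) -> Tuple[Dict[str, str], Db]:
    """--update: the same report as --check plus a new database built from the
    live filesystem, so anything changed since the last clean check is baked in."""
    new = init_db(fs)
    return diff_db(db, new), new


def gated_update(db: Db, fs: Fs, expected: Set[str]) -> Optional[Db]:
    """Hypothetical mitigation: promote the new database only when every reported
    difference is one the operator expected; otherwise keep the old one (None)."""
    report, new = update(db, fs)
    return None if set(report) - expected else new


def scenario() -> dict:
    fs: Fs = {"/bin/ls": b"ls v1", "/etc/passwd": b"root:x:0:0"}
    db = init_db(fs)                                       # baseline database
    at_4am = check(db, fs)                                 # 4am cron check: clean
    fs["/bin/ls"] = b"ls v1 + backdoor"                    # unauthorized change at 7am (constructed)
    fs["/etc/passwd"] = b"root:x:0:0\nalice:x:1000:1000"   # change the admin made on purpose
    report, naive_db = update(db, fs)                      # 10am update reads the live fs
    trojan_digest = hashlib.sha256(b"ls v1 + backdoor").hexdigest()
    return {"check_4am": at_4am, "update_report": report,
            "naive_db_has_trojan": naive_db["/bin/ls"] == trojan_digest,
            "gated_refused": gated_update(db, fs, expected={"/etc/passwd"}) is None}
```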

