[Aide] 0.11rc2 observations

Vincent Danen vdanen at linsec.ca
Sun Jan 22 19:08:01 EET 2006


* Richard van den Berg <richard at vdberg.org> [2006-01-22 12:19:26 +0000]:

> > Another question I had, and this is more of a design question than
> > anything.  Why does aide make comparisons against the live filesystem?
> > Or, rather, why does it update from the live filesystem.  It looks to me
> > like --init is functionally equivalent to --update except for the report
> > of differences at the end.
> 
> Very true, and --check and --update are the same except that the update
> also creates aide.db.new. The Debian aide package uses --update for all
> checks. Since aide never overwrites the original databases (but rather
> creates a new one), it is left to the administrator to see what output
> --update produces (i.e. what has changed), and then manually replace the
> aide.db with the aide.db.new. The next run of aide will then report any
> changes made since the last run. You can adopt this strategy if you like it.

Well, what I'm aiming to do is have a cronjob set every day to run
--check.  That way the admin can look to see if they want to update the
database.  Also, for Annvix, I'm going to enforce the usage of a
detached gpg signature (well, as far as the cronjob and scripts go) so
having --update run as a cron job won't work in those circumstances
because the admin will need to provide their gpg passphrase.

But I see what you mean (and, again in the other message) about no
window of opportunity... I came to that same conclusion myself after
testing (seeing as how it immediately reports the new aide.db as being
changed, which is good).  I think having --check run daily so the admin
can see what's going on is good, and then when they want to update the
db (new package installs, etc.) then they can run --update themself.

-- 
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...
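
[Added example, not part of the original message or of AIDE or Annvix: one way to script the daily job described above, in which cron verifies the detached signature on aide.db and then runs --check, while --update and re-signing stay manual. The paths, the variable names, the ADMIN_FPR fingerprint pin and the --run switch are assumptions.]

```sh
#!/bin/sh
# Added example, not from the thread. Paths, variable names and the --run
# switch are assumptions; aide.conf must name the same database file.
: "${AIDE_CONF:=/etc/aide.conf}"
: "${AIDE_DB:=/var/lib/aide/aide.db}"
: "${AIDE_SIG:=$AIDE_DB.sig}"   # detached signature created by the admin
: "${ADMIN_FPR:=}"              # admin key fingerprint: 40 hex, uppercase, no spaces
: "${GPG:=gpg}" "${AIDE:=aide}"

# Succeed only if AIDE_SIG is a valid signature over AIDE_DB made by ADMIN_FPR.
verify_db() {
    [ -n "$ADMIN_FPR" ] || { echo "ADMIN_FPR is not set" >&2; return 2; }
    [ -r "$AIDE_DB" ] && [ -r "$AIDE_SIG" ] ||
        { echo "missing $AIDE_DB or $AIDE_SIG" >&2; return 3; }
    # Verifying needs only the public key, so cron never asks for a passphrase.
    # gpg exits 0 for a good signature from any key in the keyring, so match
    # the VALIDSIG status line (signing-key or primary-key fingerprint) instead.
    "$GPG" --batch --status-fd 1 --verify "$AIDE_SIG" "$AIDE_DB" 2>/dev/null |
        awk -v fpr="$ADMIN_FPR" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
            END { exit !ok }' ||
        { echo "$AIDE_DB: no valid signature from $ADMIN_FPR" >&2; return 4; }
}

# Daily job: refuse to compare against an unsigned or re-signed database.
daily_check() {
    verify_db || return $?
    # Read-only comparison; --update and re-signing stay a manual admin step.
    "$AIDE" --config="$AIDE_CONF" --check
}

case "${1:-}" in --run) daily_check ;; esac
```

[Run from cron with --run and ADMIN_FPR set in the job's environment. A non-zero status from verify_db (2, 3 or 4) means the comparison was skipped, which is worth alerting on separately from AIDE's own report.]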