[Aide] 0.11rc2 observations
Vincent Danen
vdanen at linsec.ca
Sun Jan 22 19:08:01 EET 2006
* Richard van den Berg <richard at vdberg.org> [2006-01-22 12:19:26 +0000]:
> > Another question I had, and this is more of a design question than
> > anything. Why does aide make comparisons against the live filesystem?
> > Or, rather, why does it update from the live filesystem? It looks to me
> > like --init is functionally equivalent to --update except for the report
> > of differences at the end.
>
> Very true, and --check and --update are the same except that the update
> also creates aide.db.new. The Debian aide package uses --update for all
> checks. Since aide never overwrites the original databases (but rather
> creates a new one), it is left to the administrator to see what output
> --update produces (i.e. what has changed), and then manually replace the
> aide.db with the aide.db.new. The next run of aide will then report any
> changes made since the last run. You can adopt this strategy if you like it.
Well, what I'm aiming to do is have a cronjob set every day to run
--check. That way the admin can look to see if they want to update the
database. Also, for Annvix, I'm going to enforce the usage of a
detached gpg signature (well, as far as the cronjob and scripts go) so
having --update run as a cron job won't work in those circumstances
because the admin will need to provide their gpg passphrase.
But I see what you mean (and, again in the other message) about no
window of opportunity... I came to that same conclusion myself after
testing (seeing as how it immediately reports the new aide.db as being
changed, which is good). I think having --check run daily so the admin
can see what's going on is good, and then when they want to update the
db (new package installs, etc.) then they can run --update themselves.
--
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...
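
Added example, not part of the original message and not code from the AIDE or Annvix projects: a sketch of the daily cron job described above, which verifies a detached GPG signature on the database and only then runs --check. The database path, the ".sig" file name and the script's own "--run" argument are assumptions.

```shell
#!/bin/sh
# Added example: daily AIDE check gated on a detached GPG signature.
# Assumptions (not from the original message): the paths below, the
# ".sig" suffix, and this script's own "--run" argument.
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db}   # must match database= in aide.conf
AIDE_SIG=${AIDE_SIG:-$AIDE_DB.sig}          # created by: gpg --detach-sign aide.db
GPG=${GPG:-gpg}
AIDE=${AIDE:-aide}

# Return 0 only if the detached signature verifies against the database.
# gpg accepts a good signature from any key in the keyring it uses, so the
# keyring of the account running this job should hold only the admin's
# public key. Verification needs no secret key and no passphrase.
verify_db() {
    [ -r "$AIDE_DB" ] && [ -r "$AIDE_SIG" ] || return 2
    "$GPG" --batch --quiet --verify "$AIDE_SIG" "$AIDE_DB" >/dev/null 2>&1
}

# Run the read-only check, never --update: the job cannot re-sign a new db.
daily_check() {
    if ! verify_db; then
        echo "aide: signature on $AIDE_DB missing or invalid, check not run" >&2
        return 3
    fi
    "$AIDE" --check    # report goes to stdout, which cron mails to the admin
}

if [ "${1:-}" = "--run" ]; then
    daily_check
    exit $?
fi
```

After an admin-run --update, the admin moves aide.db.new into place and signs it again, which is the one step that needs the passphrase.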