[Aide] Problem understanding aide.conf rules and subsequent AIDE behavior

Randy Brown Randy.Brown at noaa.gov
Fri May 5 20:10:06 EEST 2006 

That was my understanding too, but I'm sure not seeing that behavior.  
Part of my rule set is as follows:

    / p+u+g
   /usr L
   /usr/local L
   /boot R
   /etc p+i+n+u+g+s+m

As a test, I modified the /etc/passwd file.  The mtime changed and the 
size changed.  AIDE turned up nothing when I ran aide --check.  Then I 
change the permissions on the /etc/password file and ran aide --check 
again.  It picked up the permission change, but never caught the mtime 
or size change.

I thought is would be best to use:
/ R
as the first rule and then get more specific on the subdirectories as 
needed, and exclude the things I don't care to monitor.  The exclude 
rules seem to behave as expected, but the "include" rules don't seem to 
do what I think they are supposed to do.

Randy

jacob martinson wrote:
> The matching algorithm is described in the manual -
>
> http://www.cs.tut.fi/~rammer/aide/manual.html#config
>
> My understanding is that the deeper rule (/etc) would take precedence
> over the higher rule (/) and that the rules are not cumulative.  i.e.
> /etc will only get the attributes monitored that you list on the /etc
> line.
>
>
>
> On 5/5/06, Randy Brown <Randy.Brown at noaa.gov> wrote:
>   
>> I recently install aide-0.11 and am currently testing it for our
>> application.  Something that is confusing me though is how the rules are
>> applied and if they supercede the previous rule.  For example, if I use
>> the rules in aide.conf:
>>
>> / p+u+g
>> /etc p+u+g+m+i+s
>>
>> Does the first rule take precedent so that the m, i, and s, switches are
>> ignored for /etc?  OR, if I use:
>>
>> / R+a
>> /etc p+u+g+s
>>
>> do the m, c, and md5 (as well as others included with R) still apply to
>> files in /etc?
>>
>> Can I use something like:
>>
>> / R+a
>> /etc -m-c-md5
>> to have it not track that data for files in /etc but still track
>> permissions, user, group, etc?
>>
>> Any assistance in clarifying my understanding would be greatly appreciated.
>>
>> Thanks,
>>
>> Randy
>>
>>
>> _______________________________________________
>> Aide mailing list
>> Aide at cs.tut.fi
>> https://mailman.cs.tut.fi/mailman/listinfo/aide
>>
>>
>>
>>
>>     
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://mailman.cs.tut.fi/pipermail/aide/attachments/20060505/90116e7a/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: randy.brown.vcf
Type: text/x-vcard
Size: 332 bytes
Desc: not available
Url : https://mailman.cs.tut.fi/pipermail/aide/attachments/20060505/90116e7a/randy.brown.vcf

More information about the Aide mailing list