[Aide] Problem understanding aide.conf rules and subsequent AIDE behavior
Richard van den Berg
richard at vdberg.org
Fri May 5 22:03:25 EEST 2006
Randy Brown wrote:
> That was my understanding too, but I'm sure not seeing that behavior.
> Part of my rule set is as follows:
>
> / p+u+g
> /usr L
> /usr/local L
> /boot R
> /etc p+i+n+u+g+s+m
>
> As a test, I modified the /etc/passwd file. The mtime changed and the
> size changed. AIDE turned up nothing when I ran aide --check. Then I
> changed the permissions on the /etc/password file and ran aide --check
> again. It picked up the permission change, but never caught the mtime
> or size change.

I just tested this case with aide 0.11, and it does catch the mtime
and size change like it is expected to.

Are you sure you did an --init after you changed the aide.conf file? If
so, please change the /etc/passwd file again (touch should be enough)
and send the output of "aide -V255 --check".

Sincerely,

Richard van den Berg