[Aide] Problem understanding aide.conf rules and subsequent AIDE behavior
Randy at work
randy.brown at noaa.gov
Sat May 6 01:36:20 EEST 2006
I did not do an init after making the change. I was changing the file
then running a check. I need to run an init after every change to
aide.conf? Steps as follows:
Change aide.conf
run aide --init
change /etc/passwd (for example)
run aide --check
?? Correct?
The logic is not sinkinginto my thick skull late on a Friday. :)
Randy
Richard van den Berg wrote:
>Randy Brown wrote:
>
>
>>That was my understanding too, but I'm sure not seeing that behavior.
>>Part of my rule set is as follows:
>>
>> / p+u+g
>> /usr L
>> /usr/local L
>> /boot R
>> /etc p+i+n+u+g+s+m
>>
>>As a test, I modified the /etc/passwd file. The mtime changed and the
>>size changed. AIDE turned up nothing when I ran aide --check. Then I
>>change the permissions on the /etc/password file and ran aide --check
>>again. It picked up the permission change, but never caught the mtime
>>or size change.
>>
>>
>
>I just tested this case with the aide 0.11, and it does catch the mtime
>and size change like it is expected to.
>
>Are you sure you did an --init after you changed the aide.conf file? If
>so, please change the /etc/passwd file again (touch should be enough)
>and send the output of "aide -V255 --check".
>
>Sincerely,
>
>Richard van den Berg
>_______________________________________________
>Aide mailing list
>Aide at cs.tut.fi
>https://mailman.cs.tut.fi/mailman/listinfo/aide
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://mailman.cs.tut.fi/pipermail/aide/attachments/20060505/3522447a/attachment-0001.html
More information about the Aide
mailing list