[Aide] Problem understanding aide.conf rules and subsequent AIDE behavior
Richard van den Berg
richard at vdberg.org
Sat May 6 10:35:24 EEST 2006
Randy at work wrote:
> I did not do an init after making the change. I was changing the file
> then running a check. I need to run an init after every change to
> aide.conf? Steps as follows:
>
> Change aide.conf
> run aide --init
> change /etc/passwd (for example)
> run aide --check
Actually, the complete set of steps is:
1. Change aide.conf
2. Run aide --init
3. Rename aide.db.new to aide.db
4. Change /etc/passwd
5. Run aide --check
The reason for this is simple. When you first have an aide.conf with just
/ p+u+g
Then later on you decide to add
/etc p+i+n+u+g+s+m
If you do not do a new --init, then the i+n+s+m attributes for
/etc/passwd are not in the database. As a result, aide could miss them
as changed. Although, with my test, aide 0.11 did flag the changes in
this example.
Instead of --init you can also use --update if you already did an --init
once before. This way you can make sure that you are only updating
attributes as a result of changes you made to the aide.conf and not
other changes perhaps made by an intruder.
Sincerely,
Richard van den Berg
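The mismatch Richard describes, as an added example that is not code from the thread or from AIDE itself: a small Python script parses the two configurations quoted above and reports which attributes for a path the old database cannot contain, i.e. which ones require a fresh --init or --update (and the rename of aide.db.new) before --check is meaningful. It assumes simplified longest-prefix matching of selection lines; real AIDE selects by regular expression, so the matching here is an illustration only.

```python
"""Report attributes a new aide.conf checks that an aide.db built from
the old aide.conf never recorded (assumed simplified prefix matching)."""
import re
from typing import Dict, Set

# Constructed sample configurations, taken from the thread above.
OLD_CONF = """
/ p+u+g
"""
NEW_CONF = """
/ p+u+g
/etc p+i+n+u+g+s+m
"""

# A selection line: <path prefix> <attr>+<attr>+...
RULE_RE = re.compile(r"^(\S+)\s+(\S+)$")


def parse_rules(conf: str) -> Dict[str, Set[str]]:
    """Map each selection-line prefix to its set of attribute letters.
    Blank lines, comments and non-matching directives are skipped."""
    rules: Dict[str, Set[str]] = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # e.g. database= directives are not selection lines
        prefix, attrs = m.groups()
        rules[prefix] = set(attrs.split("+"))
    return rules


def attrs_for(path: str, rules: Dict[str, Set[str]]) -> Set[str]:
    """Attributes checked for `path`: the longest matching prefix wins
    (assumption: simplified stand-in for AIDE's regex selection)."""
    best = ""
    for prefix in rules:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if len(prefix) > len(best):
                best = prefix
    return set(rules.get(best, ()))


def missing_in_db(path: str, old_conf: str, new_conf: str) -> Set[str]:
    """Attributes the new config wants for `path` that a database built
    under the old config cannot hold. Non-empty means: run aide --init
    (or --update), rename aide.db.new to aide.db, then aide --check."""
    return attrs_for(path, parse_rules(new_conf)) - attrs_for(path, parse_rules(old_conf))


if __name__ == "__main__":
    print(sorted(missing_in_db("/etc/passwd", OLD_CONF, NEW_CONF)))  # ['i', 'm', 'n', 's']
```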