[Aide] Problem understanding aide.conf rules and subsequent AIDE behavior

Randy Brown Randy.Brown at noaa.gov
Mon May 8 14:10:18 EEST 2006


Thanks!  I'll be playing with this more today.  I was not running the 
init or update after making changes.  That makes perfect sense. 

Thanks again for the quick and complete responses. 

Regards,
Randy

Richard van den Berg wrote:
> Randy at work wrote:
>   
>> I did not do an init after making the change. I was changing the file
>> then running a check.  I need to run an init after every change to
>> aide.conf?   Steps as follows:
>>
>> Change aide.conf
>> run aide --init
>> change /etc/passwd (for example)
>> run aide --check
>>     
>
> Actually, the complete set of steps are:
>
> 1. Change aide.conf
> 2. Run aide --init
> 3. Rename aide.db.new to aide.db
> 4. Change /etc/passwd
> 5. Run aide --check
>
> The reason for this is simple. When you first have an aide.conf with just
>
> / p+u+g
>
> Then later on you decide to add
>
> /etc p+i+n+u+g+s+m
>
> If you do not do a new --init then the i+n+s+m attributes for
> /etc/passwd are not in the database. As a result, aide could miss them
> as changed. Although, with my test aide 0.11 did flag the changes in
> this example.
>
> Instead of --init you can also use --update if you already did an --init
> once before. This way you can make sure that you are only updating
> attributes as a result from changes you made to the aide.conf and not
> other changes perhaps made by an intruder.
>
> Sincerely,
>
> Richard van den Berg
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>   
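The ordering discussed in this thread, written as a shell guard. This is an added example, not code from either poster or from the AIDE project: it refuses to run a check when aide.conf is newer than the database, and covers the init and rename steps. The function names, the `AIDE` override variable and the file paths passed as arguments are assumptions; the real database locations come from the database settings in your own aide.conf.

```shell
#!/bin/sh
# Added example: guard for the aide.conf -> --init -> rename -> --check order.
# aide.db / aide.db.new follow the names used in the thread; pass the paths
# that your own aide.conf actually uses.
AIDE="${AIDE:-aide}"   # assumption: aide is on PATH; override for testing

# Return 0 if the baseline is stale: database missing, or aide.conf was
# modified after the database was last written (mtime heuristic only).
aide_baseline_stale() {
    conf=$1; db=$2
    [ -f "$db" ] || return 0
    [ "$conf" -nt "$db" ]
}

# Step 3: rename aide.db.new to aide.db, refusing an empty or missing file.
aide_promote_db() {
    new=$1; db=$2
    [ -s "$new" ] || { echo "no new database at $new" >&2; return 1; }
    mv -f "$new" "$db"
}

# Steps 2-3: rebuild the baseline after a rule change.
aide_rebaseline() {
    conf=$1; db=$2; new=$3
    "$AIDE" --config="$conf" --init || return 1
    aide_promote_db "$new" "$db"
}

# Step 5: only check against a baseline built with the current rules.
aide_safe_check() {
    conf=$1; db=$2
    if aide_baseline_stale "$conf" "$db"; then
        echo "aide.conf is newer than $db: run --init (or --update) first" >&2
        return 2
    fi
    "$AIDE" --config="$conf" --check
}
```

The staleness test only compares modification times, so it catches a forgotten re-init after an edit but says nothing about who made the edit; review the aide.conf change itself before rebuilding the baseline.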