[Aide] aide 0.11 is generating a VERY large database.

Marc Haber mh+aide at zugschlus.de
Thu Nov 9 19:44:09 EET 2006


On Thu, Nov 09, 2006 at 02:28:09PM +0000, Adam Funk wrote:
> I recall having the same problem in Debian earlier this year, but
> temporarily resolved it by downgrading back to 0.10 since I was
> planning to get Ubuntu anyway.  But I'd like to sort this out
> properly.
> 
> I suppose the problem is that the new config files pick up too much
> stuff?  Can anyone tell me where or how to get a sensible
> configuration for aide 0.11?

Kindly read the docs that came with your package.

aide (0.11a-3) unstable; urgency=low

    Starting with aide 0.11a-2, aide's default configuration has been
    changed. Previously, AIDE did only superficial checks of the
    static parts of the file system. Now, the entire file system is
    included, and the changing parts of the file system are excluded
    from the check. We are changing from a "forbid all possibly
    dangerous changes" stance to an "allow only changes that we know
    are harmless" stance.

    Please note that this might significantly increase aide's
    execution times as we now check the whole file system by default.
    On systems with big, changing file systems (like shell servers or
    big ftp or web servers), you might want to exclude parts of the
    file system to bring execution times down to an acceptable level.
    This is not done in the default configuration since AIDE aims for
    maximum security by default, and big data directories are a
    preferred target for crackers to place their root kit binaries. An
    example rule file to exclude home directories of users with uid >=
    1000 is included in the package and might be put into use at the
    local admin's discretion.

    To allow better updateability, a split configuration scheme has
    been introduced with aide 0.10-5, which is now being put into use
    for the default configuration. /etc/aide.conf is reduced to
    default definitions, while the real work is being done in the
    configuration snippets in /etc/aide/aide.conf.d.

    The contents of /etc/aide/aide.conf.d has already been split to
    reflect which package contains the files that change too
    frequently to be part of a regular check. This allows moving these
    configuration snippets into the respective packages at a later
    time.

    You might want to accept all conffile changes that are offered
    with this update, or otherwise your AIDE will most probably stop
    working.

    The new rule sets in 0.11a-2 have been extensively tested on my
    productive systems. However, since my productive systems are all
    reasonably similar, the new rule sets may not be fully suitable
    for other people's systems. Please do not hesitate to file bugs
    against aide if your AIDE reports include excessive changes that
    should not be flagged as such. Don't forget to include
    configuration and report snippets that might help in devising the
    new rules. These bugs will be usertagged in the BTS with
    "2006-04-configuration" for aide at packages.debian.org.
    Chances are that you don't have all packages installed that are
    taken care of by AIDE's default configuration. That way, you might
    end up excluding more parts of the namespace than you would need
    for your system, but the AIDE protection is still working on a
    broader basis than it did with the old configuration. If you are
    paranoid, you might want to either delete the config snippets you
    don't use (ucf should notice that and not re-install the files on
    update) or create your own conf.d directory (like
    /etc/aide/aide.conf.local.d), symlink the snippets you want in
    there and point aide towards the new conf.d directory by setting
    UPAC_CONFD in /etc/default/aide. This last option is the way I
    have chosen for my personal systems.

    Package maintainers, if you intend to deliver your own aide.conf.d
    snippet in your package, please put your package name after the
    number (31_aide_foo => 31_foo_something) to avoid a namespace
    clash and file a bug against aide to indicate that aide can remove
    its config snippet. It does not hurt to have both installed, so
    there is no need to coordinate.

    The source package can optionally build a package aide-config-zg2,
    which contains rules that are probably only suitable on my
    systems. Of course, building of aide-config-zg2 is disabled by
    default.


Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
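Added example, not from the aide package or from Marc's mail: a POSIX shell helper that generates an AIDE exclude snippet for the home directories of accounts with uid >= 1000 (the case the changelog's packaged example rule file covers), fed from a constructed passwd-style sample. The snippet file name and the exact `!regex` exclude lines are assumptions about AIDE's selection syntax.

```sh
#!/bin/sh
# Added example; not the Debian aide package's own rule file.
# Reads passwd-format lines on stdin and prints an AIDE exclude rule
# for every account with uid >= MIN_UID whose home lies under /home.
# Usage: gen_home_excludes [MIN_UID] < /etc/passwd
gen_home_excludes() {
    min_uid="${1:-1000}"
    awk -F: -v min="$min_uid" '
        $3 >= min && $6 ~ /^\/home\// {
            path = $6
            # Escape regex metacharacters in the directory name, since
            # AIDE selection lines are regular expressions.
            gsub(/[.+*?(){}|^$\\]/, "\\\\&", path)
            # Anchor the end so /home/bob does not also swallow
            # /home/bobby; one rule for the directory, one for its tree.
            print "!" path "$"
            print "!" path "/"
        }'
}

# Constructed sample input (not a real system's passwd file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob.smith:x:1001:1001:Bob:/home/bob.smith:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Print the snippet; on a real host redirect it into a conf.d file,
# e.g. /etc/aide/aide.conf.d/99_local_home (assumed name, following
# the number_name convention the changelog describes).
printf '%s\n' "$SAMPLE_PASSWD" | gen_home_excludes
```

The generated snippet only excludes user homes; system directories such as /root stay under the default full-filesystem check, which is the trade-off the changelog argues for.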