[Aide] aide 0.11 is generating a VERY large database.

Bob Proulx bob at proulx.com
Thu Nov 23 23:01:44 EET 2006


Adam Funk wrote:
> On the machine still running 0.10-11, the database is 1.7MB
> compressed, with 37049 files.  The daily run takes 2 minutes.
> 
> On the machine running aide 0.11a-4, I'm now down to a 97MB
> uncompressed database, with 327313 files (according to aide.log).  The
> daily run takes 44 minutes.

You must be scanning a lot more files with the new version.

> I'm not bothered about the disk space, and I'm getting the numbers of
> daily added, removed and changed files down a bit --- but do those
> figures seem highly abnormal to you?

Abnormal?  That depends.  If it is scanning the files I want it to
scan then no.  But if it is not, and in your case it seems that you
don't want it to scan as many files, then for you the answer seems to
be yes.

Examine the list of files that it is scanning.  Are there files there
that are in the new version that are not in the old version?  Do you
want to trim those down?  Add them to the exclude list.

What does this say?

  grep -c '^/' /var/lib/aide/aide.db

Look at the list of files that are being scanned.  I find it easier to
trim off the extra stuff of the database and look just at the list of
filenames.

  awk '{print $1}' /var/lib/aide/aide.db | less

Every file will take up a certain amount of time to scan.  If you are
scanning more files now than before that would explain why it is
taking longer with a bigger database.  Look the list over from both
versions and see which are which.  If you still have the old database
available then you can compare them and see which files are the same
or different in each.

  awk '{print $1}' aide.db.old | sort > /tmp/filelist.old
  awk '{print $1}' aide.db.new | sort > /tmp/filelist.new
  comm /tmp/filelist.old /tmp/filelist.new | less

Note that the files must be sorted for comm to be able to compare them.

> Also, is it inadvisable to exclude /tmp/ and /var/log/ from aide since
> they have a lot of files that change every day anyway?

I exclude those.  I also exclude other files.

  !/home
  !/root/.bash_history$
  !/root/.htoprc$
  !/tmp
  !/usr/local
  !/usr/share/doc
  !/var/cache
  !/var/lib
  !/var/lock
  !/var/mail
  !/var/run
  !/var/spool
  !/var/tmp

Bob
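As an added example, not code from Bob's message, the following POSIX sh script carries out the old/new database comparison the reply describes (grep for entry lines, awk for the path column, sort, then comm) and labels each path as added or removed. The two database files it writes are constructed samples in a simplified AIDE text layout; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original message: compare the path lists of an
# old and a new AIDE database with grep/awk/sort/comm and print which paths
# were added or removed. The databases below are constructed samples.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Sorted path list: data lines start with "/", which skips the @@begin_db,
# "#" comment and @@db_spec header lines; column 1 is the path.
aide_paths() {
    grep '^/' "$1" | awk '{print $1}' | sort
}

# Number of file entries (the grep -c from the reply).
aide_count() {
    grep -c '^/' "$1"
}

# Paths only in OLD ($1) print as "- path", paths only in NEW ($2) as "+ path".
# comm needs both inputs sorted, which aide_paths guarantees.
aide_diff() {
    old_list=$(mktemp); new_list=$(mktemp)
    aide_paths "$1" > "$old_list"
    aide_paths "$2" > "$new_list"
    comm -3 "$old_list" "$new_list" |
        awk -F'\t' '$1 == "" { print "+ " $2; next } { print "- " $1 }'
    rm -f "$old_list" "$new_list"
}

# Constructed sample databases; only the 0.11 one has /tmp and /var/log entries.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
OLD_DB="$WORK/aide.db.old"; NEW_DB="$WORK/aide.db.new"
cat > "$OLD_DB" <<'EOF'
@@begin_db
# This file was generated by Aide, version 0.10 (constructed sample)
@@db_spec name lname attr perm inode uid gid size mtime ctime md5
/bin/ls 0 33 33261 200 0 0 90000 1164000000 1164000000 CCCC
/etc/passwd 0 33 33188 100 0 0 1234 1164000000 1164000000 AAAA
@@end_db
EOF
cat > "$NEW_DB" <<'EOF'
@@begin_db
# This file was generated by Aide, version 0.11 (constructed sample)
@@db_spec name lname attr perm inode uid gid size mtime ctime md5
/etc/passwd 0 33 33188 100 0 0 1234 1164000000 1164000000 AAAA
/tmp/scratch 0 33 33188 400 0 0 10 1164000000 1164000000 GGGG
/var/log/syslog 0 33 33188 300 0 0 5000 1164000000 1164000000 EEEE
@@end_db
EOF
echo "old: $(aide_count "$OLD_DB") entries, new: $(aide_count "$NEW_DB") entries"
aide_diff "$OLD_DB" "$NEW_DB"   # prints "- /bin/ls", "+ /tmp/scratch", "+ /var/log/syslog"
```

Run it against real databases by calling aide_diff with the old and new aide.db paths in place of the samples; the "+" lines are candidates for the exclude list.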