[Aide] Certain directories always reported

John Horne john.horne at plymouth.ac.uk
Fri Apr 13 16:46:51 EEST 2007 

Hello,

I have installed AIDE on to my FC6 PC. I used the Fedora Extras RPM
which is version 0.12.

I have a script running once per hour (via /etc/cron.hourly) which calls
aide. The aide.conf should detect any changes within, for example,
the /bin and /usr/bin directories. However, I am finding that certain
directories are always being marked as having changed. Part of the log
file shows:

=============================================
AIDE found differences between database and filesystem!!
Start timestamp: 2007-04-13 14:02:26

Summary:
  Total number of files:        1050
  Added files:                  0
  Removed files:                0
  Changed files:                4


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /usr/sbin
changed: /usr/bin
changed: /sbin
changed: /bin

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
           

Directory: /usr/bin
  Mtime    : 2007-04-13 13:01:18               , 2007-04-13
14:01:18            
  Ctime    : 2007-04-13 13:01:18               , 2007-04-13 14:01:18


Directory: /sbin
  Mtime    : 2007-04-13 13:01:16               , 2007-04-13 14:01:16

  Ctime    : 2007-04-13 13:01:16               , 2007-04-13 14:01:16
=============================================


Similar changes are found for the /bin and /usr/sbin directories.
However, even if I remove the old database and re-initialise it. When
the script next runs it will report the directories as having changed.

The aide.conf contains:

=============================================
=/bin$                  DIR-c
/bin$                   NORMAL
=/usr/bin$              DIR-c
/usr/bin$               NORMAL
=/sbin$                 DIR-c
/sbin$                  NORMAL
=/usr/sbin$             DIR-c
/usr/sbin$              NORMAL
=============================================

Obviously, the above is only the relevant parts. The group definitions
are:

  NORMAL = R+b-md5+sha1+tiger
  DIR = L+c

'R' and 'L' are the supplied defaults. Since the directories themselves
equate to just 'L', and the definition of 'L' does not include the
mtime/ctime, I am at a loss as to why these are always being reported as
changing and why their value seems to coincide with the time when the
hourly script runs.

Anyone have any ideas about this?


Thanks,

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: John.Horne at plymouth.ac.uk       Fax: +44 (0)1752 233839

More information about the Aide mailing list