[Aide] aide.conf rule ordering

Rami Lehti Rami.Lehti at Sun.COM
Tue Dec 18 13:53:17 EET 2007 

You are correct.
You should however use more exact rules when matching specific 
filenames. Notice the escaped . and the $

For example:
/etc/init\.d/ifupdown$ u
/etc/init\.d/ifupdown-clean$ u+g+p+md5

This is especially true with exclusion rules.
For example:
!/some/annoying_file_that_keeps_changing

will make sure that you don't find the root kit lurking in
/some/annoying_file_that_keeps_changing_9378634/

Good Yule everyone!

Rami


Sonixxfx wrote:
> Thanks Richard.
> 
> This makes it more clear.
> 
> So if I understand it right, in the following example the first rule
> is used for both /etc/init.d/ifupdown and /etc/init.d/ifupdown-clean,
> and the second rule is not used at all. Am I right?
> 
> 
> /etc/init.d/ifupdown u
> /etc/init.d/ifupdown-clean u+g+p+md5
> 
> 
> Ben
> 
> 
> 
> 2007/12/18, Richard van den Berg <richard at vdberg.org>:
>> Sonixxfx wrote:
>>> Hi,
>>>
>>> I am trying to understand how aide handles rules. I have read the
>>> documentation, but I still don't understand it.
>>>
>>> Can someone tell me why the ordering of the rules in aide.conf matter,
>>> and maybe give an example (or some ;)) to clarify it?
>>>
>> It's all in the manual in the section "Understanding AIDE rule matching":
>>
>> Aide uses a deepest-match algorithm to find the tree node to search, but
>> a first-match algorithm inside the node.
>>
>> You can think of a node in the search tree as a directory. So aide will
>> find the deepest directory that has rules defined for it to search for a
>> match, but from all rules defined on that level (inside that specific
>> directory) it takes the first rule that matches.
>>
>> If this is unclear to you, please ask more specific questions and maybe
>> give an example (or some) of things you have tried but do not understand.
>>
>> Sincerely,
>>
>> Richard van den Berg
>>
>> _______________________________________________
>> Aide mailing list
>> Aide at cs.tut.fi
>> https://mailman.cs.tut.fi/mailman/listinfo/aide
>>
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide

More information about the Aide mailing list