[Aide] aide.conf rule ordering

Sonixxfx sonixxfx at gmail.com
Wed Dec 19 16:31:48 EET 2007


Thanks Rami :)

2007/12/18, Rami Lehti <Rami.Lehti at sun.com>:
> You are correct.
> You should however use more exact rules when matching specific
> filenames. Notice the escaped . and the $
>
> For example:
> /etc/init\.d/ifupdown$ u
> /etc/init\.d/ifupdown-clean$ u+g+p+md5
>
> This is especially true with exclusion rules.
> For example:
> !/some/annoying_file_that_keeps_changing
>
> will make sure that you don't find the root kit lurking in
> /some/annoying_file_that_keeps_changing_9378634/
>
> Good Yule everyone!
>
> Rami
>
>
> Sonixxfx wrote:
> > Thanks Richard.
> >
> > This makes it more clear.
> >
> > So if I understand it right, in the following example the first rule
> > is used for both /etc/init.d/ifupdown and /etc/init.d/ifupdown-clean,
> > and the second rule is not used at all. Am I right?
> >
> >
> > /etc/init.d/ifupdown u
> > /etc/init.d/ifupdown-clean u+g+p+md5
> >
> >
> > Ben
> >
> >
> >
> > 2007/12/18, Richard van den Berg <richard at vdberg.org>:
> >> Sonixxfx wrote:
> >>> Hi,
> >>>
> >>> I am trying to understand how aide handles rules. I have read the
> >>> documentation, but I still don't understand it.
> >>>
> >>> Can someone tell me why the ordering of the rules in aide.conf matters,
> >>> and maybe give an example (or some ;)) to clarify it?
> >>>
> >> It's all in the manual in the section "Understanding AIDE rule matching":
> >>
> >> Aide uses a deepest-match algorithm to find the tree node to search, but
> >> a first-match algorithm inside the node.
> >>
> >> You can think of a node in the search tree as a directory. So aide will
> >> find the deepest directory that has rules defined for it to search for a
> >> match, but from all rules defined on that level (inside that specific
> >> directory) it takes the first rule that matches.
> >>
> >> If this is unclear to you, please ask more specific questions and maybe
> >> give an example (or some) of things you have tried but do not understand.
> >>
> >> Sincerely,
> >>
> >> Richard van den Berg
> >>
> >> _______________________________________________
> >> Aide mailing list
> >> Aide at cs.tut.fi
> >> https://mailman.cs.tut.fi/mailman/listinfo/aide
> >>
>
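The "deepest-match node, first-match inside the node" behaviour Richard quotes from the manual, and Rami's point about anchoring with `\.` and `$`, in a small Python model. This is an added example, not AIDE's own code or configuration: the rule sets are constructed from the ones in the thread, and the way a rule is assigned to a tree node (the directory containing the rule's literal, non-regex prefix) is a simplifying assumption about how AIDE builds its tree. What is not an assumption is that AIDE anchors every rule regex at the start of the path only, which is why an unanchored `/etc/init.d/ifupdown` also selects `ifupdown-clean`, and an unanchored exclusion also swallows `.../annoying_file_that_keeps_changing_9378634/`.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed rule sets modelled on the thread. A leading "!" marks an
# exclusion rule, as in aide.conf; the second field is the attribute group.
LOOSE_RULES = [
    ("/etc/init.d/ifupdown", "u"),
    ("/etc/init.d/ifupdown-clean", "u+g+p+md5"),
    ("!/some/annoying_file_that_keeps_changing", ""),
]
STRICT_RULES = [
    (r"/etc/init\.d/ifupdown$", "u"),
    (r"/etc/init\.d/ifupdown-clean$", "u+g+p+md5"),
    (r"!/some/annoying_file_that_keeps_changing$", ""),
]

_REGEX_META = set(".[]()*+?{}|^$\\")


def literal_prefix(pattern: str) -> str:
    """Path text before the first regex metacharacter (a backslash counts)."""
    out = []
    for ch in pattern:
        if ch in _REGEX_META:
            break
        out.append(ch)
    return "".join(out)


def node_for(pattern: str) -> str:
    """Assumed tree node for a rule: the directory holding its literal prefix."""
    prefix = literal_prefix(pattern.lstrip("!"))
    return os.path.dirname(prefix) or "/"


def build_tree(rules: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str, bool]]]:
    """Group rules by node, keeping aide.conf order inside each node."""
    tree: Dict[str, List[Tuple[str, str, bool]]] = {}
    for pattern, attrs in rules:
        exclude = pattern.startswith("!")
        # AIDE anchors a rule at the start of the path; the end is only
        # anchored if the rule itself ends in "$".
        regex = "^" + pattern.lstrip("!")
        tree.setdefault(node_for(pattern), []).append((regex, attrs, exclude))
    return tree


def select_rule(rules: List[Tuple[str, str]], path: str) -> Optional[str]:
    """Return the attribute group selecting `path`, "EXCLUDED", or None."""
    tree = build_tree(rules)
    # Deepest match: walk from the file's own directory up towards "/"
    # until a directory that has rules defined for it is found.
    node = os.path.dirname(path) or "/"
    while node not in tree:
        if node == "/":
            return None
        node = os.path.dirname(node) or "/"
    # First match inside that node, in aide.conf order.
    for regex, attrs, exclude in tree[node]:
        if re.match(regex, path):
            return "EXCLUDED" if exclude else attrs
    return None


if __name__ == "__main__":
    for rules, name in ((LOOSE_RULES, "loose"), (STRICT_RULES, "strict")):
        for p in ("/etc/init.d/ifupdown", "/etc/init.d/ifupdown-clean",
                  "/some/annoying_file_that_keeps_changing",
                  "/some/annoying_file_that_keeps_changing_9378634/rootkit.so"):
            print(f"{name:6} {p:62} -> {select_rule(rules, p)}")
```

With the loose rules, `ifupdown-clean` gets only `u`, because the first rule in the `/etc` node already matches its prefix and the second rule is never consulted, exactly the situation Ben asked about. With the strict rules each file gets its own attribute group, and a path under `annoying_file_that_keeps_changing_9378634/` matches no rule at all instead of being silently excluded. The unescaped `.` in the loose rules is also a real wildcard: `/etc/initXd/ifupdown` is selected by them as well.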

