[Aide] aide.conf rule ordering

Sonixxfx sonixxfx at gmail.com
Thu Dec 20 12:15:28 EET 2007


Is it true that with a rule like this one:

/var/lib$ u+g

no recursion occurs, and that adding = will not influence the rule?

like this:

=/var/lib$ u+g


Thanks.

Ben


2007/12/19, Sonixxfx <sonixxfx at gmail.com>:
> Thanks Rami :)
>
> 2007/12/18, Rami Lehti <Rami.Lehti at sun.com>:
> > You are correct.
> > You should however use more exact rules when matching specific
> > filenames. Notice the escaped . and the $
> >
> > For example:
> > /etc/init\.d/ifupdown$ u
> > /etc/init\.d/ifupdown-clean$ u+g+p+md5
> >
> > This is especially true with exclusion rules.
> > For example:
> > !/some/annoying_file_that_keeps_changing
> >
> > will make sure that you don't find the root kit lurking in
> > /some/annoying_file_that_keeps_changing_9378634/
> >
> > Good Yule everyone!
> >
> > Rami
> >
> >
> > Sonixxfx wrote:
> > > Thanks Richard.
> > >
> > > This makes it more clear.
> > >
> > > So if I understand it right, in the following example the first rule
> > > is used for both /etc/init.d/ifupdown and /etc/init.d/ifupdown-clean,
> > > and the second rule is not used at all. Am I right?
> > >
> > >
> > > /etc/init.d/ifupdown u
> > > /etc/init.d/ifupdown-clean u+g+p+md5
> > >
> > >
> > > Ben
> > >
> > >
> > >
> > > 2007/12/18, Richard van den Berg <richard at vdberg.org>:
> > >> Sonixxfx wrote:
> > >>> Hi,
> > >>>
> > >>> I am trying to understand how aide handles rules. I have read the
> > >>> documentation, but I still don't understand it.
> > >>>
> > >>> Can someone tell me why the ordering of the rules in aide.conf matters,
> > >>> and maybe give an example (or some ;)) to clarify it?
> > >>>
> > >> It's all in the manual in the section "Understanding AIDE rule matching":
> > >>
> > >> Aide uses a deepest-match algorithm to find the tree node to search, but
> > >> a first-match algorithm inside the node.
> > >>
> > >> You can think of a node in the search tree as a directory. So aide will
> > >> find the deepest directory that has rules defined for it to search for a
> > >> match, but from all rules defined on that level (inside that specific
> > >> directory) it takes the first rule that matches.
> > >>
> > >> If this is unclear to you, please ask more specific questions and maybe
> > >> give an example (or some) of things you have tried but do not understand.
> > >>
> > >> Sincerely,
> > >>
> > >> Richard van den Berg
> > >>
> > >> _______________________________________________
> > >> Aide mailing list
> > >> Aide at cs.tut.fi
> > >> https://mailman.cs.tut.fi/mailman/listinfo/aide
> > >>
> >
>
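The matching behaviour Richard and Rami describe, modelled in Python as an added example (this is not AIDE's own code): a simplified "deepest directory node, then first rule in config order" matcher with start-anchored regexes, run over the thread's loose and anchored rule pairs and its exclusion rule. The way a rule is assigned to a node (directory part of its literal prefix) is an assumption of this model, not a statement about AIDE's implementation.

```python
import os
import re

# Constructed aide.conf fragments taken from the thread: Ben's loose rules
# and Rami's anchored versions. Each entry is (regex, attribute group).
LOOSE_RULES = [
    ("/etc/init.d/ifupdown", "u"),
    ("/etc/init.d/ifupdown-clean", "u+g+p+md5"),
]
ANCHORED_RULES = [
    (r"/etc/init\.d/ifupdown$", "u"),
    (r"/etc/init\.d/ifupdown-clean$", "u+g+p+md5"),
]

_META = set(".*?+[](){}|^$\\")


def node_of(regex: str) -> str:
    """Assumed model: a rule lives in the directory node given by the
    directory part of its literal prefix (text before the first regex
    metacharacter). Both rules of each pair above land in /etc."""
    literal = ""
    for ch in regex:
        if ch in _META:
            break
        literal += ch
    return os.path.dirname(literal) if literal else "/"


def match(path: str, rules):
    """Deepest node whose directory contains the path, then the first rule
    in config order at that node whose regex matches. re.match anchors at
    the start only, so an unanchored rule also matches longer names."""
    nodes = {}
    for regex, group in rules:
        nodes.setdefault(node_of(regex), []).append((regex, group))
    hits = [n for n in nodes if path == n or path.startswith(n.rstrip("/") + "/")]
    if not hits:
        return None
    for regex, group in nodes[max(hits, key=len)]:
        if re.match(regex, path):
            return regex, group
    return None


def is_excluded(path: str, negative_rule: str) -> bool:
    """A '!' rule excludes every path its start-anchored regex matches."""
    return re.match(negative_rule[1:], path) is not None
```

With the loose pair, `/etc/init.d/ifupdown-clean` is handled by the first rule and the md5 rule is never reached; with the anchored pair each file gets its own rule, and the unanchored exclusion also swallows `/some/annoying_file_that_keeps_changing_9378634/`.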

