[Aide] aide 0.11 is generating a VERY large database.

Adam Funk a24061 at yahoo.com
Mon Feb 5 16:16:15 EET 2007


On 2007-02-05, Marc Haber wrote:

> On Mon, Feb 05, 2007 at 10:48:02AM +0000, Adam Funk wrote:
>> Would you also be surprised if I said that my daily report (without
>> some of the more radical exclusions such as "!/var/log") *always*
>> contained several dozen changed files?
>
> Yes, this is expected since you probably use different packages than I
> do. I would appreciate if you could write rules for them and submit
> them.

OK, I'll try!


>>   Would you consider that normal on your systems?
>
> No, a normal report should be empty: "All files match AIDE database".
>
> I have not yet solved the challenge of logs that were rotated.

That's the main issue that was bugging me.  The recurring daily
changes usually included (for example):

  /var/log/exim4/mainlog
  /var/log/exim4/mainlog.1
  /var/log/exim4/mainlog.2.gz
  /var/log/exim4/mainlog.3.gz

purely because of log rotation.  In /etc/aide.conf I find the rule
definition

  RotatedLogs   = Full+I

which (I think) expands to cover almost all the properties, although
I don't know what "I" means.  Perhaps a rule for permissions and
ownership only would be appropriate?  That way the log files and their
directories would be catalogued in the database so any additional
(suspect) files would show up in the report, but the routine daily
changes wouldn't.  What do you think?
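As an added illustration (not from the original post or from the AIDE project), here is an aide.conf fragment that implements the "permissions and ownership only" idea for the exim4 logs discussed above. The rule name `LogOwnership` and the exact path patterns are assumptions; the attribute letters `p`, `u` and `g` are the ones aide.conf(5) defines for permissions, owner and group.

```conf
# Added example, not part of the original mailing-list post or of AIDE's
# shipped configuration. Rule name and path patterns are illustrative.

# Attribute letters as defined in aide.conf(5):
#   p = permissions, u = owner (uid), g = group (gid)
# No size, mtime or checksum attributes are included, so ordinary log
# growth and daily rotation (mainlog -> mainlog.1 -> mainlog.2.gz ...)
# do not produce a changed-file entry, while a chmod/chown does.
LogOwnership = p+u+g

# The directory entry itself (regex is anchored at the start by AIDE;
# the trailing $ stops it matching the files below it).
/var/log/exim4$ LogOwnership

# Every file under the directory: the live log, the rotated members,
# and anything else that appears there.
/var/log/exim4/.* LogOwnership
```

Because every path under /var/log/exim4 is still selected by a rule, AIDE keeps those entries in its database, so a file that is added to or removed from the directory is reported as added/removed regardless of how few attributes the rule checks; that is what surfaces an unexpected file. One caveat: the rotated set itself only settles once rotation has reached its steady state (the same fixed list of .1, .2.gz, .3.gz ... names each day), so the first reports after changing the rotation count will still list added and removed members.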


