[Aide] aide 0.11 is generating a VERY large database.

Bob Hutchinson hutchlists at midwales.com
Mon Feb 5 17:34:54 EET 2007


On Monday 05 February 2007 12:23, Marc Haber wrote:
> On Mon, Feb 05, 2007 at 10:48:02AM +0000, Adam Funk wrote:
> > Would you also be surprised if I said that my daily report (without
> > some of the more radical exclusions such as "!/var/log") *always*
> > contained several dozen changed files?
>
> Yes, this is expected since you probably use different packages than I
> do. I would appreciate if you could write rules for them and submit
> them.
>
> >   Would you consider that normal on your systems?
>
> No, a normal report should be empty: "All files match AIDE database".
>
> I have not yet solved the challenge of logs that were rotated.

I use rules like this:

!/var/log/messages(\.[0-9])?(\.gz)?
!/var/log/mail\.(log|error|info|warn)(\.[0-9])?(\.gz)?
!/var/log/kern\.log(\.[0-9])?(\.gz)?

and so on, one for each log.
This is on Debian Sarge, using aide version 0.10-6.1sa (Debian package).

Probably quite old, but it works well and only takes a few minutes to run,
making running it hourly viable.
Daily is not often enough for my taste; I need to know ASAP if someone has
hacked their way in. :|

HTH
-- 
-----------------
Bob Hutchinson
Midwales dot com
-----------------
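The following is an added example, not part of Bob's post or of the AIDE project: a small POSIX sh script that generates rotated-log exclusion rules in the style of the ones above and checks candidate paths against them the way AIDE does (POSIX extended regex, implicitly anchored at the start of the path). Two adjustments relative to the hand-written rules are made deliberately: the dots in log names are escaped so that "kern.log" cannot match "kernXlog", and "$" is appended so that a rule for "messages" does not silently swallow every other entry that merely starts with "/var/log/messages". The list of log names is constructed for the example; matching is approximated with grep -E rather than by running aide itself, so the script runs offline. Note that "!" rules exclude the logs entirely, so neither appends nor truncation of those files will ever appear in a report.

```shell
#!/bin/sh
# Added example: generate AIDE-style "!" (exclude) rules for rotated logs
# and test paths against them with AIDE's matching semantics (ERE, anchored
# at the start of the path). Not code from the original post.

# Constructed list of log base names; logrotate produces NAME.N and NAME.N.gz.
LOGS="messages kern.log auth.log mail.log mail.err mail.info mail.warn"

# Escape the dots in a literal log name so "." matches only a dot.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Emit one exclude rule per log, covering NAME, NAME.N and NAME.N.gz.
# The trailing "$" keeps the rule from matching unrelated longer paths.
render_rules() {
    for log in $LOGS; do
        printf '!/var/log/%s(\\.[0-9]+)?(\\.gz)?$\n' "$(re_escape "$log")"
    done
}

# Return 0 if PATH is excluded by at least one rule, 1 otherwise.
# AIDE matches each rule regex against the full path with a leading "^".
is_excluded() {
    path=$1
    for rule in $(render_rules); do
        regex=${rule#!}
        printf '%s\n' "$path" | grep -Eq "^$regex" && return 0
    done
    return 1
}

# Stand-alone run: print the rules, then classify a few constructed paths.
render_rules
for p in /var/log/messages.1.gz /var/log/kern.log /var/log/auth.log.old \
         /var/log/messagesX /var/log/syslog; do
    if is_excluded "$p"; then
        echo "excluded: $p"
    else
        echo "checked:  $p"
    fi
done
```

The generated lines can be pasted straight into aide.conf (or a conf.d snippet on Debian) in place of the hand-written ones; running the script first shows exactly which paths a rule will hide from the report before the database is rebuilt.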

