[Aide] aide 0.11 is generating a VERY large database.

Marc Haber mh+aide at zugschlus.de
Mon Feb 5 18:00:49 EET 2007


On Mon, Feb 05, 2007 at 02:16:15PM +0000, Adam Funk wrote:
> On 2007-02-05, Marc Haber wrote:
> > I have not yet solved the challenge of logs that were rotated.
> 
> That's the main issue that was bugging me.  The recurring daily
> changes usually included (for example):
> 
>   /var/log/exim4/mainlog
>   /var/log/exim4/mainlog.1
>   /var/log/exim4/mainlog.2.gz
>   /var/log/exim4/mainlog.3.gz
> 
> purely because of log rotation.  In /etc/aide.conf I find the rule
> definition
> 
>   RotatedLogs   = Full+I

I means, according to man aide.conf, "ignore changed filename".

The normal Log rules do the following:

As long as logs are not rotated, aide does not report anything. When
logs are first rotated, aide reports a size change in mainlog, 
"everything changed" in mainlog.1, and "New" for mainlog.2.gz. When
one now updates the aide database, everything is fine again.

The "New" entry eventually vanishes when logrotate starts deleting old
logs.

I am currently unsure about how to solve this; any more relaxed rule
would allow an attacker to place her root kit into the log directory.
And it is kind of beyond aide's scope to notice that mainlog.1 is the
same file with its contents compressed to mainlog.2.gz.

On my systems, I have log rotation configured to be triggered by size,
not by date, which allows logs to stay unrotated for a couple of days,
after which I visit the system and update the aide database.

I'll probably move the log rules to configurable scripted rules where
the local admin can choose whether to exclude logs completely in some
later versions of the aide package.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
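The rotation chain described above (mainlog shrinks, mainlog.1 "changes entirely", mainlog.2.gz shows up as "New") can be checked against the previous snapshot outside of aide: each rotated generation should hash like the generation that preceded it in the last database run, decompressed where logrotate gzipped it. The script below is an added example, not code from aide or from anyone on this thread. It assumes the admin kept plain sha256 digests from the previous snapshot (aide's own database format is not parsed here) and builds constructed sample files in a temporary directory, including one file that rotation does not explain.

```python
"""Decide which post-rotation aide findings are explained by log rotation.

Added example, not part of aide. Model: the previous snapshot recorded
sha256 digests of mainlog and mainlog.1. After rotation, mainlog.1 must
hash like the old mainlog, mainlog.2.gz must decompress to the old
mainlog.1, and so on. Anything that breaks the chain is left for the
admin to look at, which is what aide's "New"/"changed" report should
really be drawing attention to.
"""
import gzip
import hashlib
import os
import re
import tempfile


def sha256_of(path, decompress=False):
    """Hash a file, optionally through gunzip, in chunks."""
    opener = gzip.open if decompress else open
    h = hashlib.sha256()
    with opener(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def explain_rotation(logdir, base, recorded):
    """recorded maps file name -> sha256 from the previous snapshot.

    Returns (explained, unexplained): rotated generations whose content is
    the predecessor generation from the snapshot, and those that are not.
    The live log itself is skipped: a size change there is expected and
    nothing in the old snapshot can vouch for its new content.
    """
    explained, unexplained = [], []
    gen = re.compile(re.escape(base) + r"\.(\d+)(\.gz)?$")
    for name in sorted(os.listdir(logdir)):
        m = gen.match(name)
        if not m:
            continue
        n, gz = int(m.group(1)), bool(m.group(2))
        path = os.path.join(logdir, name)
        prev = base if n == 1 else f"{base}.{n - 1}"
        if gz and prev + ".gz" in recorded:
            # predecessor was already compressed: a plain rename, hash as-is
            ok = sha256_of(path) == recorded[prev + ".gz"]
        elif prev in recorded:
            # predecessor was plain; logrotate may have compressed it this round
            ok = sha256_of(path, decompress=gz) == recorded[prev]
        else:
            ok = False  # no predecessor in the snapshot: not rotation
        (explained if ok else unexplained).append(name)
    return explained, unexplained


def build_demo():
    """Constructed sample: snapshot digests, then one rotation plus a stray file."""
    d = tempfile.mkdtemp()
    base = "mainlog"
    old = {base: b"line1\nline2\n", f"{base}.1": b"older1\nolder2\n"}
    recorded = {n: hashlib.sha256(c).hexdigest() for n, c in old.items()}
    # rotation: mainlog -> mainlog.1 (plain), mainlog.1 -> mainlog.2.gz, fresh mainlog
    with open(os.path.join(d, base), "wb") as f:
        f.write(b"fresh\n")
    with open(os.path.join(d, base + ".1"), "wb") as f:
        f.write(old[base])
    with gzip.open(os.path.join(d, base + ".2.gz"), "wb") as f:
        f.write(old[f"{base}.1"])
    # a generation that never existed in the snapshot: rotation cannot explain it
    with gzip.open(os.path.join(d, base + ".3.gz"), "wb") as f:
        f.write(b"unexpected\n")
    return d, base, recorded


if __name__ == "__main__":
    logdir, base, recorded = build_demo()
    ok, bad = explain_rotation(logdir, base, recorded)
    print("explained by rotation:", ok)
    print("needs a look:", bad)
```

In practice the digests would come from whatever checksum the previous snapshot stored; the point is only that the check runs on the predecessor chain rather than on the file names, which is exactly what a Full+I rule cannot express.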

