[Aide] aide 0.11 is generating a VERY large database.

Adam Funk a24061 at yahoo.com
Tue Feb 13 22:05:51 EET 2007


On 2007-02-05, Marc Haber wrote:

>>   RotatedLogs   = Full+I
>
> I means, according to man aide.conf, "ignore changed filename".
>
> The normal Log rules do the following:
>
> As long as logs are not rotated, aide does not report anything. When
> logs are first rotated, aide reports a size change in mainlog, 
> "everything changed" in mainlog.1, and "New" for mainlog.2.gz. When
> one now updates the aide database, everything is fine again.
>
> The "New" entry eventually vanishes when logrotate starts deleting old
> logs.
>
> I am currently unsure about how to solve this; any more relaxed rule
> would allow an attacker to place her root kit into the log directory.
> And it is kind of beyond aide's scope to notice that mainlog.1 is the
> same file with its contents compressed to mainlog.2.gz.

Does Full+I correctly handle the rotation of mainlog.2.gz to
mainlog.3.gz?  And is that because the inode is the same, or the
hashes of the contents are the same?  (I thought --- but I could be
wrong again! --- that logrotate changed the inode as well as the
filename.)


> On my systems, I have log rotation configured to be triggered by size,
> not by date, which allows logs to stay unrotated for a couple of days,
> after which I visit the system and update the aide database.

Hmm, not a bad idea --- but that does involve overriding all the
default logrotate configurations, right?
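The inode question raised above can be checked directly in a scratch directory. The script below is an added example, not part of the original thread or of the AIDE project: it reproduces by hand the two steps a default (non-copytruncate) logrotate cycle performs, a rename of mainlog to mainlog.1 and a gzip of mainlog.1 into mainlog.2.gz, and records which of them keeps the inode and which keeps the content. That logrotate really performs these exact steps is an assumption stated in the comments; the sample log content is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from AIDE): simulate the steps of one
# logrotate cycle in a temp directory and report whether the inode and the
# content survive each step. Assumption: logrotate without copytruncate
# renames the log (rename(2)) and compresses old logs with gzip.

# Inode number of a path. ls -di is POSIX; stat's flags differ between
# GNU and BSD, so it is avoided here.
inode_of() {
    ls -di "$1" | awk '{ print $1 }'
}

# Step 1: the rename mainlog -> mainlog.1. mv inside one filesystem is a
# rename, so the inode stays with the file. Prints "same" or "different".
rename_keeps_inode() {
    d=$(mktemp -d) || return 1
    printf 'Feb 13 22:05:51 host sshd[1]: constructed sample line\n' > "$d/mainlog"
    before=$(inode_of "$d/mainlog")
    mv "$d/mainlog" "$d/mainlog.1"
    after=$(inode_of "$d/mainlog.1")
    rm -rf "$d"
    [ "$before" = "$after" ] && echo same || echo different
}

# Step 2: compression mainlog.1 -> mainlog.2.gz. gzip writes a new output
# file and only then unlinks the input, so both exist at once and the
# compressed file necessarily has a different inode. Prints "same" or
# "different".
compress_keeps_inode() {
    d=$(mktemp -d) || return 1
    printf 'Feb 13 22:05:51 host sshd[1]: constructed sample line\n' > "$d/mainlog.1"
    before=$(inode_of "$d/mainlog.1")
    gzip "$d/mainlog.1"                      # produces mainlog.1.gz
    mv "$d/mainlog.1.gz" "$d/mainlog.2.gz"   # the name logrotate would use
    after=$(inode_of "$d/mainlog.2.gz")
    rm -rf "$d"
    [ "$before" = "$after" ] && echo same || echo different
}

# Content after step 2: the bytes are unchanged once decompressed, but a
# checker that hashes the file as stored on disk sees the gzip stream, not
# the original text. Prints "same" if the decompressed checksum matches.
compress_keeps_content() {
    d=$(mktemp -d) || return 1
    printf 'Feb 13 22:05:51 host sshd[1]: constructed sample line\n' > "$d/mainlog.1"
    before=$(cksum < "$d/mainlog.1")
    gzip "$d/mainlog.1"
    after=$(gzip -dc "$d/mainlog.1.gz" | cksum)
    rm -rf "$d"
    [ "$before" = "$after" ] && echo same || echo different
}

# Stand-alone run: print one line per step.
for step in rename_keeps_inode compress_keeps_inode compress_keeps_content; do
    printf '%s: %s\n' "$step" "$("$step")"
done
```

Read with the thread in mind: the rename step keeps the inode, which is the property a rule that ignores a changed filename can rely on, whereas the compression step produces a new inode and a new on-disk hash, so mainlog.2.gz looks like a new object to any checker that hashes files as stored. Relating the compressed file back to mainlog.1 would require decompressing it first, which is the step the quoted reply places outside AIDE's scope.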



More information about the Aide mailing list