[Aide] AIDE with inotify
Richard van den Berg
richard at vdberg.org
Wed Apr 30 13:59:48 EEST 2008
Florian Engelhardt wrote:
> It looks like AIDE will check the files on the harddisk against the
> database periodically, which would be every hour for example.
Aide will not do that automatically, but you can use cron to run it
periodically.
> What if
> an intruder breaks into the system 1 minute after the scan? He has 59
> minutes to go before the next scan, plenty of time to do stuff on my
> system, and enough time to maybe deactivate aide, or just regenerate
> the database.
>
That's why the recommended setup is to store the aide database on a
read-only medium.
> My idea (and maybe someone else had this idea before me) was, to catch
> filesystem modifications via inotify on linux (and other tools on
> other systems).
>
Aide currently is not a daemon that can monitor inotify messages. Such a
daemon would be the first that is shut down when a skilled hacker breaks
into your system.
Sincerely,
Richard van den Berg
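The two points in the reply above (run the check from cron, keep the database on read-only media) as a cron wrapper; this is an added example, not code from the AIDE project or from this thread. The database path, the mounts table path and the cron entry in the comments are assumptions.

```shell
#!/bin/sh
# Added example: a cron wrapper that runs "aide --check" only when the
# reference database sits on a mount that is currently read-only, so a
# check never silently trusts a database an intruder could have rewritten.
# Assumed /etc/cron.d entry (adjust to taste):
#   0 * * * * root /usr/local/sbin/aide-cron-check
AIDE_DB="${AIDE_DB:-/mnt/aide-ro/aide.db}"   # assumed database location
MOUNTS="${MOUNTS:-/proc/mounts}"             # overridable for testing

# Print the mount options of the filesystem holding path $1, read from a
# /proc/mounts-style table in file $2. The longest matching mount point wins.
mount_opts_for() {
    path=$1; table=$2
    awk -v p="$path" '
        {
            mp = $2
            if (index(p, mp) == 1 &&
                (mp == "/" || length(p) == length(mp) ||
                 substr(p, length(mp) + 1, 1) == "/") &&
                length(mp) > best) {
                best = length(mp); opts = $4
            }
        }
        END { print opts }' "$table"
}

# Exit status 0 if the filesystem holding $1 is mounted read-only, else 1.
db_is_readonly() {
    opts=$(mount_opts_for "$1" "$MOUNTS")
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# The actual cron job body: refuse to check against a writable database.
run_check() {
    if ! db_is_readonly "$AIDE_DB"; then
        echo "refusing to run: $AIDE_DB is not on a read-only mount" >&2
        return 2
    fi
    aide --check
}
```

Call `run_check` from the cron job; a non-zero exit from the wrapper (database not read-only, or aide reporting changes) should be what your alerting watches for.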