[Aide] AIDE with inotify

Mojo Nichols mnichols at mojosoft.org
Thu May 1 05:02:03 EEST 2008


I run a separate cron against lastlog and if it changes I print that out
and send via email to a couple of people. It runs very quickly so it
would probably not be unreasonable to run it every minute. I don't run
it that often, so do your own testing. The rest of it I run every night
in a separate cron. I didn't look to see if it is possible to gain access
without tripping lastlog; my guess is yes it is possible. It of course
would be useless if the box legitimately has a lot of people logging in.

Regards

Mojo

Richard van den Berg wrote:
> Florian Engelhardt wrote:
>> It looks like AIDE will check the files on the harddisk against the
>> database periodically, which would be every hour for example.
>
> Aide will not do that automatically, but you can use cron to run it 
> periodically.
>
>> What if
>> an intruder breaks into the system 1 minute after the scan? He has 59
>> minutes to go before the next scan, plenty of time to do stuff on my
>> system, and enough time to maybe deactivate aide, or just regenerate
>> the database.
>
> That's why the recommended setup is to store the aide database on a 
> read-only medium.
>
>> My idea (and maybe someone else had this idea before me) was, to catch
>> filesystem modifications via inotify on linux (and other tools on
>> other systems).
>
> Aide currently is not a daemon that can monitor inotify messages. Such a 
> daemon would be the first that is shut down when a skilled hacker breaks 
> into your system.
>
> Sincerely,
>
> Richard van den Berg
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>
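The lastlog-diff cron job Mojo describes, written out as an added example (not code from the list post or from AIDE): a POSIX sh script that keeps the previous `lastlog` output in a state directory, diffs it against the current output and mails only the entries that changed. `STATE_DIR`, `RECIPIENTS` and the `lastlog-watch` script name are assumptions.

```shell
#!/bin/sh
# Cron-driven lastlog watcher (constructed example). Each run snapshots
# `lastlog` output and mails only the entries that changed since last run.
# STATE_DIR and RECIPIENTS are placeholders; adjust them for your host.
STATE_DIR="${STATE_DIR:-/var/lib/lastlog-watch}"
RECIPIENTS="${RECIPIENTS:-root}"

# lastlog_changes PREV CUR: print the lines of CUR that are not in PREV,
# i.e. accounts whose "Latest" login moved or that appeared since last run.
# Exit status 0 means nothing changed, 1 means something did.
lastlog_changes() {
    changed=$(diff "$1" "$2" | sed -n 's/^> //p')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# count_changes PREV CUR: number of changed entries, useful for a threshold
# on busy hosts where every single login would otherwise trigger a mail.
count_changes() {
    lastlog_changes "$1" "$2" | grep -c . || true
}

# run_check: the cron entry point. Returns 0 when quiet, 1 when a report
# was mailed (so a wrapper can notice), 2 when the snapshot failed.
run_check() {
    mkdir -p "$STATE_DIR" || return 2
    cur="$STATE_DIR/lastlog.cur"
    prev="$STATE_DIR/lastlog.prev"
    lastlog > "$cur" || return 2
    if [ ! -f "$prev" ]; then
        mv "$cur" "$prev"; return 0   # first run: only seed the baseline
    fi
    if report=$(lastlog_changes "$prev" "$cur"); then
        rm -f "$cur"; return 0        # nothing new since the last run
    fi
    printf 'Login activity changed on %s:\n\n%s\n' "$(hostname)" "$report" \
        | mail -s "lastlog change on $(hostname)" "$RECIPIENTS"
    mv "$cur" "$prev"
    return 1
}

# Run only when executed as the lastlog-watch script; sourcing the file
# just defines the functions.
case "${0##*/}" in lastlog-watch*) run_check ;; esac
```

Install it as an executable named `lastlog-watch` and call it from a cron entry at whatever interval your testing supports; the first run only records the baseline.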