[Aide] Intrusion report of directory files
oliver.k at bluewin.ch
Tue Jun 7 17:07:34 EEST 2011
Hi V

Here are some examples of what the directory names look like:

/opt
/opt/install-test
/opt/install-live
/opt/install-test/management
/opt/install-test/management/scripts
/opt/httpd

and so on. Unfortunately I cannot make a qualified conclusion about the depth of the path.

Do you have any idea?

Kind regards,

Oliver
----Original Message----
From: vavarachen at gmail.com
Date: 06.06.2011 17:26
To: <oliver.k at bluewin.ch>
Cc: <aide at cs.tut.fi>
Subject: Re: Re: [Aide] Intrusion report of directory files
Your best bet would be to write a rule using regular expressions.
Also, if the majority of the directories are to be ignored, then consider
writing rules for the ones you want to monitor and ignore the rest
("=/opt/app1$"). Take a look at
http://www.cs.tut.fi/~rammer/aide/manual.html#usage for some examples
and pitfalls to watch out for.

Can you share a list of directories you are trying to include/exclude?
Maybe I can try to help write the reg-ex rule.

V

On Mon, Jun 6, 2011 at 10:01 AM, oliver.k at bluewin.ch <oliver.k at bluewin.ch> wrote:
> Hi V
>
> Sorry, maybe I was not clear enough. I have approximately 25 sub directories
> in /opt and am looking for a rule to exclude that globally for /opt and not by
> excluding each sub directory. Otherwise it's very unhandy.
>
> Kind regards,
>
> Oliver
>
> ----Original Message----
> From: vavarachen at gmail.com
> Date: 06.06.2011 15:48
> To: <oliver.k at bluewin.ch>, "Aide user mailinglist"<aide at cs.tut.fi>
> Subject: Re: [Aide] Intrusion report of directory files
>
> Try "!/opt/SomeSoftware/tmp" without the quotes.
>
> V
>
> On Mon, Jun 6, 2011 at 3:49 AM, oliver.k at bluewin.ch <oliver.k at bluewin.ch> wrote:
>> Hi all
>>
>> I'm pretty new to AIDE and tried for a while to get along with the
>> configuration.
>>
>> I have made a rule like this:
>>
>> RULE=p+i+n+u+g+s+m+md5
>>
>> and use this rule on the directory path /opt
>>
>> /opt RULE
>>
>> My problem is some scripts that write temporary files in the directory
>> somewhere in /opt/.../... and by this behavior it causes aide to report an
>> intrusion because of the mtime check. Does anyone have an idea how I can
>> solve that problem? I don't want to remove the mtime check. My thoughts go
>> to the direction of excluding the mtime check for all directory files, is
>> that possible?
>>
>> Thank you for your time and help
>>
>
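Added example (not part of the thread and not AIDE code or AIDE configuration syntax): a Python model of the problem in the original post, showing that a temporary file created and deleted inside a directory changes only that directory's mtime, and that checking directories with the same attributes minus `m` silences the report while files keep the full check. `DIR_RULE`, the function names and the directory tree are constructed for illustration.

```python
import hashlib, os, tempfile

# AIDE attribute letters from the thread's RULE=p+i+n+u+g+s+m+md5, mapped to stat fields.
ATTRS = {"p": "st_mode", "i": "st_ino", "n": "st_nlink", "u": "st_uid",
         "g": "st_gid", "s": "st_size", "m": "st_mtime_ns"}
FILE_RULE = "p+i+n+u+g+s+m+md5"   # the rule from the original post
DIR_RULE = "p+i+n+u+g+s"          # hypothetical directory variant: same checks, no mtime

def record(path, rule):
    """Collect the attributes named in `rule` for one path."""
    st = os.lstat(path)
    rec = {a: getattr(st, ATTRS[a]) for a in rule.split("+") if a in ATTRS}
    if "md5" in rule.split("+") and os.path.isfile(path):
        with open(path, "rb") as fh:
            rec["md5"] = hashlib.md5(fh.read()).hexdigest()
    return rec

def snapshot(root, dir_rule, file_rule):
    """Walk `root` and build {path: attributes}, choosing the rule by file type."""
    db = {root: record(root, dir_rule)}
    for base, dirs, files in os.walk(root):
        for d in dirs:
            db[os.path.join(base, d)] = record(os.path.join(base, d), dir_rule)
        for f in files:
            db[os.path.join(base, f)] = record(os.path.join(base, f), file_rule)
    return db

def changed(old, new):
    """Paths that were added, removed, or whose recorded attributes differ."""
    return sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))

def demo():
    """Constructed tree: a script creates and deletes a temp file in a nested directory."""
    with tempfile.TemporaryDirectory() as root:
        work = os.path.join(root, "install-test", "management", "scripts")
        os.makedirs(work)
        with open(os.path.join(work, "run.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.utime(work, (1_000_000_000, 1_000_000_000))  # give the directory an old mtime
        strict_old = snapshot(root, FILE_RULE, FILE_RULE)  # one rule for everything
        split_old = snapshot(root, DIR_RULE, FILE_RULE)    # directories skip mtime
        tmp = os.path.join(work, "job.tmp")
        open(tmp, "w").close()
        os.remove(tmp)  # the temp file is gone again, but the mtime of `work` has moved
        strict = changed(strict_old, snapshot(root, FILE_RULE, FILE_RULE))
        split = changed(split_old, snapshot(root, DIR_RULE, FILE_RULE))
        return [os.path.relpath(p, root) for p in strict], split
```

The depth of the directory does not matter in this model because the rule is chosen by file type rather than by path.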