[Aide] AIDE configuration taking too long

Mason Nakadomari nakadoma at hawaii.edu
Thu Aug 29 20:21:17 EEST 2013


Thanks, the goal is to monitor everything but to tailor it to the files and
system. So we fully intended to only monitor things like permissions for
files that change a lot or things like /dev. But we didn't think that
looking at them at all would cause such a hang-up. We are even trying to
scan using only a few basic parameters like u+p. That is good advice and we
are trying to tailor it so everything is monitored but that it doesn't pick
up on useless info. That is part of what I am trying to tweak with this.
Thanks very much for the advice. Is it impossible to scan /dev /sys and
/proc even with very basic parameters like u+p+i?

On Aug 28, 2013 3:48 PM, "Keith Constable" <kccricket at gmail.com> wrote:

> On 28 Aug 2013, at 9:37 PM, Mason Nakadomari <nakadoma at hawaii.edu> wrote:
>
> Thank you for the response. I am running aide.init. Yeah, we thought it was
> strange given it's only 50 gigs in root. I'll try that. We feel that it must
> be getting stuck somewhere. But even running on different machines doesn't
> work.
>
>
> Mason,
>
> It just occurred to me that since you did not tell it not to, aide may be
> attempting to generate a hash for one of the never-ending files in /dev
> like /dev/zero or /dev/random. I'm not certain it will do that, as I've
> never tried, but it seems likely. I doubt it treats "special" files any
> differently than regular ones. Dhr. van den Berg could tell you more than I
> about that.
>
> In addition, prepare for some unbidden advice. Whether you heed it or not
> is not my concern, but I would be remiss not to try. Your plan to monitor
> every change in the entire filesystem may not necessarily improve your
> security. Be careful not to include so many frequently changing files that
> it generates a report that's too long. You're more likely to miss that one
> important change if you have to sift through a mountain of unimportant ones.
>
> Regards,
>
> Keith Constable
>
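
A pre-flight check for the hypothesis in Keith's message, added here as an example that is not part of the thread or of AIDE itself: it finds character devices, block devices, FIFOs and sockets under a tree using lstat only (nothing is opened or read) and builds aide.conf lines that restrict the directories holding them to the u+p+i attributes Mason mentions. The group name MetaOnly and the function names are assumptions; whether AIDE actually hashes such files is not established in the thread.

```python
import os
import re
import stat
from collections import Counter

# File types whose content is not a finite byte sequence stored on disk.
SPECIAL = ((stat.S_ISCHR, "char"), (stat.S_ISBLK, "block"),
           (stat.S_ISFIFO, "fifo"), (stat.S_ISSOCK, "socket"))


def file_kind(path):
    """Return the special-file kind of path, or None for regular files, dirs, symlinks."""
    mode = os.lstat(path).st_mode  # lstat: never follows symlinks, never opens the file
    for is_kind, name in SPECIAL:
        if is_kind(mode):
            return name
    return None


def survey(root):
    """Map each directory under root to a Counter of the special files it holds."""
    found = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        kinds = Counter(k for k in (file_kind(os.path.join(dirpath, f)) for f in files) if k)
        if kinds:
            found[dirpath] = kinds
    return found


def suggest_rules(root, attrs="u+p+i", group="MetaOnly"):
    """Build aide.conf lines that limit those directories to metadata attributes."""
    lines = [f"{group} = {attrs}"]  # hypothetical group name; attrs taken from the thread
    for directory, kinds in sorted(survey(root).items()):
        summary = ", ".join(f"{n} {k}" for k, n in sorted(kinds.items()))
        lines.append(f"# {directory}: {summary}")
        # AIDE selection lines are regular expressions, so escape the literal path.
        lines.append(f"{re.escape(directory)} {group}")
    return lines


if __name__ == "__main__":
    print("\n".join(suggest_rules("/dev")))
```

A rule for a parent directory already covers its subdirectories, so nested entries in the output can be merged by hand before the lines go into aide.conf.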