[Aide] rules questions

Mason Nakadomari nakadoma at hawaii.edu
Sat Sep 7 07:11:28 EEST 2013


Looking this over and running the scan, this doesn't seem to be working. It
doesn't seem to be targeting the specific rules such as /var/lib/locate and
then scanning everything else with the broader rule / CUSTOMTEST1. I'm
confused. Am I misunderstanding the documentation on this? Please advise.
On Sep 6, 2013 6:36 AM, "Mason Nakadomari" <nakadoma at hawaii.edu> wrote:

> Hi, any help or confirmation would be appreciated. Thank you for your time.
> Thanks.
> On Sep 5, 2013 11:15 AM, "Mason Nakadomari" <nakadoma at hawaii.edu> wrote:
>
>>
>> I've been looking over the manual and I wanted to check if my understanding is
>> correct. My understanding is that if I want to search individual
>> directories with a less general rule like CUSTOMTEST6, but still scan
>> everything else using a general rule like CUSTOMTEST1, I would use
>> something like the below.
>> CUSTOMTEST5 = p+u+g+acl+selinux
>> CUSTOMTEST6 = L
>> CUSTOMTEST1 = p+i+u+g+m+acl+selinux+md5
>> @@ifhost aid70
>> =/var/log$ CUSTOMTEST6
>> /var/log/.* CUSTOMTEST5
>> /var/spool/.* CUSTOMTEST5
>> /var/lib/mlocate$ CUSTOMTEST6
>> /var/lib/mlocate/mlocate.db$ CUSTOMTEST5
>> /var/lib/rpm/__db.00* CUSTOMTEST6
>> /var/lib/logrotate.status$ CUSTOMTEST6
>> /var/lib/readahead/early.sorted$ CUSTOMTEST6
>> / CUSTOMTEST1
>> !/var/tmp/.*
>> !/tmp/.*
>> !/sys/.*
>> !/dev/.*
>> !/proc/.*
>> @@endif
>>
>> I looked at a lot of examples and this is what I came up with. Is this
>> not correct? I've also been playing around with more specific and drawn-out
>> rules, but I wanted something as simple as possible so others can edit and
>> add new rules.
>>
>
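As an added illustration (not code from the thread or from the AIDE project), the Python script below parses the selection lines quoted above and reports, for a given path, whether a negative line excludes it and which positive lines match it. It assumes AIDE anchors each regex at the start of the path and treats an `=` line as a full match, and it deliberately does not decide which of several matching rules AIDE applies; seeing that `/ CUSTOMTEST1` matches every path is the point.

```python
import re

# Selection lines from the quoted config, embedded as constructed sample input
# (the CUSTOMTESTn definitions and the @@ifhost wrapper are not needed here).
SELECTION_LINES = """
=/var/log$ CUSTOMTEST6
/var/log/.* CUSTOMTEST5
/var/spool/.* CUSTOMTEST5
/var/lib/mlocate$ CUSTOMTEST6
/var/lib/mlocate/mlocate.db$ CUSTOMTEST5
/var/lib/rpm/__db.00* CUSTOMTEST6
/var/lib/logrotate.status$ CUSTOMTEST6
/var/lib/readahead/early.sorted$ CUSTOMTEST6
/ CUSTOMTEST1
!/var/tmp/.*
!/tmp/.*
!/sys/.*
!/dev/.*
!/proc/.*
"""

def parse_selection_lines(text):
    """Return (kind, compiled_regex, rule_name) per line; kind is 'regular',
    'equals' ('=') or 'negative' ('!'). Assumption: regexes are anchored at
    the start of the path, and an 'equals' line must match the whole path."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        pattern, rule = parts[0], (parts[1] if len(parts) > 1 else None)
        if pattern.startswith("!"):
            kind, pattern = "negative", pattern[1:]
        elif pattern.startswith("="):
            kind, pattern = "equals", pattern[1:]
        else:
            kind = "regular"
        anchored = "^" + pattern + ("$" if kind == "equals" else "")
        entries.append((kind, re.compile(anchored), rule))
    return entries

def classify(entries, path):
    """(excluded_by_negative_line, [rule names of matching positive lines]);
    which positive rule AIDE finally applies is left undecided on purpose."""
    hits = [(k, r) for k, rx, r in entries if rx.search(path)]
    excluded = any(k == "negative" for k, _ in hits)
    return excluded, [r for k, r in hits if k != "negative"]

if __name__ == "__main__":
    cfg = parse_selection_lines(SELECTION_LINES)
    for p in ("/var/log", "/var/log/messages", "/tmp/x", "/etc/passwd"):
        print(p, classify(cfg, p))
```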

