[Aide] rules questions

Richard van den Berg richard at vdberg.org
Sat Sep 7 10:15:27 EEST 2013


There is no specific rule for /var/lib/locate in your config. 

Are you sure the @@ifhost matches? Take this out while testing. 

> Looking this over and running the scan, this doesn't seem to be working. It doesn't seem to be targeting the specific rules such as /var/lib/locate and then scanning everything else with the broader rule / customtest1. I'm confused. Am I misunderstanding the documentation on this? Please advise.
> 
> On Sep 6, 2013 6:36 AM, "Mason Nakadomari" <nakadoma at hawaii.edu> wrote:
>> Hi, any help or confirmation would be appreciated. Thank you for your time, thanks.
>> 
>> On Sep 5, 2013 11:15 AM, "Mason Nakadomari" <nakadoma at hawaii.edu> wrote:
>>> 
>>> I've been looking over the manual and I wanted to check if my understanding is correct. My understanding is that if I want to search individual directories with a less general rule like CUSTOMTEST6 but still scan everything else using a general rule like CUSTOMTEST1, I would use something like the below.
>>> CUSTOMTEST5 = p+u+g+acl+selinux
>>> CUSTOMTEST6 = L
>>> CUSTOMTEST1 = p+i+u+g+m+acl+selinux+md5
>>> @@ifhost aid70
>>> =/var/log$ CUSTOMTEST6
>>> /var/log/.* CUSTOMTEST5
>>> /var/spool/.* CUSTOMTEST5
>>> /var/lib/mlocate$ CUSTOMTEST6
>>> /var/lib/mlocate/mlocate.db$ CUSTOMTEST5
>>> /var/lib/rpm/__db.00* CUSTOMTEST6
>>> /var/lib/logrotate.status$ CUSTOMTEST6
>>> /var/lib/readahead/early.sorted$ CUSTOMTEST6
>>> / CUSTOMTEST1
>>> !/var/tmp/.*
>>> !/tmp/.*
>>> !/sys/.*
>>> !/dev/.*
>>> !/proc/.*
>>> @@endif
>>> 
>>> I looked at a lot of examples and this is what I came up with. Is this not correct? I've also been playing around with more specific and drawn out rules but I wanted something as simple as possible so others can edit and add new rules.
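Added example, not part of the original thread and not AIDE's own code: a first-pass check for the two points raised in the reply, namely whether the `@@ifhost` block is active for a given hostname and which selection lines actually match a given path. It assumes that `@@ifhost` compares against the short hostname and that each rule is a regex anchored at the start of the path; Python's `re` only approximates AIDE's regex engine, and the function names and the abbreviated config are constructed for illustration.

```python
import re

# Constructed sample: the config from the quoted message, abbreviated.
SAMPLE_CONF = """\
CUSTOMTEST5 = p+u+g+acl+selinux
CUSTOMTEST6 = L
CUSTOMTEST1 = p+i+u+g+m+acl+selinux+md5
@@ifhost aid70
=/var/log$ CUSTOMTEST6
/var/log/.* CUSTOMTEST5
/var/lib/mlocate$ CUSTOMTEST6
/var/lib/mlocate/mlocate.db$ CUSTOMTEST5
/ CUSTOMTEST1
!/tmp/.*
@@endif
"""

def active_rules(conf, hostname):
    """Return (selection, group) pairs that survive @@ifhost filtering."""
    short = hostname.split(".")[0]  # assumption: compared without the domain
    stack, rules = [], []
    for raw in conf.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "@@ifhost":
            stack.append(len(tok) > 1 and tok[1] == short)
        elif tok[0] == "@@endif":
            if stack:
                stack.pop()
        elif tok[0][0] in "/!=" and all(stack):
            rules.append((tok[0], tok[1] if len(tok) > 1 else None))
    return rules

def matching_rules(rules, path):
    """List every active rule whose start-anchored regex matches path."""
    return [(sel, grp) for sel, grp in rules
            if re.match(sel.lstrip("!="), path)]

if __name__ == "__main__":
    for host in ("aid70.example.org", "otherhost"):
        rules = active_rules(SAMPLE_CONF, host)
        print(host, "active rules:", len(rules))
        for path in ("/var/lib/locate", "/var/lib/mlocate"):
            print("  ", path, "->", matching_rules(rules, path))
```

An empty rule list for the local hostname points at the `@@ifhost` condition; a path that only matches `/` has no specific rule of its own.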

