[Aide] rules questions

Mason Nakadomari nakadoma at hawaii.edu
Sun Sep 8 05:44:56 EEST 2013


Hi Richard, thanks, that is what I'm basing my rules on. It's just that I
wanted to make sure my understanding is correct. So /var/lib/locate will be
checked with the customtest6 rules, not customtest1, correct? Thanks, sorry, just
making sure.
On Sep 6, 2013 9:30 PM, "Richard van den Berg" <richard at vdberg.org> wrote:

> Your config looks fine in general.
> http://www.cs.tut.fi/~rammer/aide/manual.html#config explains all there
> is to know about the config rules.
>
> /var/lib/mlocate is the rule sorry I made a typo. I apologize. But am I
> correct in my understanding of how aide works? Thank you very much.
> On Sep 6, 2013 9:15 PM, "Richard van den Berg" <richard at vdberg.org> wrote:
>
>> There is no specific rule for /var/lib/locate in your config.
>>
>> Are you sure the @@ifhost matches? Take this out while testing.
>>
>> Looking this over and running the scan, this doesn't seem to be working.
>> It doesn't seem to be targeting the specific rules such as /var/lib/locate
>> and then scanning everything else with the broader rule / customtest1. I'm
>> confused. Am I misunderstanding the documentation on this? Please advise.
>> On Sep 6, 2013 6:36 AM, "Mason Nakadomari" <nakadoma at hawaii.edu> wrote:
>>
>>> Hi any help or confirmation would be appreciated. Thank you for your
>>> time thanks.
>>> On Sep 5, 2013 11:15 AM, "Mason Nakadomari" <nakadoma at hawaii.edu> wrote:
>>>
>>>>
>>>> I've been looking over the manual and I wanted to check if my understanding
>>>> is correct. My understanding is that if I want to scan individual
>>>> directories with a less general rule like CUSTOMTEST6 but still scan
>>>> everything else using a general rule like CUSTOMTEST1, I would use
>>>> something like the below.
>>>> CUSTOMTEST5 = p+u+g+acl+selinux
>>>> CUSTOMTEST6 = L
>>>> CUSTOMTEST1 = p+i+u+g+m+acl+selinux+md5
>>>> @@ifhost aid70
>>>> =/var/log$ CUSTOMTEST6
>>>> /var/log/.* CUSTOMTEST5
>>>> /var/spool/.* CUSTOMTEST5
>>>> /var/lib/mlocate$ CUSTOMTEST6
>>>> /var/lib/mlocate/mlocate.db$ CUSTOMTEST5
>>>> /var/lib/rpm/__db.00* CUSTOMTEST6
>>>> /var/lib/logrotate.status$ CUSTOMTEST6
>>>> /var/lib/readahead/early.sorted$ CUSTOMTEST6
>>>> / CUSTOMTEST1
>>>> !/var/tmp/.*
>>>> !/tmp/.*
>>>> !/sys/.*
>>>> !/dev/.*
>>>> !/proc/.*
>>>> @@endif
>>>>
>>>> I looked at a lot of examples and this is what I came up with. Is this
>>>> not correct? I've also been playing around with more specific and drawn-out
>>>> rules, but I wanted something as simple as possible so others can edit and
>>>> add new rules.
>>>>
>>> _______________________________________________
>> Aide mailing list
>> Aide at cs.tut.fi
>> https://mailman.cs.tut.fi/mailman/listinfo/aide
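The question running through this thread is which selection line AIDE applies when more than one matches a path (for example /var/lib/mlocate matching both "/var/lib/mlocate$ CUSTOMTEST6" and "/ CUSTOMTEST1"). The script below is an added example, not AIDE's own code and not part of the thread. It parses the rule set posted above and applies one assumed precedence model: among the lines whose regex matches from the start of the path, the one with the longest literal path prefix (the text before the first regex metacharacter) wins, an earlier line breaks a tie, and a winning "!" line excludes the path. That model is an assumption to check against the AIDE manual linked in the thread; the no-descent semantics of "=" lines are not modelled beyond matching the path itself. The sample paths, including the mistyped /var/lib/locate that Richard points out, are constructed.

```python
"""Model of which AIDE selection line applies to a path (added example, not AIDE code).

Assumed precedence: longest literal prefix wins, earlier line breaks ties,
'!' lines exclude, regexes are anchored at the start of the path only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed config: the group definitions and selection lines posted in the
# thread, without the @@ifhost block so the rules apply unconditionally.
CONFIG = """
CUSTOMTEST5 = p+u+g+acl+selinux
CUSTOMTEST6 = L
CUSTOMTEST1 = p+i+u+g+m+acl+selinux+md5
=/var/log$ CUSTOMTEST6
/var/log/.* CUSTOMTEST5
/var/spool/.* CUSTOMTEST5
/var/lib/mlocate$ CUSTOMTEST6
/var/lib/mlocate/mlocate.db$ CUSTOMTEST5
/var/lib/rpm/__db.00* CUSTOMTEST6
/var/lib/logrotate.status$ CUSTOMTEST6
/var/lib/readahead/early.sorted$ CUSTOMTEST6
/ CUSTOMTEST1
!/var/tmp/.*
!/tmp/.*
!/sys/.*
!/dev/.*
!/proc/.*
"""

REGEX_META = set('.^$*+?()[]{}|\\')


@dataclass
class Rule:
    kind: str              # 'sel' (plain), 'equ' ('=' prefix) or 'neg' ('!' prefix)
    regex: str             # the selection regex as written, prefix character removed
    group: Optional[str]   # attribute group name; None for negative lines
    prefix: str            # literal path prefix before the first regex metacharacter
    order: int             # position in the config, used to break ties


def fixed_prefix(regex: str) -> str:
    """Literal leading part of a regex; in this model it decides specificity."""
    out = []
    for ch in regex:
        if ch in REGEX_META:
            break
        out.append(ch)
    return ''.join(out)


def parse_config(text: str):
    """Split the config into group definitions and selection rules."""
    groups, rules = {}, []
    for order, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line.startswith('@@'):      # blanks and @@ macros are skipped
            continue
        m = re.match(r'^([A-Za-z_]\w*)\s*=\s*(.+)$', line)
        if m:                                       # group definition: NAME = attrs
            groups[m.group(1)] = m.group(2)
            continue
        kind = 'sel'
        if line[0] == '!':
            kind, line = 'neg', line[1:]
        elif line[0] == '=':
            kind, line = 'equ', line[1:]
        parts = line.split()
        group = parts[1] if len(parts) > 1 else None
        rules.append(Rule(kind, parts[0], group, fixed_prefix(parts[0]), order))
    return groups, rules


def classify(path: str, rules):
    """Return the winning Rule for path, or None if no selection line matches."""
    hits = [r for r in rules if re.match(r.regex, path)]   # anchored at start only
    if not hits:
        return None
    # Most specific (longest literal prefix) wins; the earlier line wins a tie.
    return max(hits, key=lambda r: (len(r.prefix), -r.order))


def describe(path: str, groups, rules) -> str:
    """Verdict for one path: 'GROUP (attrs)', 'excluded' or 'unmatched'."""
    rule = classify(path, rules)
    if rule is None:
        return 'unmatched'
    if rule.kind == 'neg':
        return 'excluded'
    return f"{rule.group} ({groups.get(rule.group, '?')})"


if __name__ == '__main__':
    groups, rules = parse_config(CONFIG)
    # Constructed sample paths, including the mistyped one from the thread.
    for p in ['/var/lib/mlocate', '/var/lib/mlocate/mlocate.db', '/var/lib/locate',
              '/var/log', '/var/log/messages', '/var/lib/rpm/__db.001', '/tmp/scratch']:
        print(f'{p:30} -> {describe(p, groups, rules)}')
```

Under this model /var/lib/mlocate falls to CUSTOMTEST6 and /var/lib/mlocate/mlocate.db to CUSTOMTEST5, while /var/lib/locate (the typo) only matches "/" and so gets CUSTOMTEST1, which is the behaviour Richard's reply is pointing at. The fastest real-world check remains what he suggests: drop the @@ifhost block while testing and run aide --init against a single path.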