[Aide] AIDE configuration taking too long

Mason Nakadomari nakadoma at hawaii.edu
Sun Sep 8 10:30:17 EEST 2013


Hi everyone, while the time has gotten down it's still taking very long, about
3 to 4 days to complete. I've been looking at the verbose reports but most
of it just shows the files being digested without really showing what might be the
problem. I can post it but I'm not sure how useful it would be. My boss really
wants to scan as many files as possible and I need a reason not to scan
certain directories. I already filtered out the directories suggested, just
/sys and /proc. However the scans still take 3 to 4 days to complete and
generate reports 143000 lines long. Is there any way I can speed this up or
is cutting down on files the only way? Even on a single thread should it
really take this long to complete a scan? Even with a million files it
shouldn't take this long, should it? Is there anything I'm missing I should
cut out? I narrowed out the always changing files of /var/log and
/var/spool, only targeting certain files. But I'm not sure what else to cut
out. My boss is paranoid and wants as many files checked as possible, but I
question the wisdom of checking thousands of binaries or firmware files.
I know that a trojan could happen anywhere but I doubt even this would find
it easily. Any tips would be appreciated. I'm sorry, I just have no idea why
it's taking so long. The file system is about 50 GB but at best we are
scanning 20 GB. Thanks, any advice is appreciated. I'm sorry for the trouble.


On Wed, Sep 4, 2013 at 3:36 PM, Mason Nakadomari <nakadoma at hawaii.edu> wrote:

> Thank you very much. I excluded the appropriate directories and I have
> gotten the time down considerably and actually completed a scan. Thanks
> very much for the help.
>
>
> On Mon, Sep 2, 2013 at 10:14 AM, Mason Nakadomari <nakadoma at hawaii.edu> wrote:
>
>> Thanks. I am running a verbose scan. I'm gonna check it out. I just
>> expected faster scans when I omitted certain directories. I'll go ahead and
>> display the output I encountered.
>> On Sep 2, 2013 12:24 AM, "Christoph Wilke" <chris at filmkreis.tu-darmstadt.de> wrote:
>>
>>>
>>> Hi,
>>>
>>> On Sun, 1 Sep 2013 23:47:02 -1000
>>> Mason Nakadomari <nakadoma at hawaii.edu> wrote:
>>>
>>> > I've removed /proc /dev /sys from my scans and even cut down on /var/spool
>>> > and /var/log. However my scans are still taking more than 24 hours to
>>> > complete. Any other recommended configs? The aide manual gave hints but
>>> > nothing definite. Still having trouble completing an init. Sorry, but I'm
>>> > getting frustrated. I suspect I'm doing this wrong somehow. All the checks
>>> > are done via a centralized server and it SSHes into the desired host. Please
>>> > advise. I'm sorry if it seems like I don't know beans. I don't know aide
>>> > very well. Thanks.
>>>
>>> please run with -V231 or even -V255 as recommended by Keith Constable
>>> earlier in this thread.
>>> For example:
>>> aide -V231 --init
>>> or similar.
>>>
>>> This will help you to find the time-consuming files.
>>>
>>> Best Regards
>>> Christoph Wilke
>>>
>>> > On Aug 29, 2013 12:27 PM, "Mason Nakadomari" <nakadoma at hawaii.edu> wrote:
>>> >
>>> > > I'm enacting some of your advice immediately, thank you very much to the
>>> > > both of you. I'll let you know my progress. I know I'm a rookie at this but
>>> > > I appreciate the help.
>>>
>>> [...]
>>> _______________________________________________
>>> Aide mailing list
>>> Aide at cs.tut.fi
>>> https://mailman.cs.tut.fi/mailman/listinfo/aide
>>>
>>
>
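The thread's advice (exclude the pseudo-filesystems, stop digesting trees that change constantly, use verbose mode to find the slow paths) can be expressed as an aide.conf. The fragment below is an added example written for this page; it is not configuration posted by anyone in the thread or shipped by the AIDE project. It assumes AIDE's classic configuration syntax (`database=`/`database_out=`, `!` for negative rules, `+`-joined attribute lists) and the rule names `FULL` and `META` are made up for illustration; the database paths are placeholders.

```conf
# Added example (not from the thread): aide.conf fragment applying the
# advice above. Rule names and database paths are assumptions.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Full check: metadata plus two digests. Every file matched by a FULL
# rule is read end to end, which is what dominates runtime on a large tree.
FULL = p+i+n+u+g+s+m+c+sha256+rmd160

# Metadata only (perms, inode, link count, uid, gid): no digest, so the
# file contents are never read. Cheap, and still catches an unexpected
# new or re-owned file in a tree whose contents change all the time.
META = p+i+n+u+g

# Pseudo-filesystems hold no persistent files and must be excluded
# (the directories already dropped in the thread).
!/proc
!/sys
!/dev

# Constantly changing spool and log areas: watch ownership and
# permissions only rather than digesting every rotated log.
/var/log   META
/var/spool META

# Anything that executes or configures the host gets the full check.
/etc  FULL
/bin  FULL
/sbin FULL
/usr  FULL
/boot FULL
```

Running the verbose init suggested in the thread, `aide -V231 --init`, against this configuration shows each path as it is processed; a tree that visibly stalls the run and that does not need content verification can then be moved from `FULL` to `META`, and a digest-free rule like `META` is what keeps the report from listing every rotated log as a changed file.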