[Aide] Renaming aide.db.new causes false positives
Keith Constable
kccricket at gmail.com
Tue May 12 16:09:58 EEST 2015
On Saturday, May 9, 2015, Nikhil Sole <nsole at hotmail.com> wrote:
> Thanks Marc,
>
> I had ended up ignoring these two files:
> !/var/lib/aide/aide.db
> !/var/lib/aide/aide.db.new
>
> But I think your suggestion of adding custom rules for these two files
> seems like a better approach.
>
> Thanks,
> Nikhil
>
Nikhil,
Bear in mind that those rules negate AIDE's ability to detect changes that
an intruder might make. All the intruder has to do is generate a new
aide.db to cover his tracks.
On the other hand, if your only concern is data integrity, without
intrusion detection, then carry on.
Regards,
Keith Constable
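As an added example (not part of the thread and not AIDE's own code), here is one way to keep Keith's concern in mind without silencing the database files entirely: record a fingerprint of aide.db out of band when you yourself accept a new database, and verify that fingerprint before trusting the next `aide --check`. The file paths, function names and the stand-in database contents are assumptions made for the demonstration; the manifest is only useful if it lives somewhere the host cannot write to (read-only media, another host), otherwise the intruder simply updates it along with the database.

```shell
#!/bin/sh
# Added example, not from the AIDE project or the mailing-list thread.
# Keeps an out-of-band SHA-256 fingerprint of aide.db so that a database
# regenerated by an intruder is noticed before "aide --check" is trusted.
# Paths and names are assumptions for the demo.

# Pick a SHA-256 tool (coreutils sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_db_fingerprint DB MANIFEST
# Run once, right after you accepted a new database yourself
# (aide --init or aide --update, then renaming aide.db.new to aide.db).
record_db_fingerprint() {
    sha256_of "$1" > "$2"
}

# verify_db_fingerprint DB MANIFEST
# Returns 0 if DB still matches the recorded fingerprint, 1 if it differs,
# for example because someone re-ran aide --init to cover their tracks.
verify_db_fingerprint() {
    expected=$(cat "$2")
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ]
}

# Demo on a constructed stand-in for /var/lib/aide/aide.db; no AIDE needed.
# Prints two words: the verdict before and after a simulated regeneration.
demo_tamper_detection() {
    tmp=$(mktemp -d)
    db="$tmp/aide.db"
    manifest="$tmp/aide.db.sha256"

    printf 'constructed aide database v1\n' > "$db"
    record_db_fingerprint "$db" "$manifest"
    if verify_db_fingerprint "$db" "$manifest"; then before=ok; else before=TAMPERED; fi

    # Simulate an intruder regenerating the database after changing files.
    printf 'constructed aide database regenerated by intruder\n' > "$db"
    if verify_db_fingerprint "$db" "$manifest"; then after=ok; else after=TAMPERED; fi

    rm -rf "$tmp"
    echo "$before $after"
}

demo_tamper_detection
```

The check is deliberately separate from AIDE's own rules: an exclusion or a custom rule for aide.db lives inside the configuration that the same intruder can edit, whereas a fingerprint stored off the host is something they would have to reach as well. Signing the database with a key that is not on the machine, or keeping the database and the aide binary on read-only media, serves the same purpose.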