[Aide] AIDE has output even when there are no changes

fuser9bb at hotpop.com fuser9bb at hotpop.com
Sat Apr 23 00:53:50 EEST 2005 

At various sites I've worked we could get a lot more. I do prefer the 
UNIX concept of not making noise unless there is a reason to do so. 
That's what 'verbose' is for. As far as knowing it "is working", as 
stated earlier, an attacker could easily mimic a "All is Okay" report. 
Anyway, just a matter of opinion.

Thanks.

Thistle, Scott wrote:

>I am all for the daily emails. At least you know it is working. We have
>the report sent to our reporting server which analyses the email and
>updates a webpage that is monitored 24/7. Simple enough. We can easily
>see the red flags on the web page for servers that have not checked in,
>late checking in or those that did check in with issues.  We also run
>AIDE twice daily on all our servers (we host a data center and get 100+
>reports). Keep up the awesome work :)
>
>-----Original Message-----
>From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf
>Of fuser9bb at hotpop.com
>Sent: Friday, April 22, 2005 10:18 AM
>To: aide at cs.tut.fi
>Subject: Re: [Aide] AIDE has output even when there are no changes
>
>I would argue against that design decision. Given that most people will 
>run AIDE daily, and many on multiple machines, then daily reports become
>
>noise. After a while sysadmins will simply ignore AIDE reports. This 
>goes for any tool that runs on a regular basis. As far as any benefit 
>from having AIDE report that it is "alive" with these messages, the 
>reports can be easily reproduced by an attacker regardless.
>
>Just my thoughts on the subject.
>
>Great software and thanks for the hard work!
>
>Richard van den Berg wrote:
>
>  
>
>>fuser9bb at hotpop.com wrote:
>> 
>>
>>    
>>
>>>I am using AIDE 0.10 on FreeBSD 4.9.
>>>
>>>Perhaps I'm missing something in the configuration, but AIDE appears
>>>      
>>>
>to
>  
>
>>>print output even if there are no differences on the filesystem. I
>>>assume this is something I have done wrong. Most UNIX tools won't
>>>      
>>>
>output
>  
>
>>>anything unless there is something not right, e.g., a change in the
>>>filesystem.
>>>
>>>Is this on purpose?
>>>   
>>>
>>>      
>>>
>>Yes it is. At the time, we felt that aide checking the filesystem is a
>>too important task to not output anything at all when it succeeds. If
>>you use the CVS version --verbose=4 and lower will cause aide be silent
>>as expected. (This is a bug in aide 0.10.)
>>
>>Sincerely,
>>
>>Richard van den Berg
>> 
>>
>>    
>>
>_______________________________________________
>Aide mailing list
>Aide at cs.tut.fi
>https://mailman.cs.tut.fi/mailman/listinfo/aide
>
>
>_______________________________________________
>Aide mailing list
>Aide at cs.tut.fi
>https://mailman.cs.tut.fi/mailman/listinfo/aide
>  
>

More information about the Aide mailing list