Hi, the aide documentation says in many places that if somebody excludes a file mask (such as /var/log/syslog.[0-9]+), a bad guy might create a directory /var/log/syslog.999 to hide his rootkit without being detected by aide.
_This_ could easily be remedied by having a directive that says "ignore any files that match this regexp, but list any directories that match this regexp".

How about implementing this in aide?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
_______________________________________________
Aide mailing list
[email protected]
https://mailman.cs.tut.fi/mailman/listinfo/aide
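The semantics requested above, as an added example that is not part of the original e-mail and is not aide code: non-directory entries matching the exclusion regexp are skipped, while a directory matching it is reported and its contents stay in scope. The names `classify` and `build_sample_tree`, the constructed sample tree, and the choice to match the regexp against the full path are assumptions of this sketch.

```python
import os
import re
import tempfile

def classify(root, exclude_pattern):
    """Return (checked, skipped, flagged_dirs) as sorted paths relative to root."""
    rx = re.compile(exclude_pattern)
    checked, skipped, flagged = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for name in dirnames:
            path = "/" + os.path.relpath(os.path.join(dirpath, name), root)
            if rx.fullmatch(path):
                flagged.append(path)  # a directory never benefits from the exclusion
            checked.append(path)      # and os.walk still descends into it
        for name in filenames:
            path = "/" + os.path.relpath(os.path.join(dirpath, name), root)
            if rx.fullmatch(path):
                skipped.append(path)  # non-directory entry: excluded as intended
            else:
                checked.append(path)
    return sorted(checked), sorted(skipped), sorted(flagged)

def build_sample_tree(root):
    """Constructed sample: rotated logs plus a directory named like one."""
    log_dir = os.path.join(root, "var", "log")
    os.makedirs(os.path.join(log_dir, "syslog.999"))
    for rel in ("syslog", "syslog.1", "syslog.2", os.path.join("syslog.999", "hidden.bin")):
        with open(os.path.join(log_dir, rel), "w") as fh:
            fh.write("constructed sample data\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # Pattern taken verbatim from the e-mail; assumed to match the whole path.
        checked, skipped, flagged = classify(tmp, r"/var/log/syslog.[0-9]+")
    print("skipped:", skipped)
    print("flagged directories:", flagged)
    print("still checked:", checked)
```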
