Marc Haber wrote:
> If a backdoor was added to the system, aide would complain about the
> changed file, and the database would not be updated.

Are you planning to implement this logic yourself? Aide, when run with --update, will always update the database, reporting the differences found. So the danger is that if you miss that one report about the changes, you are screwed. With the current situation, aide will report the differences every time until an administrator manually updates the database (and of course checks the output to make sure no malicious updates were committed to the aide.db).

> So you instead recommend excluding all possible log file names from
> the aide database completely?

Add them, but don't do strict checks. I use the L (p+i+n+u+g) rule for log directories. Since my system has been running for a looong time, all my log files have been created, and as they turn over no new files appear. This does not guarantee that aide will catch tampered log files, but if that is the only thing someone tampers with, I am not really worried.

Sincerely,

Richard van den Berg

_______________________________________________
Aide mailing list
[email protected]
https://mailman.cs.tut.fi/mailman/listinfo/aide
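An added illustration, not from this thread or from the AIDE project, of the rule assignment Richard describes: a constructed aide.conf fragment that keeps log directories under the relaxed L (p+i+n+u+g) rule while binaries and configuration stay under a checksum rule, and writes the updated database to a separate file so the checked database is only replaced after an administrator has reviewed the report. The database paths, the `Strict` rule name and the use of sha256 (assumes an AIDE build with sha256 support) are assumptions.

```conf
# Constructed example aide.conf fragment (paths are assumptions).
# `aide --update` writes to database_out, not to the database used by
# `aide --check`, so the known-good database is only replaced when an
# administrator has read the report and copies aide.db.new over aide.db.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Attribute letters: p permissions, i inode, n link count, u uid, g gid,
# s size, m mtime, c ctime, sha256 content checksum.

# Relaxed rule for logs: contents may grow, but ownership, permissions
# and inode identity must not change. An appended line is not reported;
# a replaced file (new inode), a chmod or a chown still is.
L = p+i+n+u+g

# Strict rule: any change in content or metadata is reported.
Strict = p+i+n+u+g+s+m+c+sha256

# Binaries and system configuration get the strict rule.
/bin    Strict
/sbin   Strict
/etc    Strict

# Log directories get the relaxed rule, so routine growth and rotation
# do not flood the report while tampering with the files' identity does.
/var/log L
```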
