Hi Richard, thanks, that is what I'm basing my rules on. It's just that I wanted to make sure my understanding is correct. So /var/lib/locate will be checked with customtest6 rules, not customtest1, correct? Thanks, sorry, just making sure.

On Sep 6, 2013 9:30 PM, "Richard van den Berg" <[email protected]> wrote:

> Your config looks fine in general.
> http://www.cs.tut.fi/~rammer/aide/manual.html#config explains all there
> is to know about the config rules.
>
> /var/lib/mlocate is the rule, sorry, I made a typo. I apologize. But am I
> correct in my understanding of how aide works? Thank you very much.
> On Sep 6, 2013 9:15 PM, "Richard van den Berg" <[email protected]> wrote:
>
>> There is no specific rule for /var/lib/locate in your config.
>>
>> Are you sure the @@ifhost matches? Take this out while testing.
>>
>> Looking this over and running the scan, this doesn't seem to be working.
>> It doesn't seem to be targeting the specific rules such as /var/lib/locate
>> and then scanning everything else with the broader rule / customtest1. I'm
>> confused. Am I misunderstanding the documentation on this? Please advise.
>> On Sep 6, 2013 6:36 AM, "Mason Nakadomari" <[email protected]> wrote:
>>
>>> Hi, any help or confirmation would be appreciated. Thank you for your
>>> time, thanks.
>>> On Sep 5, 2013 11:15 AM, "Mason Nakadomari" <[email protected]> wrote:
>>>
>>>> I've been looking over the manual and I wanted to check if my understanding
>>>> is correct. My understanding is that if I want to search individual
>>>> directories with a less general rule like CUSTOMTEST6 but still scan
>>>> everything else using a general rule like CUSTOMTEST1, I would use
>>>> something like the below.
>>>>
>>>> CUSTOMTEST5 = p+u+g+acl+selinux
>>>> CUSTOMTEST6 = L
>>>> CUSTOMTEST1 = p+i+u+g+m+acl+selinux+md5
>>>> @@ifhost aid70
>>>> =/var/log$ CUSTOMTEST6
>>>> /var/log/.* CUSTOMTEST5
>>>> /var/spool/.* CUSTOMTEST5
>>>> /var/lib/mlocate$ CUSTOMTEST6
>>>> /var/lib/mlocate/mlocate.db$ CUSTOMTEST5
>>>> /var/lib/rpm/__db.00* CUSTOMTEST6
>>>> /var/lib/logrotate.status$ CUSTOMTEST6
>>>> /var/lib/readahead/early.sorted$ CUSTOMTEST6
>>>> / CUSTOMTEST1
>>>> !/var/tmp/.*
>>>> !/tmp/.*
>>>> !/sys/.*
>>>> !/dev/.*
>>>> !/proc/.*
>>>> @@endif
>>>>
>>>> I looked at a lot of examples and this is what I came up with. Is this
>>>> not correct? I've also been playing around with more specific and drawn out
>>>> rules but I wanted something as simple as possible so others can edit and
>>>> add new rules.
>>>>
>>> _______________________________________________
>>> Aide mailing list
>>> [email protected]
>>> https://mailman.cs.tut.fi/mailman/listinfo/aide
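To reason about which rule set AIDE would apply to each path in the config quoted above, here is a small Python model of AIDE-style selection lines. It is an added example written for this thread, not AIDE's own code and not something either poster wrote. It embeds the quoted rules (with the @@ifhost block dropped, as Richard suggests for testing) and assumes the following about AIDE's matching, which should be confirmed against the manual linked in the thread or by running aide itself: selection regexes are implicitly anchored at the start of the path, "!" lines exclude a path outright, "=" lines match only the exact path and not its contents, and when several selection lines match, the one with the longest literal prefix (the regex text before its first metacharacter) wins. The helper names (parse_config, select_rule, rule_for) are this example's own.

```python
import re

# Constructed sample: the rules from the quoted message, minus @@ifhost/@@endif
# so that the selection lines always apply.
SAMPLE_CONFIG = """
CUSTOMTEST5 = p+u+g+acl+selinux
CUSTOMTEST6 = L
CUSTOMTEST1 = p+i+u+g+m+acl+selinux+md5
=/var/log$ CUSTOMTEST6
/var/log/.* CUSTOMTEST5
/var/spool/.* CUSTOMTEST5
/var/lib/mlocate$ CUSTOMTEST6
/var/lib/mlocate/mlocate.db$ CUSTOMTEST5
/var/lib/rpm/__db.00* CUSTOMTEST6
/var/lib/logrotate.status$ CUSTOMTEST6
/var/lib/readahead/early.sorted$ CUSTOMTEST6
/ CUSTOMTEST1
!/var/tmp/.*
!/tmp/.*
!/sys/.*
!/dev/.*
!/proc/.*
"""

REGEX_META = set(".*+?[](){}|^$\\")


def literal_prefix(regex):
    """Leading run of characters that carry no regex meaning (assumed tie-breaker)."""
    out = []
    for ch in regex:
        if ch in REGEX_META:
            break
        out.append(ch)
    return "".join(out)


def parse_config(text):
    """Split an AIDE-style config into attribute groups and selection rules."""
    groups, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@@"):
            continue
        # "NAME = a+b+c" defines an attribute group.
        if "=" in line and not line.startswith(("=", "!", "/")):
            name, _, attrs = line.partition("=")
            groups[name.strip()] = set(attrs.strip().split("+"))
            continue
        kind = "regular"
        if line[0] == "!":
            kind, line = "negative", line[1:]
        elif line[0] == "=":
            kind, line = "equals", line[1:]
        parts = line.split(None, 1)
        regex = parts[0]
        group = parts[1].strip() if len(parts) > 1 else None
        rules.append({"kind": kind, "regex": re.compile(regex), "group": group,
                      "prefix": literal_prefix(regex), "order": len(rules)})
    return groups, rules


def matches(rule, path):
    """Regexes are anchored at the start; '=' rules must match the whole path."""
    if rule["kind"] == "equals":
        return rule["regex"].fullmatch(path) is not None
    return rule["regex"].match(path) is not None


def select_rule(path, groups, rules):
    """Return (group name, attribute set) for path, or None if it is excluded."""
    if any(r["kind"] == "negative" and matches(r, path) for r in rules):
        return None
    candidates = [r for r in rules if r["kind"] != "negative" and matches(r, path)]
    if not candidates:
        return None
    # Assumed precedence: longest literal prefix wins, earlier line breaks ties.
    best = max(candidates, key=lambda r: (len(r["prefix"]), -r["order"]))
    return best["group"], groups.get(best["group"], set())


GROUPS, RULES = parse_config(SAMPLE_CONFIG)


def rule_for(path):
    return select_rule(path, GROUPS, RULES)


if __name__ == "__main__":
    for p in ["/var/lib/mlocate", "/var/lib/mlocate/mlocate.db", "/var/log",
              "/var/log/messages", "/etc/passwd", "/tmp/scratch",
              "/var/lib/rpm/__db.001"]:
        print(f"{p:32} -> {rule_for(p)}")
```

Under these assumptions /var/lib/mlocate itself lands on CUSTOMTEST6, /var/lib/mlocate/mlocate.db on CUSTOMTEST5, and /etc/passwd falls through to the catch-all "/" line with CUSTOMTEST1. Two things the model makes visible: the "/var/lib/locate" path asked about in the thread has no rule of its own, so it would also fall through to CUSTOMTEST1, and because selection lines are regular expressions, "/var/lib/rpm/__db.00*" reads as "any character after __db, then zero or more zeros", which is wider than the glob it resembles.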
