On Sun, May 22, 2016 at 09:17:38AM +0100, Moss, Adam David wrote:
> I have AIDE running under CentOS and am getting some noise in the output.
> Can you please advise what would be the best modification to take in
> /etc/aide/aide.conf to resolve this?
>
> I know I could just !/var/log/xxx but that doesn't seem like the "best"
> answer.

It clearly is the easiest answer to get rid of all those messages once and
for ever. It does, however, have the possibility that somebody will hide
his root kit / exploit in /var/log/nginx/access.log-20160520.gz if you
exclude it.

Not having rotated logs trigger aide is one of the hardest tasks when
building a scalable aide setup. You have already chosen wisely by adopting
a dateext rotation scheme where a log is written to, eventually renamed to
logname-$DATE, eventually compressed and then never touched again.
Managing this scheme is wildly easier than the old scheme with log =>
log.1 => log.2.gz => log.3.gz etc.

It can be easier if you don't rotate seldom-written log files daily but
use logrotate's size option to rotate the log only when it has exceeded a
certain size. I incidentally find this vastly easier to handle anyway.

The ANF, ARF and > default groups do try to cater for your needs. You
need, however, to balance your configuration between "take the risk of
people using your logs to hide in them, but no aide alerts" and "be
informed when an archived log file changes but need to manually ACK each
rotated log file".

If you want to play with ANF, ARF, I would suggest setting up a test
directory with a local logrotate which is rotated more often, and running
aide in this test directory more often than daily as well, so that you
decrease your trial-and-error turnaround time.

I am afraid that this is no silver bullet and still places significant
workload on you, but it's all that I have to offer at the moment.

Feel free to ask additional questions if you want to.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
_______________________________________________
Aide mailing list
[email protected]
https://mailman.cs.tut.fi/mailman/listinfo/aide
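The test directory Marc suggests, scaffolded as an added example (this is not code from the list post or from the AIDE project). It writes a self-contained aide.conf whose rotated-log rule carries ANF and ARF (so files appearing and disappearing through rotation do not need a manual ACK, while a change to an existing archived file still alerts) and a local logrotate.conf using size plus dateext, then runs one grow/rotate/check cycle. The directory layout, the group names GrowingLog and ArchivedLog, the log name app.log and the 1k rotation size are assumptions; the aide and logrotate options and attribute letters used are the standard ones. If aide or logrotate is not installed, it only writes the configuration files and returns 2.

```shell
#!/bin/sh
# Added example (not from the list post or the AIDE project): a local
# aide + logrotate test bed that can be cycled every few minutes instead
# of daily. All paths and names are assumptions.
set -eu

# Write aide.conf and logrotate.conf under $1 (idempotent).
setup_test_dir() {
    dir=$1
    mkdir -p "$dir/log" "$dir/db"
    [ -f "$dir/log/app.log" ] || printf 'constructed first line\n' > "$dir/log/app.log"

    cat > "$dir/aide.conf" <<EOF
# Constructed test aide.conf; databases live inside the test directory.
database=file:$dir/db/aide.db
database_out=file:$dir/db/aide.db.new

# Live log: size may only grow (S); owner, mode, inode, link count checked.
GrowingLog = p+u+g+i+n+S
# Archived log: must never change again, so check size, times and a hash.
ArchivedLog = p+u+g+i+n+s+m+c+sha256

$dir/log/app\.log\$ GrowingLog
# ANF/ARF on the rotated-file rule: new or removed archives are tolerated,
# a modified archive still triggers a report.
$dir/log/app\.log-[0-9]+(\.gz)?\$ ArchivedLog+ANF+ARF
$dir/log\$ p+u+g
EOF

    cat > "$dir/logrotate.conf" <<EOF
# Constructed test logrotate.conf: rotate by size, name archives by date,
# compress one rotation later, never touch the archive again.
$dir/log/app.log {
    size 1k
    dateext
    compress
    delaycompress
    rotate 5
    missingok
    notifempty
}
EOF
}

# One trial-and-error round: grow the log past "size 1k", rotate it,
# let aide report, then accept the new state for the next round.
run_cycle() {
    dir=$1
    if ! command -v aide >/dev/null 2>&1 || ! command -v logrotate >/dev/null 2>&1; then
        echo "aide or logrotate not installed; configs written, nothing run" >&2
        return 2
    fi
    if [ ! -f "$dir/db/aide.db" ]; then
        aide --config="$dir/aide.conf" --init
        mv "$dir/db/aide.db.new" "$dir/db/aide.db"
    fi
    head -c 2048 /dev/urandom | base64 >> "$dir/log/app.log"
    logrotate -f -s "$dir/logrotate.state" "$dir/logrotate.conf"
    # --check exits non-zero whenever it finds changes; that report is the point.
    aide --config="$dir/aide.conf" --check || true
    # --update writes a fresh database so the next round starts from this state.
    aide --config="$dir/aide.conf" --update || true
    mv "$dir/db/aide.db.new" "$dir/db/aide.db"
}

# Usage: sh aide-logtest.sh /tmp/aidetest   (then re-run every few minutes, e.g. from cron)
if [ $# -ge 1 ]; then
    setup_test_dir "$1"
    run_cycle "$1" || echo "cycle returned $?" >&2
fi
```

Each run appends enough data to force a rotation, so the sequence app.log, app.log-DATE, app.log-DATE.gz and finally removal under rotate 5 is exercised within minutes; moving ANF and ARF between the archive rule and nowhere at all shows directly which of the two trade-offs from the reply each configuration buys.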
