On Thu, Jul 22, 2004 at 11:49:26PM +0200, Ralf Hildebrandt wrote:
> I think certain directories should be (by default) excluded from AIDE or
> have specific rules applied to them. To name quite a few:
>
> removed:/var/log/ntpstats/loopstats.20040709.gz
> changes in /var/log/ntpstats are normal when NTP is running
>
> changed:/var/log/syslog.5.gz
> changed:/var/log/syslog.3.gz
> changed:/var/log/syslog.6.gz
> changed:/var/log/daemon.log.0
> this one may be a bit tricky due to the logfile rotation, but maybe a
> change in archived logfiles should not be detected.
Later aide versions allow other packages to bring their own rule extensions and put them into /etc/aide/aide.conf.d. So, the exceptions for /var/log/ntpstats could come with the ntp server package, and the exceptions for syslog could come with sysklogd.

Logs are tricky because of log rotation, but I wouldn't exclude them from the check since the directories could serve as a hiding point for malicious binaries. Log rotation and aide would be a lot more compatible if we'd rotate to logfilename.yyyymmdd, but that would require changes to logrotate and savelog.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
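An added example of the kind of rule fragment a package could drop into /etc/aide/aide.conf.d, in the spirit of Marc's reply: the log directories stay selected, so a file dropped into them is still reported as added, but the content churn from NTP statistics and log rotation is not. It is not code from the thread or from any Debian package; the file name, the group names Strict and LogMeta, and the assumption that syslog and daemon.log are rotated to name.N.gz are all assumptions.

```conf
# /etc/aide/aide.conf.d/31_example_logs   (hypothetical file name; added example)
#
# Attribute letters used below (see aide.conf(5)):
#   p permissions  u owner  g group  i inode  n link count
#   s size  m mtime  c ctime  S "growing size": size may only grow
Strict  = p+i+n+u+g+s+m+c+md5+sha1
LogMeta = p+u+g+i+n

# NTP statistics: ntpd rewrites and dates these files while it runs, so the
# content and size change constantly. Checking metadata only keeps the
# "loopstats.YYYYMMDD.gz changed" noise out of the report, while a new file
# with an unexpected owner or mode in this directory is still reported.
/var/log/ntpstats$ LogMeta
/var/log/ntpstats/(loop|peer|clock)stats\.[0-9]{8}(\.gz)?$ LogMeta

# Live syslog files only ever grow between rotations: S flags a file that
# shrank or was truncated, which rotation never does in place.
/var/log/(syslog|daemon\.log)$ LogMeta+S

# Archived logs do not change once rotated, so full checksums are kept.
# With logfilename.yyyymmdd rotation (as suggested above) the archive name
# would be stable and "changed:" reports would only mean a real change.
/var/log/(syslog|daemon\.log)\.[0-9]+(\.gz)?$ Strict
```

After the fragment is assembled into the active configuration, the database has to be re-initialised once, since the attribute sets stored for the affected paths change.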

