On 2002/10/22 04:27:26PM +0200, Tue, Kjetil Kjernsmo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi folks!
>
> I'd like to ask what people do with their AIDE output at times when a lot of things change on their system?
>
> I've gone through the AIDE configuration, and I feel like having configured it well, to catch the things that might be trojaned while leaving out things that I would certainly change often.
>
> But I'm working a lot on the system these days, so the output just keeps growing out of hand really quick. I get a Too Much Information problem within a week of having created the database. Last night's output was close to 3000 lines, but I've had up to 60000 lines of output there... I find it hard to keep up at all when the output exceeds a hundred lines.
>
> So, I've got to do something, but I don't really understand what. aide --update, ok, but what does that really mean? It just creates a new database to compare with the old, but then, I should keep the old, because there are too many changes for me to keep up and be certain that nothing Bad[tm] has slipped in.... But if I do, the problem just keeps growing...
>
> So I hope the kind folks here can offer some advice... :-)
>
> Best,
>
> Kjetil
> - --
> Kjetil Kjernsmo
> Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
> kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
> Homepage: http://www.kjetil.kjernsmo.net/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
>
> iD8DBQE9tWBllE/Gp2pqC7wRAh2mAJwLpsL5PmPehawrkmOC368xMsFENQCdHevV
> w81q6a0R1km8GbjxGTcZFng=
> =sOls
> -----END PGP SIGNATURE-----

i've only got 20 or so servers to deal with but i know what you mean.

i use a shell script to create system backups, i added an option to it to do an aide backup which basically consists of 'tar -cvpWf aide.$date.tar /var/lib/aide/aide.db /etc/aide/aide.conf /usr/bin/aide /var/cache/apt/archives/aide_*.deb' then scp that to a backup server where it goes through my normal process, except these files never get deleted from disk/tape. so i can always go back and see what happened if needed.

i also like to keep a separate mbox for each server where i can save all the interesting logcheck, aide, etc output.

as far as keeping things small, i usually just do an aide --update the day after i've made any changes, i go through the output to make sure the only changes are what i expected.

hope this helps
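The procedure in the reply, snapshotting the AIDE database, config and binary into a dated tar archive that is kept forever, as an added example (not the poster's own script): it wraps the same file list in a function, adds a sha256 manifest so a stored baseline can be re-verified before it is used for a comparison, and takes a ROOT argument so the same code can be exercised against a constructed directory tree. ROOT, the archive and .sha256 file names and the function names are assumptions; GNU coreutils (sha256sum) is assumed. The -W (verify after write) and -v flags from the reply's tar command are replaced by the explicit read-back check.

```shell
#!/bin/sh
# Added example, not the list poster's backup script. Snapshot the AIDE
# database, config and binary into DEST/aide.<timestamp>.tar plus a
# sha256 manifest, so an old baseline can be kept and re-verified later
# (useful before the database produced by 'aide --update' replaces the
# current one). ROOT, archive naming and function names are assumptions.
set -eu

# make_aide_snapshot DEST ROOT FILE...
#   Archives FILE... (paths relative to ROOT; use ROOT=/ on a real host)
#   keeping permissions (-p), then records the archive's sha256 next to it.
#   Prints the archive path.
make_aide_snapshot() {
    dest=$1; root=$2; shift 2
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/aide.$stamp.tar"
    mkdir -p "$dest"
    tar -cpf "$archive" -C "$root" "$@"
    # Checksum of the stored baseline: a modified archive on the backup
    # host would fail verify_aide_snapshot.
    (cd "$dest" && sha256sum "aide.$stamp.tar" > "aide.$stamp.tar.sha256")
    printf '%s\n' "$archive"
}

# verify_aide_snapshot ARCHIVE
#   Succeeds only if the stored checksum still matches and the archive
#   lists cleanly. Run before trusting an old baseline for a comparison.
verify_aide_snapshot() {
    archive=$1
    dir=$(dirname "$archive"); name=$(basename "$archive")
    (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1) || return 1
    tar -tf "$archive" >/dev/null 2>&1 || return 1
}

# snapshot_has_member ARCHIVE MEMBER
#   True when MEMBER (e.g. var/lib/aide/aide.db) is in the archive.
snapshot_has_member() {
    tar -tf "$1" | grep -qx "$2"
}

# Production use, mirroring the reply's file list (run after reviewing the
# report and before installing the updated database):
#   make_aide_snapshot /var/backups/aide / var/lib/aide/aide.db \
#       etc/aide/aide.conf usr/bin/aide
# then scp both the .tar and the .tar.sha256 to the backup host.
```

Keeping the checksum file separate from the archive means the copy on the backup host can be checked against it, and the same snapshot_has_member check confirms the database file actually made it into the archive rather than only the config.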