Re: AIDE Information Overload
Arthur de Jong <arthur@tiefighter.et.tudelft.nl> writes:
> On Tue, 22 Oct 2002, Kjetil Kjernsmo wrote:
>
>> I'd like to ask what people do with their AIDE output at times when a
>> lot of things change on their system?
>>
>> I've gone through the AIDE configuration, and I feel like having
>> configured it well, to catch the things that might be trojaned while
>> leaving out things that I would certainly change often.
>
> I use aide on several machines but it is not really useful on, for
> example, a Debian/unstable machine or a machine that has a lot of changing
> files where aide is used to inspect development files.
I use it here on a basically Testing box - I've just automated the daily
upgrade process so that it re-runs aide immediately after the dist-upgrade.
That way I get all changes to important bits of the filesystem since the
last package upgrade every day in the mail. (It's partly a matter of policy
to use this script rather than wedging things by hand.)
#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin ; export PATH
apt-get update
# Keep apt's lists and cached .debs readable (directories searchable) by
# non-root users after root has refreshed them.
chmod -R og=rX /var/lib/apt/lists /var/cache/apt/archives
# -u prints the list of packages being upgraded, so it ends up in the mail.
nice apt-get -u dist-upgrade
echo ""
echo "All done. Now running AIDE"
echo ""
# Rebuild the baseline at the lowest priority ("nice nice" stacks two +10
# increments, clamped at 19). aide -i writes aide.db.new (Debian's
# database_out default); it only replaces aide.db if the run succeeded.
cd /var/lib/aide && nice nice aide -i && mv aide.db.new aide.db && echo "Cool"
echo ""
~Tim
--
<http://spodzone.org.uk/>
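Added example, not part of Tim's script or of the thread: the script above rebuilds the AIDE baseline straight after the upgrade, so everything the upgrade touched is accepted into the database without anyone reading it. The filter below takes an AIDE report plus the dpkg file lists (/var/lib/dpkg/info/<pkg>.list) of the packages that were just upgraded, and prints only the changed or added paths that none of those packages owns, i.e. the part of the report still worth a human's attention before re-baselining. The report and the package file list are constructed samples for a hypothetical package "foo", and the "changed: /path" line shape is an assumption to check against the AIDE version in use.

```shell
#!/bin/sh
# Added example (not Tim's script, not AIDE's own tooling): drop AIDE
# report entries that are explained by a package upgrade, keep the rest.

# Pull bare paths out of an AIDE report given as file arguments (or stdin).
# Assumed line shape: "changed: /usr/bin/foo" or "changed:/usr/bin/foo".
aide_paths() {
    awk '/^(added|removed|changed): *\//{ sub(/^[a-z]+: */, ""); print }' "$@"
}

# unexplained_changes REPORT LIST...
# Print the paths from REPORT that are not owned by any package whose dpkg
# file list (one absolute path per line) is given as LIST.
# grep -x matters: "/usr" in a list must not swallow "/usr/sbin/sshd".
unexplained_changes() {
    report=$1; shift
    owned=$(mktemp)
    cat "$@" | sort -u > "$owned"
    aide_paths "$report" | grep -v -x -F -f "$owned" || :
    rm -f "$owned"
}

# Constructed sample data: an AIDE report taken after a dist-upgrade that
# replaced the hypothetical package "foo", and foo's dpkg file list.
# The sshd change is NOT explained by the upgrade and must survive.
write_samples() {
    dir=$1
    cat > "$dir/aide.report" <<'EOF'
AIDE found differences between database and filesystem!!
Summary:
  Changed files: 3
  Added files: 1

changed: /usr/bin/foo
changed: /usr/share/doc/foo/changelog.Debian.gz
changed: /usr/sbin/sshd
added: /usr/lib/foo/plugin.so
EOF
    cat > "$dir/foo.list" <<'EOF'
/usr
/usr/bin
/usr/bin/foo
/usr/lib
/usr/lib/foo
/usr/lib/foo/plugin.so
/usr/share/doc/foo
/usr/share/doc/foo/changelog.Debian.gz
EOF
}

# Usage: sh aide-filter.sh REPORT /var/lib/dpkg/info/PKG.list ...
# With no arguments, run on the constructed samples.
if [ $# -eq 0 ]; then
    d=$(mktemp -d)
    write_samples "$d"
    echo "Changes not explained by the upgrade:"
    unexplained_changes "$d/aide.report" "$d/foo.list"
    rm -rf "$d"
else
    unexplained_changes "$@"
fi
```

Run it on the real report (Debian mails /etc/cron.daily/aide's output) with the .list files of every package named in the dist-upgrade; what it prints is what to read before letting the script above replace aide.db.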