
Re: AIDE Information Overload




On Tue, 22 Oct 2002, Kjetil Kjernsmo wrote:

> I'd like to ask what people do with their AIDE output at times when a
> lot of things change on their system?
>
> I've gone through the AIDE configuration, and I feel like having
> configured it well, to catch the things that might be trojaned while
> leaving out things that I would certainly change often.
> ...

I use aide on several machines, but it is not really useful on, for example,
a Debian/unstable machine or a machine that has a lot of changing files
where aide is used to inspect development files.

The approach I take is that when aide reports some changes, I check that
the changes are "normal" and optionally change aide.conf if the changes are
regular and appropriate. After that I regenerate the database, save it
as aide.db.yyyymmdd and provide a symlink to aide.db.

Apart from that I also use tools like debsums to keep me informed of
integrity (although a lot of packages don't provide all or correct
md5sums) (maybe I should file some bug reports for wrong md5sums).

-- arthur - arthur@tiefighter.et.tudelft.nl - http://tiefighter.et.tudelft.nl/~arthur --
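The accept-and-rotate routine described in the reply above, written out as an added shell example (not code from the poster or from the AIDE project). It assumes the Debian-style paths /var/lib/aide and aide.db.new written by `aide --init`; check `database_out` in your own aide.conf.

```shell
#!/bin/sh
# Added example: after reviewing `aide --check` output and adjusting aide.conf,
# regenerate the database, archive it as aide.db.YYYYMMDD and repoint the
# aide.db symlink at it, as the post describes.
# Assumed paths (not from the post): AIDE_DIR holds the databases, NEW_DB is
# what `aide --init` writes (database_out in aide.conf).
AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"
NEW_DB="${NEW_DB:-$AIDE_DIR/aide.db.new}"

# rotate_aide_db NEWDB DIR [DATE]
# Move a freshly generated database into DIR as aide.db.DATE and make
# DIR/aide.db a symlink to it. Refuses to clobber an existing archive for
# that date, so an earlier baseline is never silently overwritten.
rotate_aide_db() {
    newdb=$1; dir=$2; stamp=${3:-$(date +%Y%m%d)}
    archive="$dir/aide.db.$stamp"
    [ -f "$newdb" ] || { echo "no new database at $newdb" >&2; return 1; }
    [ -e "$archive" ] && { echo "$archive already exists" >&2; return 1; }
    mv "$newdb" "$archive" && chmod 0600 "$archive" || return 1
    # -f replaces the old link; a relative target keeps the directory relocatable
    ln -sfn "aide.db.$stamp" "$dir/aide.db"
}

# accept_aide_changes: regenerate the database with the real aide binary
# and rotate it into place. Run only after the reported changes were checked.
accept_aide_changes() {
    aide --init || return 1      # writes database_out from aide.conf
    rotate_aide_db "$NEW_DB" "$AIDE_DIR"
}

# Only touch the real database when explicitly asked, not when sourced.
if [ "${AIDE_RUN:-0}" = 1 ]; then
    accept_aide_changes
fi
```

Keep the dated archives (and ideally a copy off the host) so that a later report can be compared against the baseline you actually accepted.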


