I did not do an init after making the change. I was changing the file then running a check. I need to run an init after every change to aide.conf? Steps as follows:

Change aide.conf
run aide --init
change /etc/passwd (for example)
run aide --check

?? Correct?

The logic is not sinking into my thick skull late on a Friday. :)

Randy

Richard van den Berg wrote:
Randy Brown wrote:
  
That was my understanding too, but I'm sure not seeing that behavior. 
Part of my rule set is as follows:

    / p+u+g
    /usr L
    /usr/local L
    /boot R
    /etc p+i+n+u+g+s+m

As a test, I modified the /etc/passwd file.  The mtime changed and the
size changed.  AIDE turned up nothing when I ran aide --check.  Then I
changed the permissions on the /etc/passwd file and ran aide --check
again.  It picked up the permission change, but never caught the mtime
or size change.
    

I just tested this case with the aide 0.11, and it does catch the mtime
and size change like it is expected to.

Are you sure you did an --init after you changed the aide.conf file? If
so, please change the /etc/passwd file again (touch should be enough)
and send the output of "aide -V255 --check".

Sincerely,

Richard van den Berg
_______________________________________________
Aide mailing list
Aide@cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
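
An added illustration, not part of the thread and not AIDE's own code: a simplified Python model of a baseline-and-check integrity checker, assuming a check can only compare attributes that were recorded when the baseline was built. The function names, the stand-in file and the os.stat mapping are this example's own; the attribute letters are the ones from the rule set quoted above.

```python
import os
import tempfile

# Attribute letters as used in the quoted rules; the os.stat mapping is an assumption.
ATTRS = {
    "p": lambda st: st.st_mode & 0o7777,
    "u": lambda st: st.st_uid,
    "g": lambda st: st.st_gid,
    "s": lambda st: st.st_size,
    "m": lambda st: st.st_mtime_ns,
}

def init(paths, rule):
    """Build a baseline holding only the attributes the rule selects (models --init)."""
    return {p: {a: ATTRS[a](os.stat(p)) for a in rule.split("+")} for p in paths}

def check(baseline, rule):
    """Compare current state with the baseline (models --check).
    An attribute absent from the baseline has no old value to compare against."""
    changed = {}
    for path, old in baseline.items():
        st = os.stat(path)
        diffs = sorted(a for a in rule.split("+") if a in old and ATTRS[a](st) != old[a])
        if diffs:
            changed[path] = diffs
    return changed

def demo():
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "passwd")         # constructed stand-in file
        with open(target, "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        os.chmod(target, 0o644)
        old_rule, new_rule = "p+u+g", "p+u+g+s+m"  # rules edited, baseline not rebuilt
        stale = init([target], old_rule)
        with open(target, "a") as f:               # size changes
            f.write("extra:x:1:1::/:/bin/sh\n")
        os.utime(target, (10, 10))                 # force an mtime change
        missed = check(stale, new_rule)            # size and mtime were never recorded
        os.chmod(target, 0o600)
        perm_only = check(stale, new_rule)         # permissions were recorded
        fresh = init([target], new_rule)           # baseline rebuilt after the rule change
        with open(target, "a") as f:
            f.write("x")
        os.utime(target, (20, 20))
        caught = check(fresh, new_rule)
        return missed, perm_only, caught
```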
  