[Aide] rules questions
Mason Nakadomari
2013-09-05 21:15:52 UTC
I've been looking over the manual and I wanted to check if my understanding is
correct. My understanding is that if I want to search individual
directories with a less general rule like CUSTOMTEST6 but still scan
everything else using a general rule like CUSTOMTEST1, I would use
something like the below.
CUSTOMTEST5 = p+u+g+acl+selinux
CUSTOMTEST6 = L
CUSTOMTEST1 = p+i+u+g+m+acl+selinux+md5
@@ifhost aid70
=/var/log$ CUSTOMTEST6
/var/log/.* CUSTOMTEST5
/var/spool/.* CUSTOMTEST5
/var/lib/mlocate$ CUSTOMTEST6
/var/lib/mlocate/mlocate.db$ CUSTOMTEST5
/var/lib/rpm/__db.00* CUSTOMTEST6
/var/lib/logrotate.status$ CUSTOMTEST6
/var/lib/readahead/early.sorted$ CUSTOMTEST6
/ CUSTOMTEST1
!/var/tmp/.*
!/tmp/.*
!/sys/.*
!/dev/.*
!/proc/.*
@@endif

I looked at a lot of examples and this is what I came up with. Is this not
correct? I've also been playing around with more specific and drawn-out
rules, but I wanted something as simple as possible so others can edit and
add new rules.
Mason Nakadomari
2013-09-06 16:36:38 UTC
Hi, any help or confirmation would be appreciated. Thank you for your time.
Mason Nakadomari
2013-09-07 04:11:28 UTC
Looking this over and running the scan, this doesn't seem to be working. It
doesn't seem to be targeting the specific rules such as /var/lib/locate and
then scanning everything else with the broader rule / CUSTOMTEST1. I'm
confused. Am I misunderstanding the documentation on this? Please advise.
Richard van den Berg
2013-09-07 07:15:27 UTC
There is no specific rule for /var/lib/locate in your config.
_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
Mason Nakadomari
2013-09-07 07:19:30 UTC
/var/lib/mlocate is the rule, sorry, I made a typo. I apologize. But am I
correct in my understanding of how AIDE works? Thank you very much.
Richard van den Berg
2013-09-07 07:30:32 UTC
Your config looks fine in general. http://www.cs.tut.fi/~rammer/aide/manual.html#config explains all there is to know about the config rules.
Mason Nakadomari
2013-09-08 02:44:56 UTC
Hi Richard, thanks, that is what I'm basing my rules on. It's just that I
wanted to make sure my understanding is correct. So /var/lib/locate will be
checked with the CUSTOMTEST6 rules, not CUSTOMTEST1, correct? Thanks, sorry, just
making sure.
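As an added illustration (not code from this thread, from AIDE itself, or from the manual Richard links), the Python script below parses the selection lines posted above and reports which rule group would apply to a given path. It models the precedence as I read it in the AIDE manual: negative (`!`) lines exclude a path outright, an equals (`=`) line covers only the exact path it matches, and among the regular lines that match, the one whose literal directory prefix is deepest wins, with earlier config lines breaking ties. That precedence model and the treatment of equals lines are assumptions to verify against the AIDE version actually deployed; the sample paths in the demo are constructed, and the `@@ifhost aid70` guard is taken to be true.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rule definitions and selection lines, copied from the config posted in the thread.
RULE_DEFS = {
    "CUSTOMTEST5": "p+u+g+acl+selinux",
    "CUSTOMTEST6": "L",
    "CUSTOMTEST1": "p+i+u+g+m+acl+selinux+md5",
}

SELECTION_LINES = """\
=/var/log$ CUSTOMTEST6
/var/log/.* CUSTOMTEST5
/var/spool/.* CUSTOMTEST5
/var/lib/mlocate$ CUSTOMTEST6
/var/lib/mlocate/mlocate.db$ CUSTOMTEST5
/var/lib/rpm/__db.00* CUSTOMTEST6
/var/lib/logrotate.status$ CUSTOMTEST6
/var/lib/readahead/early.sorted$ CUSTOMTEST6
/ CUSTOMTEST1
!/var/tmp/.*
!/tmp/.*
!/sys/.*
!/dev/.*
!/proc/.*
"""

_REGEX_META = set(".*?+[](){}|^$\\")


@dataclass
class Selection:
    kind: str           # "regular", "equals" or "negative"
    regex: re.Pattern   # matched against the start of the path, like AIDE's selection regexes
    rule: Optional[str]
    depth: int          # number of components in the literal directory prefix
    order: int          # position in the config, used as a tie-breaker


def literal_dir_prefix(rx: str) -> str:
    """Directory part of a selection regex before its first metacharacter.
    '/var/log/.*' -> '/var/log', '/var/lib/mlocate$' -> '/var/lib', '/' -> '/'."""
    literal = ""
    for ch in rx:
        if ch in _REGEX_META:
            break
        literal += ch
    # Cut at the last slash so a partial file name does not count as a directory.
    head = literal.rsplit("/", 1)[0]
    return head or "/"


def parse_selection_lines(text: str) -> list:
    sels = []
    for order, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@@"):
            continue
        parts = line.split()
        pattern, rule = parts[0], (parts[1] if len(parts) > 1 else None)
        if pattern.startswith("!"):
            kind, pattern = "negative", pattern[1:]
        elif pattern.startswith("="):
            kind, pattern = "equals", pattern[1:]
        else:
            kind = "regular"
        prefix = literal_dir_prefix(pattern)
        depth = 0 if prefix == "/" else prefix.count("/")
        sels.append(Selection(kind, re.compile(pattern), rule, depth, order))
    return sels


def resolve_rule(path: str, sels: list) -> Optional[str]:
    """Rule group that would apply to `path`, or None if excluded or unmatched.
    Assumed precedence: negative lines first, then equals lines on the exact path,
    then the matching regular line with the deepest literal directory prefix."""
    for s in sels:
        if s.kind == "negative" and s.regex.match(path):
            return None
    for s in sels:
        if s.kind == "equals" and s.regex.match(path):
            return s.rule
    candidates = [s for s in sels if s.kind == "regular" and s.regex.match(path)]
    if not candidates:
        return None
    best = max(candidates, key=lambda s: (s.depth, -s.order))
    return best.rule


def checked_attributes(path: str, sels: list) -> Optional[str]:
    """Expand the winning rule group to the attribute list AIDE would check."""
    rule = resolve_rule(path, sels)
    return RULE_DEFS.get(rule) if rule else None


if __name__ == "__main__":
    sels = parse_selection_lines(SELECTION_LINES)
    # Constructed sample paths; none of these need to exist on the machine.
    for p in ["/var/lib/mlocate", "/var/lib/mlocate/mlocate.db", "/var/lib/mlocate/other.db",
              "/var/log", "/var/log/messages", "/var/lib/rpm/__db.001",
              "/etc/passwd", "/tmp/scratch"]:
        print(f"{p:32} -> {resolve_rule(p, sels)}  {checked_attributes(p, sels)}")
```

Under this model `/var/lib/mlocate` resolves to CUSTOMTEST6 and `/var/lib/mlocate/mlocate.db` to CUSTOMTEST5, which is what the poster expects. Two side effects of the config also become visible: because `$` anchors the end of the match, `/var/lib/mlocate$` covers only the directory entry itself, so any other file under `/var/lib/mlocate/` falls through to the catch-all `/ CUSTOMTEST1`; and `/var/lib/rpm/__db.00*` is a regular expression rather than a shell glob (`.` is any character and `0*` is zero or more zeros), so it also matches names such as `__db-0x`. If only the numbered `__db.00N` files are meant, `/var/lib/rpm/__db\.00[0-9]$` says that.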