OSEC

 
From: andrew lattis (alattis_at_mindspring.com)
Date: Tue Oct 22 2002 - 09:46:03 CDT


    On 2002/10/22 04:27:26PM +0200, Tue, Kjetil Kjernsmo wrote:
    > Hi folks!
    >
    > I'd like to ask what people do with their AIDE output at times when a
    > lot of things change on their system?
    >
    > I've gone through the AIDE configuration, and I feel like having
    > configured it well, to catch the things that might be trojaned while
    > leaving out things that I would certainly change often.
    >
    > But I'm working a lot on the system these days, so the output just keeps
    > growing out of hand really quick. I get a Too Much Information problem
    > within a week of having created the database. Last night's output was
    > close to 3000 lines, but I've had up to 60000 lines of output there...
    > I find it hard to keep up at all when the output exceeds a hundred
    > lines.
    >
    > So, I've got to do something, but I don't really understand what.
    > aide --update, ok, but what does that really mean? It just creates a new
    > database to compare with the old, but then, I should keep the old,
    > because there are too many changes for me to keep up and be certain
    > that nothing Bad[tm] has slipped in.... But if I do, the problem just
    > keeps growing...
    >
    > So I hope the kind folks here can offer some advice... :-)
    >
    > Best,
    >
    > Kjetil
    > - --
    > Kjetil Kjernsmo
    > Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
    > kjetilkjernsmo.net webmasterskepsis.no editorlearn-orienteering.org
    > Homepage: http://www.kjetil.kjernsmo.net/

    i've only got 20 or so servers to deal with but i know what you mean.
    i use a shell script to create system backups, i added an option to it
    to do an aide backup which basically consists of

    'tar -cvpWf aide.$date.tar /var/lib/aide/aide.db /etc/aide/aide.conf /usr/bin/aide /var/cache/apt/archives/aide_*.deb'

    then scp that to a backup server where it goes through my normal
    process, except these files never get deleted from disk/tape. so i can always
    go back and see what happened if needed.

    i also like to keep a separate mbox for each server where i can save all
    the interesting logcheck, aide, etc output.

    as far as keeping things small, i usually just do an aide --update the
    day after i've made any changes, i go through the output to make sure
    the only changes are what i expected.

    hope this helps

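The workflow described in the reply (tar up the database, config and binary under a date, never delete a copy, and only then let `aide --update` replace the live database) as an added shell example; this is not the poster's script. The Debian paths in AIDE_FILES, the `aide.db.new` output name and the archive layout are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example (not the poster's script): keep every generation of the AIDE
# database. Each snapshot is a dated tarball of the db, config and binary plus
# a sha256 manifest, so an old db can be pulled back and checked for tampering.
# The default paths are assumed Debian locations; override AIDE_FILES as needed.

AIDE_FILES="${AIDE_FILES:-/var/lib/aide/aide.db /etc/aide/aide.conf /usr/bin/aide}"

# aide_snapshot ARCHIVE_DIR [FILE...]  -> prints the tarball path
aide_snapshot() {
    dir=$1; shift
    [ $# -gt 0 ] || set -- $AIDE_FILES
    mkdir -p "$dir" || return 1
    stamp=$(date -u +%Y%m%d%H%M%S); n=0; tarball="$dir/aide.$stamp.tar"
    while [ -e "$tarball" ]; do n=$((n + 1)); tarball="$dir/aide.$stamp.$n.tar"; done
    # -p keeps modes/ownership; tar drops the leading '/' from stored paths
    tar -cpf "$tarball" "$@" || return 1
    # checksums of the live files, so the archived copy itself can be verified
    sha256sum "$@" > "$tarball.sha256" || return 1
    chmod 0400 "$tarball" "$tarball.sha256"
    printf '%s\n' "$tarball"
}

# aide_verify TARBALL  -> 0 if the archived files still match their manifest
aide_verify() {
    tarball=$1
    # manifest paths are absolute; stored tar paths are relative to the root
    manifest=$(sed 's|  /|  |' "$tarball.sha256") || return 1
    tmp=$(mktemp -d) || return 1
    tar -xpf "$tarball" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    status=0
    (cd "$tmp" && printf '%s\n' "$manifest" | sha256sum -c --quiet --status) || status=$?
    rm -rf "$tmp"
    return $status
}

# aide_promote ARCHIVE_DIR DB_DIR [EXTRA_FILE...]
# Run only after reviewing the `aide --update` report: archive the current db
# (with any extra files), then make aide.db.new the database future checks use.
aide_promote() {
    dir=$1; dbdir=$2; shift 2
    [ -f "$dbdir/aide.db.new" ] || { echo "no $dbdir/aide.db.new to promote" >&2; return 1; }
    aide_snapshot "$dir" "$dbdir/aide.db" "$@" > /dev/null || return 1
    mv "$dbdir/aide.db.new" "$dbdir/aide.db"
}
```

Because the snapshot is taken before the promotion, the tarball written by `aide_promote` is exactly the database the just-reviewed report was produced against, which is the copy you want when you later need to see what changed.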
