rpm/yum integration about aide HOT 5 OPEN

+1

The current way that aide is implemented, is a major obstacle for using it in my systems. While I want to be notified about any "unofficial" changes to my systems, I don't want aide to report signed RPM changes.

On RHEL and CentOS, the changes are not daily, but they happen frequently enough within the month, to make aide completely unusable for monitoring system paths.

As @Zugschlus mentioned above, we end up updating aide's database over and over again, which results in an unnecessary update of the whole database.

The end result, is that aide is unusable for scanning an entire system, unless the admin isn't bothered by the constant notifications for changes.

For aide to actually be usable at a large scale, it needs to integrate with the RPM database (and/or with yum/dnf). When signed packages are updated, their changes should be merged with aide's own database.

I understand that this would require significant work, but its the only way to move forward.

Thank you.

from aide.

@robo2bobo Thanks for your input.

I plan to resolve this issue by using GnuPG-signed reference databases (to be signed and provided by the distributions, e.g. Debian). On database updates AIDE would hide file changes matching the reference database(s).

from aide.

I implemented a simple approach to reduce aide reports via package information and have been happily using this on some servers for some months. Unfortunately, it is for Ubuntu/Debian, but it might be easily adapted to other package systems.

https://github.com/svenha/aide-filter

from aide.

@svenha on Ubuntu/Debian you can set FILTERUPDATES or FILTERINSTALLATIONS in /etc/default/aide to filter changes from package upgrades or installations.

from aide.

@hvhaugwitz Thanks for sharing this alternative solution. Two solutions are always better than one :-)

from aide.