using aide for file integrity

if there is a better place to ask this question, please let me know.
after reading all the doc I can find on aide.

#aide --check
does it write a new or append to the existing one?

#aide --update
if this writes the changes from the to the aide.db inorder to set a new standards if you please, then why aide --check when it is executed after aide --update still shows a report of differences in the databases and why the date of the in the ls command does not reflect the time of the writing of the --update?

is there more effective file arrangement to inspect than what I have here in this aide.conf
please consider the advice from
Aide Manual version 0_1.htm
But keep in mind that you should not ignore too much as that leaves you open for an attack. An intruder might place his/her/its/their root kit in a directory that you have ignored completely. One good example is /var/spool/lp or something similar. This is the place that lp daemon stores its temporary files. You should not ignore it completely however. You should only ignore the format of files that you lp daemon keeps creating. And remember to use the $-sign at the end of your regexps. This stops someone from creating a directory that is ignored along with its contents.
I am not sure how to put the above comment into a line of code in the config file.
here is part of my AIDE conf

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1

# Kernel, system map, etc.
=/boot$ Binlib

# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib

# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib

#system configuration files
/etc Binlib

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

hi samj,

in your aide.con there should be setttings for the database file. Always it is advised that you initialize and maintain a database file which contains the information of all the file that you want to be checked and create a new database file when you do an update after making changes to the aide.conf file.

the configuration options in aide.conf are:


so by this u r indicating that your output database is always gonna be, so if u do :

#./aide --config=./aide.conf --init

then you need to do the following without fail:

# mv aide.db

coz u'r new db is but in u'r conf file u have mentioned the db file to be aide.db. So the next time u invoke

#aide --check

it will look for aide.db

So when you do an #aide --update it will write to the new file which you need to move to aide.db. The reason #aide --check is giving you those errors is because of not moving the freshly generated db to the actual db file which aide is looking at for the check.

Hope the above answers u'r question.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.