Sorry if this is a cross-post, but I'm not sure which mailing list is active or what purposes the different ones serve. I sent this to the firstname.lastname@example.org over a week ago and haven't gotten a response, so I'll try this list :-)
I've been using AIDE for a while now to monitor a few servers. It took a while to get it tuned to watch the correct files and all, but after that it's been working well except for a few problems. Every so often, files will show up as being added that have been there before. For instance, in this last run, all the files one directory deep or more in /lib (so not the files in the /lib directory itself, but all directories under that) and all the files in /bin and /sbin were shown as being 'added'. At first I thought maybe some attribute was being changed so that AIDE thought the same file was a different one, but they are not listed under 'removed'. Any ideas?
Also, I find the documentation a little confusing. What exactly does putting an = at the first of the line change about a rule?
I'm running AIDE .10 on an ext3 filesystem under a 2.4.26 kernel.