AIDE config false positives

Hi, I'm currently configuring AIDE to be rolled out on our platform as a substitute for RKHunter. I have a question about establishing a baseline:

I notice that I seem to get a lot of false positives.

As an example:

/var/log/ LOG+ANF+ARF

I would expect that I don't get any messages in my aide.log, but I see them all the time. Of course, one solution would be to exclude the whole /var/log directory, but that's not something I would want.

How can I solve this, anyone got an idea?
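One way to triage which attribute changes are behind the /var/log reports before loosening the rule. This is an added example, not code from the post or from AIDE: it parses summarize_changes-style lines from an aide.log and separates entries whose changes look like ordinary log growth from those that do not. The sample report lines are constructed, and the flag-letter meanings are an assumption taken from aide.conf(5) that should be checked against your AIDE version.

```python
import re
from collections import Counter

# Meaning of the flag characters AIDE prints in summarize_changes output
# (assumed mapping; verify against aide.conf(5) for the AIDE version in use).
FLAG_NAMES = {
    "p": "permissions", "u": "uid", "g": "gid", "a": "atime", "m": "mtime",
    "c": "ctime", "i": "inode", "n": "link_count", "b": "block_count",
    "l": "link_name", "C": "checksum", "A": "acl", "X": "xattrs",
    "S": "selinux", "E": "e2fs_attrs", ">": "size_grew", "<": "size_shrank",
}

# Constructed sample of a "Changed entries" section; not taken from a real host.
SAMPLE_REPORT = """\
f >.... mc..C.. : /var/log/syslog
f <.... mc..C.. : /var/log/auth.log
f  .... mc.. .. : /var/log/lastlog
f >.... mc..C.. : /var/log/messages
f   ...p mc..C.. : /etc/ssh/sshd_config
"""

# "<type><flags> : <path>"; letters are matched by value, not by column.
LINE_RE = re.compile(r"^(?P<type>[fdlcbps])(?P<flags>[^:]*):\s*(?P<path>/\S+)$")

# Attributes an append-only log legitimately changes between two runs (assumed).
EXPECTED_LOG_CHANGES = {"size_grew", "mtime", "ctime", "checksum", "block_count"}


def parse_changed_entries(text):
    """Return {path: set of changed attribute names} for each summary line."""
    changes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and non-summary lines are skipped
        attrs = {FLAG_NAMES[ch] for ch in m.group("flags") if ch in FLAG_NAMES}
        changes[m.group("path")] = attrs
    return changes


def attribute_histogram(changes, prefix):
    """Count how often each attribute changed under prefix (e.g. /var/log/)."""
    counter = Counter()
    for path, attrs in changes.items():
        if path.startswith(prefix):
            counter.update(attrs)
    return counter


def unexpected_log_changes(changes, prefix="/var/log/"):
    """Paths under prefix whose changes go beyond ordinary append growth."""
    return {p: a - EXPECTED_LOG_CHANGES for p, a in changes.items()
            if p.startswith(prefix) and not a <= EXPECTED_LOG_CHANGES}
```

Entries left in the unexpected set (here a shrunken auth.log, typically rotation or truncation) are the ones worth a targeted rule or investigation; the rest are the growth the LOG group is meant to tolerate.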