When it comes to host-based intrusion detection I’m most familiar with the Tripwire OpenSource Edition, while shopping around for a HIDS to deploy on a play box I decided to try AIDE. And got stopped at one of the first hurdles.
Tripwire has an interactive update mechanism, it runs a scan (based on your config file) and then prompts you to except, reject or mark changes as pending - within one operation. Unless I’m missing something, AIDE takes a generate signatures, user checks the output, generate signatures approach, which leaves a huge race condition open. Any files created / edited between the check and second generate steps will slip through the net.
Am I missing something or is this really how it works?