Discussion:
[Aide] Intrusion report of directory files
oliver.k
2011-06-06 08:49:34 UTC
Permalink
Hi all

I'm pretty new to AIDE and have been trying for a while to get the hang of the configuration.

I have made a rule like this:

RULE=p+i+n+u+g+s+m+md5

and use this rule on the directory path /opt:

/opt RULE

My problem is some scripts that write temporary files somewhere in /opt/.../..., and this behaviour causes AIDE to report an
intrusion because of the mtime check. Does anyone have an idea how I can solve that problem? I don't want to remove the
mtime check. My thoughts go in the direction of excluding the mtime check for all directory files. Is that possible?


Thank you for your time and help
Vijay
2011-06-06 13:48:27 UTC
Permalink
Try "!/opt/SomeSoftware/tmp" without the quotes.

V
_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
oliver.k
2011-06-06 15:01:59 UTC
Permalink
Hi V

Sorry, maybe I was not clear enough. I have approximately 25 subdirectories in /opt and am looking for a rule to
exclude that globally for /opt and not by excluding each subdirectory. Otherwise it's very unwieldy.

Kind regards,

Oliver

Vijay
2011-06-06 15:26:08 UTC
Permalink
Your best bet would be to write a rule using regular expressions.
Also, if the majority of the directories are to be ignored, then consider
writing rules for the ones you want to monitor and ignoring the rest
("=/opt/app1$"). Take a look at
http://www.cs.tut.fi/~rammer/aide/manual.html#usage for some examples
and pitfalls to watch out for.

Can you share a list of directories you are trying to include/exclude?
Maybe I can try to help write the reg-ex rule.

V


oliver.k
2011-06-07 14:07:34 UTC
Permalink
Hi V

Here are some examples of what the directory names look like:

/opt
/opt/install-test
/opt/install-live
/opt/install-test/management
/opt/install-test/management/scripts
/opt/httpd

and so on. Unfortunately I cannot make a qualified
conclusion about the depth of the path.

Do you have any idea?

Kind regards,
Oliver

Rami Lehti
2011-06-06 16:04:09 UTC
Permalink
You could use a rule that excludes mtime.

/opt RULE-m

If that is not what you want, then I'm afraid you have to list all 25 directories. Unless you create a single monster regexp that includes all 25 dirs.

Rami
oliver.k
2011-06-07 14:01:44 UTC
Permalink
Hi Rami

Thank you for your reply.

You're right, that's not my goal. I was trying to create a monster regex for exactly
that; however, I have not found the right solution so far. Do you have any idea?

Kind regards
Oliver

Hannes von Haugwitz
2011-06-06 16:44:12 UTC
Permalink
Post by oliver.k
My problem are some scripts
that write temporary files in the directory somewhere in /opt/.../... and by this behavior it causes aide do report an
intrusion because of the mtime check. Does anyone have an idea how I can solve that problem? I don't want to remove the
mtime check. My thoughts go to the direction of excluding the mtime check for all directory files, is that possible?
No, selection by file type is currently not supported.

There is a request on sf.net for a similar feature[0]. If this request
doesn't fit your needs, please feel free to file your own[1].

As a workaround you can use a rule like the following:

/opt/reg-ex/to/changing/directories$ RULE-m

Greetings

Hannes

[0] http://sourceforge.net/tracker/?func=detail&aid=1635601&group_id=86976&atid=581582
[1] http://sourceforge.net/tracker/?atid=581582&group_id=86976&func=browse
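An aide.conf fragment that ties together the three suggestions above, Vijay's "!" and "=" lines, Rami's "RULE-m" and Hannes's regex workaround, written for the pre-0.16 syntax the thread discusses. This is an added example, not from the thread, the AIDE manual or the project's own configuration files. /opt/install-test/management/scripts and /opt/httpd come from Oliver's listing; /opt/install-live/management/scripts, /opt/install-live/tmp, /opt/app1 and the group name RULE_NOMTIME are assumed for illustration.

```conf
# Added example (not from the thread or the AIDE manual); pre-0.16 syntax.
# Assumed paths: /opt/install-live/management/scripts, /opt/install-live/tmp,
# /opt/app1. Assumed group name: RULE_NOMTIME.

# Oliver's group: permissions, inode, link count, uid, gid, size, mtime, md5
RULE=p+i+n+u+g+s+m+md5

# Rami's suggestion, kept as a second group so both variants can be used
# on different lines: the same attributes with mtime ('m') subtracted.
RULE_NOMTIME=RULE-m

# Vijay's first suggestion: a negative ('!') line drops a subtree entirely.
# Nothing below /opt/install-live/tmp is checked or stored in the database.
!/opt/install-live/tmp

# Hannes's workaround: a regex naming the directories the scripts write into,
# with the mtime-free group applied only there. AIDE anchors the regex at the
# beginning of the path, so the trailing '$' is what stops the line from also
# matching the files inside those directories; the (a|b) alternation covers
# the install-test and install-live trees in one line.
/opt/(install-test|install-live)/management/scripts$ RULE_NOMTIME

# Everything else below /opt keeps the full group, mtime included.
/opt RULE

# Vijay's alternative for the inverse situation, where most of /opt should be
# ignored: equals ('=') lines watch only the path named, not its children,
# and anything matched by no line at all is simply left out.
# =/opt/app1$ RULE
```

The specific line is placed before the catch-all /opt line on the assumption that AIDE uses the first selection line that matches; check this against the aide.conf man page of the version in use before relying on it. Two caveats: the regex is anchored only at the start, so a bare /opt also matches a path such as /optional, and the temporary files themselves still match the catch-all line, so they are still reported as added or removed. Only the directory mtime noise goes away.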
oliver.k
2011-06-07 14:03:41 UTC
Permalink
Hi Hannes

Thank you for the hint with the request. Didn't know about that so far. That would exactly be what I'm
looking for, an option to create a rule by filetype.

Kind regards
Oliver

Hannes von Haugwitz
2016-04-16 11:24:49 UTC
Permalink
Hi,
Post by oliver.k
Thank you for the hint with the request. Didn't know about that so
far. That would exactly be what I'm looking for, an option to create a
rule by filetype.
The latest beta release of AIDE (v0.16b1)[0] introduces restricted
selection lines (see 'RESTRICTED SELECTION LINES' section in aide.conf
man page for details).

Best regards

Hannes

[0] https://sourceforge.net/p/aide/mailman/message/35017320/
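The same split, directories without mtime and files with it, written with the restricted selection lines Hannes refers to. This is an added example, not from the thread or the AIDE manual; it assumes AIDE 0.16 or later and the syntax documented in the 'RESTRICTED SELECTION LINES' section of its aide.conf man page, where a comma-separated list of file types sits between the regex and the group.

```conf
# Added example (not from the thread or the AIDE manual).
# Assumes AIDE >= 0.16, where a selection line may carry a file-type
# restriction: regex, then the type list, then the group.

# Oliver's group: permissions, inode, link count, uid, gid, size, mtime, md5
RULE=p+i+n+u+g+s+m+md5

# Directories (type 'd') anywhere below /opt get the group minus mtime, so a
# script creating and deleting temporary files no longer flags the parent
# directory. No regex or per-directory listing is needed for this.
/opt d RULE-m

# Regular files (type 'f') below /opt keep the full group, mtime included.
/opt f RULE

# Symbolic links (type 'l') need a line of their own: a path whose type
# matches none of the restricted lines is not added to the database at all.
/opt l RULE
```

Because the type lists are disjoint, the order of the three lines does not matter. If a directory still shows up in reports after this, the next attribute to look at is size ('s'), which can also grow when entries are added on some filesystems; subtracting it as well (RULE-m-s) on the 'd' line is the obvious follow-up.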
