Smith, Cathy
2013-03-30 23:08:46 UTC
Hi, again
I followed the instructions, and everything worked for what I wanted to check or not check in /var/log/sa. Great. So I went to the next directory, /var/log/aide, did the same thing, but it's not working. I?m still getting notified of files that are expected and that I want to exclude. I'm not sure what is not working. So I'd appreciate your assistance again.
Just a note. I'm running the version provided by Red Hat REHL6. Everything is in one big file. So, to make the most general rule clearer in the file, I reorganized a bit. The default file provided by RH didn't really make it clear about the most general rule and had some things interspersed. Also, this version from RH has nothing set up to handle the normal file creation/deletion that happens with logrotate. I am trying to address this.
Oh, before it's asked, I am very careful when making a change to the aide.conf file to do
aide --check-config
aide --update
cd /var/lib/aide
cp aide.db.new.gz aide.db.gz
I also did a check on the timestamp on aide.db.gz and aide.conf just to be sure.
Here is the part of the report that I don't want to see:
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/aide/aide.log-20130327.gz
added: /var/log/aide/aide.log-20130328
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/aide/aide.log-20130327
Here are the files that exist in /var/log/aide
/var/log/aide.log
/var/log/aide.log-20130330
/var/log/aide.log-20130329.gz
I hate to include the entire aide.conf file either inside the body of the email or as an attachment due to size, but I will if requested. Here is the relevant section that I've created for handling /var/log.
# /var/log - Begin section
# normal type log files that are expected to grow
/var/log/wtmp$ LOG
/var/log/messages$ LOG
/var/log/yum.log$ LOG
/var/log/up2date$ LOG
/var/log/sudo.log$ LOG
/var/log/maillog$ LOG
/var/log/dmesg$ LOG
# ignore files created by logrotate
!/var/log/[a-zA-Z].*-\d{8}.*
# ignore files ending in .old
!/var/log/.*\.old$
# do check /var/log/sa but ignore expected files
!/var/log/sa/sa[0-9][0-9]$
!/var/log/sa/sar[0-9][0-9]$
/var/log/sa NORMAL
# take care of /var/log/aide
!/var/log/aide/aide\.log-\d{8}\.gz
!/var/log/aide/aide\.log-\d{8}$
!/var/log/aide/aide\.log$
/var/log/aide NORMAL
/var/log NORMAL
Thanks in advance for your help.
Best regards,
Cathy
---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy
Phone:? 509.375.2687
Fax:??? ????509.375.2330
Email:? cathy.smith at pnnl.gov
-----Original Message-----
From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf Of Smith, Cathy
Sent: Friday, March 22, 2013 4:00 PM
To: Aide user mailinglist
Cc: Smith, Gary R
Subject: Re: [Aide] question about dealing with expected files
Hi
Thanks for the clarification. This is working now.
The mail from the cron job running aide --check is not reporting the files added/dropped from /var/log/sa any more. It is correctly reporting that the directory /var/log/sa did change.
Here is the email from the cron job:
Subject: Cron <root at foo> /usr/sbin/aide --check 2>&1
AIDE found differences between database and filesystem!!
Start timestamp: 2013-03-22 05:30:01
Summary:
Total number of files: 65498
Added files: 2
Removed files: 1
Changed files: 11
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/aide/aide.log-20130321.gz
added: /var/log/aide/aide.log-20130322
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/aide/aide.log-20130321
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /var/log
changed: /var/log/sa
changed: /var/log/aide
changed: /var/log/aide/aide.log
changed: /var/log/cis
changed: /var/log/audit/audit.log
changed: /var/log/secure
changed: /var/log/cron
changed: /var/log/maillog
changed: /var/log/99updateyum.log
changed: /root/.bash_history
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /var/log
Mtime : 2013-03-21 03:31:04 , 2013-03-22 03:10:04
Ctime : 2013-03-21 03:31:04 , 2013-03-22 03:10:04
Directory: /var/log/sa
Mtime : 2013-03-21 00:00:01 , 2013-03-22 00:00:01
Ctime : 2013-03-21 00:00:01 , 2013-03-22 00:00:01
I made 2 changes to my aide.conf, both where I moved the most general statement to the last. I've included the relevant parts from the aide.conf below, but to summarize, I moved these two directives specifically
/var/log/sa
/var/log
The default aide.conf provided by Red Hat assumes that / is not included in the check, so it starts by specifying what I do want to have checked. I've modified some of the default rules to remove the check for selinux as it is not running in my environment.
# Sane, with multiple hashes
NORMAL = R+rmd160+sha256-selinux
# For directories, don't bother doing hashes DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfile are special, in that they often change LOG = >
# Next decide what directories/files you want in the database.
# note: These are the RH default entries. RH doesn't by default check starting at / - cls
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# My customizations
# subdirectories in /var/log
/var/log/(aide|cis|mail|ntpstats|ppp|prelink|rhsm) NORMAL
# 03.21.13 cls - ignore CommVault log directory !/var/log/simpana
# normal type log files that are expected to grow /var/run/utmp$ LOG /var/log/wtmp$ LOG /var/log/messages$ LOG
# do check /var/log/sa but ignore expected files !/var/log/sa/sa[0-9][0-9]$ !/var/log/sa/sar[0-9][0-9]$ /var/log/sa NORMAL
# most general goes last
/var/log NORMAL
Thank you again.
Kind regards,
Cathy
---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy
Phone:? 509.375.2687
Fax:??? ????509.375.2330
Email:? cathy.smith at pnnl.gov
-----Original Message-----
From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf Of Richard van den Berg
Sent: Monday, March 18, 2013 11:46 PM
To: Aide user mailinglist
Subject: Re: [Aide] question about dealing with expected files
How did you try to exclude this directory? Please show us your aide.conf
Kind regards,
Richard
_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
I followed the instructions, and everything worked for what I wanted to check or not check in /var/log/sa. Great. So I went to the next directory, /var/log/aide, did the same thing, but it's not working. I?m still getting notified of files that are expected and that I want to exclude. I'm not sure what is not working. So I'd appreciate your assistance again.
Just a note. I'm running the version provided by Red Hat REHL6. Everything is in one big file. So, to make the most general rule clearer in the file, I reorganized a bit. The default file provided by RH didn't really make it clear about the most general rule and had some things interspersed. Also, this version from RH has nothing set up to handle the normal file creation/deletion that happens with logrotate. I am trying to address this.
Oh, before it's asked, I am very careful when making a change to the aide.conf file to do
aide --check-config
aide --update
cd /var/lib/aide
cp aide.db.new.gz aide.db.gz
I also did a check on the timestamp on aide.db.gz and aide.conf just to be sure.
Here is the part of the report that I don't want to see:
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/aide/aide.log-20130327.gz
added: /var/log/aide/aide.log-20130328
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/aide/aide.log-20130327
Here are the files that exist in /var/log/aide
/var/log/aide.log
/var/log/aide.log-20130330
/var/log/aide.log-20130329.gz
I hate to include the entire aide.conf file either inside the body of the email or as an attachment due to size, but I will if requested. Here is the relevant section that I've created for handling /var/log.
# /var/log - Begin section
# normal type log files that are expected to grow
/var/log/wtmp$ LOG
/var/log/messages$ LOG
/var/log/yum.log$ LOG
/var/log/up2date$ LOG
/var/log/sudo.log$ LOG
/var/log/maillog$ LOG
/var/log/dmesg$ LOG
# ignore files created by logrotate
!/var/log/[a-zA-Z].*-\d{8}.*
# ignore files ending in .old
!/var/log/.*\.old$
# do check /var/log/sa but ignore expected files
!/var/log/sa/sa[0-9][0-9]$
!/var/log/sa/sar[0-9][0-9]$
/var/log/sa NORMAL
# take care of /var/log/aide
!/var/log/aide/aide\.log-\d{8}\.gz
!/var/log/aide/aide\.log-\d{8}$
!/var/log/aide/aide\.log$
/var/log/aide NORMAL
/var/log NORMAL
Thanks in advance for your help.
Best regards,
Cathy
---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy
Phone:? 509.375.2687
Fax:??? ????509.375.2330
Email:? cathy.smith at pnnl.gov
-----Original Message-----
From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf Of Smith, Cathy
Sent: Friday, March 22, 2013 4:00 PM
To: Aide user mailinglist
Cc: Smith, Gary R
Subject: Re: [Aide] question about dealing with expected files
Hi
Thanks for the clarification. This is working now.
The mail from the cron job running aide --check is not reporting the files added/dropped from /var/log/sa any more. It is correctly reporting that the directory /var/log/sa did change.
Here is the email from the cron job:
Subject: Cron <root at foo> /usr/sbin/aide --check 2>&1
AIDE found differences between database and filesystem!!
Start timestamp: 2013-03-22 05:30:01
Summary:
Total number of files: 65498
Added files: 2
Removed files: 1
Changed files: 11
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/aide/aide.log-20130321.gz
added: /var/log/aide/aide.log-20130322
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/aide/aide.log-20130321
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /var/log
changed: /var/log/sa
changed: /var/log/aide
changed: /var/log/aide/aide.log
changed: /var/log/cis
changed: /var/log/audit/audit.log
changed: /var/log/secure
changed: /var/log/cron
changed: /var/log/maillog
changed: /var/log/99updateyum.log
changed: /root/.bash_history
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /var/log
Mtime : 2013-03-21 03:31:04 , 2013-03-22 03:10:04
Ctime : 2013-03-21 03:31:04 , 2013-03-22 03:10:04
Directory: /var/log/sa
Mtime : 2013-03-21 00:00:01 , 2013-03-22 00:00:01
Ctime : 2013-03-21 00:00:01 , 2013-03-22 00:00:01
I made 2 changes to my aide.conf, both where I moved the most general statement to the last. I've included the relevant parts from the aide.conf below, but to summarize, I moved these two directives specifically
/var/log/sa
/var/log
The default aide.conf provided by Red Hat assumes that / is not included in the check, so it starts by specifying what I do want to have checked. I've modified some of the default rules to remove the check for selinux as it is not running in my environment.
# Sane, with multiple hashes
NORMAL = R+rmd160+sha256-selinux
# For directories, don't bother doing hashes DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfile are special, in that they often change LOG = >
# Next decide what directories/files you want in the database.
# note: These are the RH default entries. RH doesn't by default check starting at / - cls
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# My customizations
# subdirectories in /var/log
/var/log/(aide|cis|mail|ntpstats|ppp|prelink|rhsm) NORMAL
# 03.21.13 cls - ignore CommVault log directory !/var/log/simpana
# normal type log files that are expected to grow /var/run/utmp$ LOG /var/log/wtmp$ LOG /var/log/messages$ LOG
# do check /var/log/sa but ignore expected files !/var/log/sa/sa[0-9][0-9]$ !/var/log/sa/sar[0-9][0-9]$ /var/log/sa NORMAL
# most general goes last
/var/log NORMAL
Thank you again.
Kind regards,
Cathy
---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy
Phone:? 509.375.2687
Fax:??? ????509.375.2330
Email:? cathy.smith at pnnl.gov
-----Original Message-----
From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf Of Richard van den Berg
Sent: Monday, March 18, 2013 11:46 PM
To: Aide user mailinglist
Subject: Re: [Aide] question about dealing with expected files
How did you try to exclude this directory? Please show us your aide.conf
Kind regards,
Richard
_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide