Discussion:
[Aide] Need help with AIDE configuration
LIJE Creative
2016-04-21 21:14:25 UTC
Hi guys,

Like you, I'm a user of AIDE but I need a hand about the configuration.

I'm getting the daily aide report. It contains the 1000 first lines of the
log file.

[image: Inline image 1]

Do you know if there is a way to get only the list of newly added entries
(difference between the new and old database) and the changed entries?
Every day, I'm getting these 330k newly added entries so I can't check if
anything is messed up.

I'm running AIDE on my /var/www folder to check newly added files from my
clients or hackers.

Thanks


Jérôme LILLE | Agency Manager
***@lije-creative.com | +33 7 70 87 02 03
Website: www.lije-creative.com
Keith Constable
2016-04-22 03:05:38 UTC
"aide --check " compares the file system to the aide database and gives you
a report of changed and added and deleted files.

Are you using an OS packaged version of AIDE? AIDE itself produces no daily
report.

You should only --init a new database once you've validated all changes
reported by the --check run.

What protections do you have in place to ensure that the AIDE binaries and
database aren't compromised by an intruder?

Regards,
Keith
Post by LIJE Creative
Hi guys,
Like you, I'm a user of AIDE but I need a hand about the configuration.
I'm getting the daily aide report. It contains the 1000 first lines of the
log file.
[image: Inline image 1]
Do you know if there is a way to get only the list of newly added entries
(difference between the new and old database) and the changed entries?
Every day, I'm getting these 330k newly added entries so I can't check if
anything is messed up.
I'm running AIDE on my /var/www folder to check newly added files from my
clients or hackers.
Thanks
Jérôme LILLE | Agency Manager
Website: www.lije-creative.com
LIJE Creative
2016-04-22 06:50:26 UTC
No, AIDE out of the box offers a daily report.
Once installed, it added the file /etc/cron.daily/aide which sends me
a daily report.
There is a MAILTO parameter which must be filled to work.

CRON_DAILY_RUN="${CRON_DAILY_RUN:-yes}"
MAILTO="***@xxx.fr"
eval MAILTO="$MAILTO"
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
LINES="${LINES:-1000}"
COMMAND="${COMMAND:-check}"
COPYNEWDB="${COPYNEWDB:-no}"
QUIETREPORTS="${QUIETREPORTS:-no}"
SILENTREPORTS="${SILENTREPORTS:-no}"
TRUNCATEDETAILS="${TRUNCATEDETAILS:-no}"
FILTERUPDATES="${FILTERUPDATES:-no}"
FILTERINSTALLATIONS="${FILTERINSTALLATIONS:-no}"
CRONEXITHOOK="${CRONEXITHOOK:-}"
ONEXIT=""

You can also see that the command is check, indeed.
It's not the AIDE binaries and database that matter to me but the files of
my web server.
If a hacker gets a chance to inject some file into a website, I want to see
it. But he probably won't modify the AIDE database himself.

Regards,


Jérôme LILLE | Agency Manager
***@lije-creative.com | +33 7 70 87 02 03
Website: www.lije-creative.com
Post by Keith Constable
"aide --check " compares the file system to the aide database and gives
you a report of changed and added and deleted files.
Are you using an OS packaged version of AIDE? AIDE itself produces no
daily report.
You should only --init a new database once you've validated all changes
reported by the --check run.
What protections do you have in place to ensure that the AIDE binaries and
database aren't compromised by an intruder?
Regards,
Keith
Post by LIJE Creative
Hi guys,
Like you, I'm a user of AIDE but I need a hand about the configuration.
I'm getting the daily aide report. It contains the 1000 first lines of
the log file.
[image: Inline image 1]
Do you know if there is a way to get only the list of newly added entries
(difference between the new and old database) and the changed entries?
Every day, I'm getting these 330k newly added entries so I can't check if
anything is messed up.
I'm running AIDE on my /var/www folder to check newly added files from my
clients or hackers.
Thanks
Jérôme LILLE | Agency Manager
Website: www.lije-creative.com
_______________________________________________
Aide mailing list
https://mailman.cs.tut.fi/mailman/listinfo/aide
Keith Constable
2016-04-22 11:47:27 UTC
The answer to your original question is to run "aide --check". Given a
properly initialized database, the output will be exactly what you're
looking for. I promise.

Based on the screen shot you originally included, it looks to me that your
current database is empty. You'll need to move/rename the aide.db.new file
generated by that cron script into the path and file name noted by the
DATABASE variable line. Future runs of AIDE will then only report actual
filesystem changes.


If you browse the source for AIDE, I doubt you will find references to this
cron script. OS packages often include these sorts of scripts for ease of
use. If I'm wrong, I'm certain Hannes will step in and correct me. In the
past, he's stated that he's unable to support the cron scripts because he
didn't write them. I also have no experience with this cron script.

I mentioned protecting the AIDE database and binaries because any results
generated by AIDE are meaningless unless you can verify that an intruder
hasn't modified the binaries and database. That said, I understand certain
applications of AIDE may not warrant such paranoia. It's up to you how far
you want to take it.

Regards,
Keith
Post by LIJE Creative
No, AIDE out of the box offers a daily report.
Once installed, it added the file /etc/cron.daily/aide which sends
me a daily report.
There is a MAILTO parameter which must be filled to work.
CRON_DAILY_RUN="${CRON_DAILY_RUN:-yes}"
eval MAILTO="$MAILTO"
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
LINES="${LINES:-1000}"
COMMAND="${COMMAND:-check}"
COPYNEWDB="${COPYNEWDB:-no}"
QUIETREPORTS="${QUIETREPORTS:-no}"
SILENTREPORTS="${SILENTREPORTS:-no}"
TRUNCATEDETAILS="${TRUNCATEDETAILS:-no}"
FILTERUPDATES="${FILTERUPDATES:-no}"
FILTERINSTALLATIONS="${FILTERINSTALLATIONS:-no}"
CRONEXITHOOK="${CRONEXITHOOK:-}"
ONEXIT=""
You can also see that the command is check, indeed.
It's not the AIDE binaries and database that matter to me but the files of
my web server.
If a hacker gets a chance to inject some file into a website, I want to see
it. But he probably won't modify the AIDE database himself.
Regards,
Jérôme LILLE | Agency Manager
Website: www.lije-creative.com
Post by Keith Constable
"aide --check " compares the file system to the aide database and gives
you a report of changed and added and deleted files.
Are you using an OS packaged version of AIDE? AIDE itself produces no
daily report.
You should only --init a new database once you've validated all changes
reported by the --check run.
What protections do you have in place to ensure that the AIDE binaries
and database aren't compromised by an intruder?
Regards,
Keith
Post by LIJE Creative
Hi guys,
Like you, I'm a user of AIDE but I need a hand about the configuration.
I'm getting the daily aide report. It contains the 1000 first lines of
the log file.
Do you know if there is a way to get only the list of newly added
entries (difference between the new and old database) and the changed
entries?
Every day, I'm getting these 330k newly added entries so I can't check if
anything is messed up.
I'm running AIDE on my /var/www folder to check newly added files from
my clients or hackers.
Thanks
Hannes von Haugwitz
2016-04-22 17:44:25 UTC
Hi,
Post by Keith Constable
If you browse the source for AIDE, I doubt you will find references to this
cron script. OS packages often include these sorts of scripts for ease of
use. If I'm wrong, I'm certain Hannes will step in and correct me.
Yes, upstream AIDE doesn't contain a cron script. The cron script
belongs to the Debian package[0], which I also maintain.
Post by Keith Constable
In the past, he's stated that he's unable to support the cron scripts
because he didn't write them.
If I remember correctly this statement was made by Richard (one of the
past AIDE developers).

Best regards

Hannes

[0] https://anonscm.debian.org/cgit/pkg-aide/aide.git
Richard van den Berg
2016-04-22 20:34:57 UTC
If I remember correctly this statement was made by Richard (one of the past AIDE developers).
You're probably right.

Cheers,

Richard (ex-AIDE developer)
Hannes von Haugwitz
2016-04-22 18:11:04 UTC
Post by Keith Constable
I mentioned protecting the AIDE database and binaries because any results
generated by AIDE are meaningless unless you can verify that an intruder
hasn't modified the binaries and database. That said, I understand certain
applications of AIDE may not warrant such paranoia. It's up to you how far
you want to take it.
Just out of curiosity, what are your methods to ensure the integrity of
the AIDE binary and the database?

Best regards

Hannes
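One way to answer this question, as an added example that is not code from AIDE or its Debian package: keep a reference manifest of the AIDE binary and database hashes (stored off-host or on read-only media), refuse to run the check when they no longer match, and make promoting aide.db.new a deliberate step after the report has been reviewed rather than the unconditional copy that COPYNEWDB=yes performs. All function names and paths here are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from AIDE or its Debian package): record the hashes of the
# AIDE binary and database in a reference manifest, refuse to run a check when
# they no longer match, and promote aide.db.new only as an explicit, reviewed
# step. Paths are parameters so it can be exercised on scratch files; in
# practice the manifest belongs off-host or on read-only media.

# Fall back to shasum where GNU coreutils is not available.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# make_manifest MANIFEST FILE... : write one "sha256  path" line per file
make_manifest() {
    out=$1
    shift
    sha256sum "$@" > "$out"
}

# verify_manifest MANIFEST : 0 if every recorded file is unchanged, else 1
verify_manifest() {
    sha256sum --check --status "$1"
}

# trusted_run MANIFEST CMD... : run CMD (e.g. aide --check) only when the
# manifest verifies. Returns 2 without running anything on a mismatch,
# otherwise CMD's own exit status (AIDE uses it to signal findings).
trusted_run() {
    manifest=$1
    shift
    if ! verify_manifest "$manifest"; then
        echo "refusing to run: files listed in $manifest have changed" >&2
        return 2
    fi
    "$@"
}

# promote_db MANIFEST NEWDB DB BINARY : replace DB with the reviewed NEWDB and
# re-record the manifest. Calling this by hand after reading the report is the
# step that COPYNEWDB=yes in /etc/default/aide performs unconditionally.
promote_db() {
    manifest=$1; newdb=$2; db=$3; bin=$4
    if [ ! -f "$newdb" ]; then
        echo "no new database at $newdb" >&2
        return 1
    fi
    mv "$newdb" "$db" && make_manifest "$manifest" "$bin" "$db"
}
```

The manifest check only helps if the manifest and the hashing tool themselves live somewhere the host cannot silently rewrite; a copy on the same disk is merely a speed bump.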
LIJE Creative
2016-04-23 08:11:28 UTC
Hi,

I tweaked /etc/default/aide as requested. The db seems to be copied now.


AIDE returned with exit code 5. Added and changed entries detected!
AIDE post run information
output database /var/lib/aide/aide.db.new was copied to
/var/lib/aide/aide.db as requested by cron job configuration
End of AIDE post run information
AIDE produced no errors.

Output is 329870 lines, truncated to 1000.
AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Start timestamp: 2016-04-23 06:25:06 +0200
Verbose level: 6

Summary:
Total number of entries: 331957
Added entries: 329796
Removed entries: 0
Changed entries: 6


Also, AIDE does an update, not a check by default in the configuration
file. I had to put yes in the COPYNEWDB option.
I'll let you know in the following days how it's going on.

@Keith : I just used apt-get install aide to get AIDE on my Debian Jessie
8, nothing more. As Hannes said, the cron is part of this package but I
didn't know upstream AIDE doesn't contain a cron script.

Regards,


Jérôme LILLE | Agency Manager
***@lije-creative.com | +33 7 70 87 02 03
Website: www.lije-creative.com
Post by Hannes von Haugwitz
Post by Keith Constable
I mentioned protecting the AIDE database and binaries because any results
generated by AIDE are meaningless unless you can verify that an intruder
hasn't modified the binaries and database. That said, I understand certain
applications of AIDE may not warrant such paranoia. It's up to you how far
you want to take it.
Just out of curiosity, what are your methods to ensure the integrity of
the AIDE binary and the database?
Best regards
Hannes
LIJE Creative
2016-04-25 06:29:22 UTC
Hi guys,

It's working better with the last tweaks I did on the cron conf file.
Thanks Keith and Hannes about that.

Also, I wanted to ask how to exclude folders with a wild card?
Currently, I have a lot of ISPConfig websites and a lot of session files
generated in the /tmp/ folder of every website.
I wanted to exclude these folders like that:

!/home/www/clients/client0/*/tmp/.*

But the wild card doesn't seem to work.

/home/www/clients/client0/web11/tmp/sess_8demipef935hpkklaop8ad0fr0
/home/www/clients/client0/web12/tmp/sess_878h8gq2gqnl9b4b424cqd35c3
/home/www/clients/client0/web12/tmp/sess_8aq7l3qbb22ff4n7nhjpvhg9v5
/home/www/clients/client0/web12/tmp/sess_8demipef935hpkklaop8ad0fr0
/home/www/clients/client0/web12/tmp/sess_8gnjb088jl6dskt1n9asakf9s3
/home/www/clients/client0/web12/tmp/sess_8l446hr5vhbmnk6lpj2nlke216
/home/www/clients/client0/web12/tmp/sess_8p51s15v8or8llh1cpb33760s6

are still being added to the database.
I want it to be dynamic if I add more websites.
I have 40+ websites on this server. I don't want to add the 40 folders to
exclude.

Can you help?

Regards,


Jérôme LILLE | Agency Manager
***@lije-creative.com | +33 7 70 87 02 03
Website: www.lije-creative.com
Post by LIJE Creative
Hi,
I tweaked /etc/default/aide as requested. The db seems to be copied now.
AIDE returned with exit code 5. Added and changed entries detected!
AIDE post run information
output database /var/lib/aide/aide.db.new was copied to
/var/lib/aide/aide.db as requested by cron job configuration
End of AIDE post run information
AIDE produced no errors.
Output is 329870 lines, truncated to 1000.
AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Start timestamp: 2016-04-23 06:25:06 +0200
Verbose level: 6
Total number of entries: 331957
Added entries: 329796
Removed entries: 0
Changed entries: 6
Also, AIDE does an update, not a check by default in the configuration
file. I had to put yes in the COPYNEWDB option.
I'll let you know in the following days how it's going on.
@Keith : I just used apt-get install aide to get AIDE on my Debian
Jessie 8, nothing more. As Hannes said, the cron is part of this package
but I didn't know upstream AIDE doesn't contain a cron script.
Regards,
Jérôme LILLE | Agency Manager
Website: www.lije-creative.com
Post by Hannes von Haugwitz
Post by Keith Constable
I mentioned protecting the AIDE database and binaries because any results
generated by AIDE are meaningless unless you can verify that an intruder
hasn't modified the binaries and database. That said, I understand certain
applications of AIDE may not warrant such paranoia. It's up to you how far
you want to take it.
Just out of curiosity, what are your methods to ensure the integrity of
the AIDE binary and the database?
Best regards
Hannes

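As an added example that is not part of the thread, here is why the rule in the post above misses: AIDE selection lines are POSIX extended regular expressions implicitly anchored at the start of the path, so "/*" means "zero or more slashes", not a directory wildcard. The script below tests the posted rule and a corrected one (using [^/]+ for the per-site component) against constructed sample paths with grep -E, which uses the same regex syntax; the sample paths and function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: why "!/home/www/clients/client0/*/tmp/.*" does not exclude
# the session files. AIDE rules are POSIX extended regexes implicitly anchored
# at the start of the path, so "/*" means "zero or more slashes", not a
# directory wildcard. The sample paths below are constructed for this test.

SAMPLE_PATHS='/home/www/clients/client0/web11/tmp/sess_8demipef935hpkklaop8ad0fr0
/home/www/clients/client0/web12/tmp/sess_878h8gq2gqnl9b4b424cqd35c3
/home/www/clients/client0/web12/tmp/sess_8aq7l3qbb22ff4n7nhjpvhg9v5
/home/www/clients/client0/web12/web/index.php
/home/www/clients/client0/web12/web/tmp/cache.bin
/home/www/clients/client0/tmp/sess_constructed'

# The rule as posted, and a corrected one: [^/]+ matches exactly one path
# component (web11, web12, ...), so new sites are covered automatically
# without also excluding tmp directories deeper inside a site's tree.
BROKEN_RULE='!/home/www/clients/client0/*/tmp/.*'
FIXED_RULE='!/home/www/clients/client0/[^/]+/tmp/'

# rule_regex RULE : strip AIDE's leading "!" and add the implicit anchor
rule_regex() {
    printf '^%s' "${1#!}"
}

# count_excluded RULE : how many sample paths the negative rule would drop
count_excluded() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -E -c "$(rule_regex "$1")" || true
}

# kept_paths RULE : the paths AIDE would still add to the database
kept_paths() {
    printf '%s\n' "$SAMPLE_PATHS" | grep -E -v "$(rule_regex "$1")" || true
}

echo "excluded by posted rule: $(count_excluded "$BROKEN_RULE")"   # 1
echo "excluded by fixed rule:  $(count_excluded "$FIXED_RULE")"    # 3
echo "still tracked with fixed rule:"
kept_paths "$FIXED_RULE"
```

With the trailing slash the tmp directory entry itself stays in the database and only its contents are skipped; drop the slash (and anchor with $ or a following slash) to exclude the directory entry as well.
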
Hannes von Haugwitz
2016-04-22 17:00:28 UTC
Hi,
Post by LIJE Creative
Do you know if there is a way to get only the list of newly added entries
(difference between the new and old database) and the changed entries?
Everyday, I'm getting these 330k new added entries so I can't check if
anything is messed up.
Looks like you are using the aide package from Debian/Ubuntu.

Please have a look at /etc/default/aide. In this file you can configure
the /etc/cron.daily/aide behaviour. Especially the MAIL and the
COPYNEWDB option may be of interest to you.

Best regards

Hannes