[Aide] Implementation and configuration question.
Dave Shevett
2013-05-21 20:21:47 UTC
Hi folks, after working with tripwire for a while, I was hoping to use
aide as a new system for trapping changes to hosts.

Our primary goal is less 'intrusion detection' but more 'change
management'. We want to know when one of our admins (or someone else)
makes a change to a system. The operations team will be notified that
such and such file was changed or updated.

The problem is I'm having a hard time understanding the configuration
mechanism in aide. The documentation is... lacking, unfortunately.

For instance:

1) Running the cron.daily script for aide is terrifying. It's 705 lines
of very dense shell script, and I'm not really sure how different it is
than a single cron line that says aide --check

2) I want aide to rebuild and place the database after each check. One
warning sent to root@ that such and such files are changed, and then the
database is reset. I can't use the same filename in /etc/aide/aide.conf
for database, database_out, and database_new (it throws a warning). So
how do I say "Run against the current db, when done, put the new db in
place of the old one"? --update doesn't seem to do anything.
Consecutive runs of --update show the same information.

3) There's an option buried in the daily cron job called COPYNEWDB, but
there's no indication where this option is set or how to set it.

aide comes close to being a very useful tool, but I'm finding the
implementation very difficult to understand, and it strikes me as overly
complex. If I can get these basic operations going, I'll probably
implement it. Am I missing some basic concept?

-d
Richard van den Berg
2013-05-22 09:46:32 UTC
Hello Dave,
Post by Dave Shevett
1) Running the cron.daily script for aide is terrifying. It's 705 lines
of very dense shell script, and I'm not really sure how different it is
than a single cron line that says aide --check
Aide does not ship with a cron.daily script. Most likely this is provided by your Linux distribution. You should request support for this script there. Did you read their documentation, for example in /usr/share/doc?
Post by Dave Shevett
2) I want aide to rebuild and place the database after each check. One
database is reset. I can't use the same filename in /etc/aide/aide.conf
for database, database_out, and database_new (it throws a warning). So
how do I say "Run against the current db, when done, put the new db in
place of the old one"? --update doesn't seem to do anything.
Consecutive runs of --update show the same information.
See http://www.cs.tut.fi/~rammer/aide/manual.html#usage
Post by Dave Shevett
3) There's an option buried in the daily cron job called COPYNEWDB, but
there's no indication where this option is set or how to set it.
See my answer to 1).
Post by Dave Shevett
aide comes close to being a very useful tool, but I'm finding the
implementation very difficult to understand, and it strikes me as overly
complex.
Again, see my answer to 1).
Post by Dave Shevett
If I can get these basic operations going, I'll probably
implement it. Am I missing some basic concept?
Which parts of http://www.cs.tut.fi/~rammer/aide/manual.html specifically do you have questions about?

Kind regards,

Richard
Dave Shevett
2013-05-22 14:05:11 UTC
Post by Richard van den Berg
Aide does not ship with a cron.daily script. Most likely this is
provided by your Linux distribution. You should request support for
this script there. Did you read their documentation for example in
/usr/share/doc ?
That really has very little information in it....
dshevett at inf-3:/usr/share/doc/aide$ ls -l
total 12
-rw-r--r-- 1 root root 3366 Jan 9 2012 changelog.Debian.gz
-rw-r--r-- 1 root root 3364 Jan 9 2012 copyright
-rw-r--r-- 1 root root 3669 Jan 9 2012 NEWS.Debian.gz

I'm still having a hard time finding out information about this cron
script though. :(

For the record, I'm using Ubuntu Precise, the package details are here;
http://packages.ubuntu.com/precise/aide-common
(this appears to be where the cron.daily script came from. I'm going to
contact the maintainers there as well, but I don't have a lot of hope).
Post by Richard van den Berg
Post by Dave Shevett
2) I want aide to rebuild and place the database after each check. One
database is reset. I can't use the same filename in /etc/aide/aide.conf
for database, database_out, and database_new (it throws a warning). So
how do I say "Run against the current db, when done, put the new db in
place of the old one"? --update doesn't seem to do anything.
Consecutive runs of --update show the same information.
See http://www.cs.tut.fi/~rammer/aide/manual.html#usage
The documentation there (which I've read, btw), I believe is pushing
aide into a usage model that is different from what I want to do. For
example:

"There is usually some drift in the databases. What I mean by drift is
that new files are created, config files of applications are edited,
tons of small changes pile up until the report becomes unreadable. This
can be avoided by updating the database once in a while. I myself run
the update every night. But, I don't replace the input database nearly
as often. The replacement of the input database should always be a manual
operation. This should not be automated."

If there is drift, how can this be an effective tripwire? I want to
know immediately if a file has changed on a target system. Once that
report is sent to me, I want the database reset. If implemented this
way, if the change that has happened is innocuous (someone goes into a
host and makes a config change), then there's no further work to be
done. Delete the email and move on. As I understand the docs, there is
no way to do this without manually moving the files around each time.
Am I understanding this correctly?
Post by Richard van den Berg
Post by Dave Shevett
If I can get these basic operations going, I'll probably
implement it. Am I missing some basic concept?
Which parts of http://www.cs.tut.fi/~rammer/aide/manual.html specifically do you
have questions about?
See my answer to #2 :)

-d
Richard van den Berg
2013-05-22 18:14:37 UTC
Post by Dave Shevett
As I understand the docs, there is no way to do this without manually moving the files around each time. Am I understanding this correctly?
Absolutely. Aide expects manual inspection of its output, and the manual installation of a new database when the output warrants it. However, it is easy to automate this with a script.

Richard
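Dave's question 2 ("run against the current db, when done, put the new db in place of the old one") and Richard's remark that this is easy to automate with a script come down to the same few steps. The POSIX shell script below is an added example, not code from this thread, from AIDE itself, or from any distribution's cron job. It assumes a Debian-style layout (/etc/aide/aide.conf with database= pointing at /var/lib/aide/aide.db and database_out= at /var/lib/aide/aide.db.new; every path is overridable from the environment), that `aide --update` compares the host against database= and writes database_out= in one pass (the behaviour the manual's usage section describes, and why consecutive --update runs show the same report when nothing replaces the input database), that the exit-status convention of the aide(1) man page (0 clean; 1, 2, 4 OR'ed together for added, removed, changed files; 14 and above for aide's own failures) holds for your version, and that `mail -s subject recipient` is available in bsd-mailx style. The function names (classify, send_report, promote_db, aide_cycle) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, AIDE, or any distribution): one
# check-report-reset cycle, meant to run from cron as `aide-cycle.sh run`.
# Every variable below is an assumption about your layout; override it
# in the environment if yours differs.
AIDE_BIN="${AIDE_BIN:-/usr/bin/aide}"
AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"            # holds database= and database_out=
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"              # the database= file
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}"  # the database_out= file
MAIL_CMD="${MAIL_CMD:-mail}"     # assumed bsd-mailx style: mail -s subject recipient
MAILTO="${MAILTO:-root}"

# Map aide's exit status to a verdict. 0 = nothing changed; 1, 2 and 4
# (OR'ed together) = added, removed and changed files; 14 and above = aide
# itself failed. This convention is taken from the aide(1) man page and is
# an assumption about your version.
classify() {
    case "$1" in
        0)     echo clean ;;
        [1-7]) echo changed ;;
        *)     echo error ;;
    esac
}

send_report() {  # $1 = subject, $2 = report file (mailed as the body)
    "$MAIL_CMD" -s "$1" "$MAILTO" <"$2"
}

# Put the freshly written database in place of the old one, keeping one
# backup so a reported change can still be re-examined after the reset.
promote_db() {
    [ -s "$AIDE_DB_NEW" ] || return 1
    if [ -f "$AIDE_DB" ]; then cp -p "$AIDE_DB" "$AIDE_DB.prev"; fi
    mv "$AIDE_DB_NEW" "$AIDE_DB"
}

# One cycle: aide --update compares the host against database= and writes
# database_out= in the same pass. Prints the verdict; returns non-zero only
# when aide itself failed, in which case the old database is left untouched
# (a broken run must never become the new baseline).
aide_cycle() {
    report=$(mktemp)
    if "$AIDE_BIN" --config "$AIDE_CONF" --update >"$report" 2>&1; then
        status=0
    else
        status=$?
    fi
    verdict=$(classify "$status")
    host=$(hostname 2>/dev/null || echo localhost)
    case "$verdict" in
        changed) send_report "AIDE: changes on $host" "$report" ;;
        error)   send_report "AIDE FAILED (exit $status) on $host" "$report"
                 rm -f "$report"
                 echo "$verdict"
                 return "$status" ;;
    esac
    # Reset on clean and on changed alike: the report has gone out, so the
    # current state becomes the baseline and no drift accumulates.
    promote_db
    rm -f "$report"
    echo "$verdict"
}

# Without the `run` argument the file only defines the functions, so it can
# be sourced or tested without touching the real database.
if [ "${1-}" = "run" ]; then
    aide_cycle
fi
```

Two consequences of the automatic reset are worth keeping in mind. Each change is reported exactly once, so the mail (or, as Shirkdog suggests below, the log-management feed) has to land somewhere the person who made the change cannot quietly delete, and keeping the previous database as aide.db.prev means a suspicious report can still be examined later by pointing database_new= at it and running aide's --compare mode.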
Shirkdog
2013-05-22 18:28:32 UTC
Easy to automate and alert into any log management system.

---
Michael Shirk


On Wed, May 22, 2013 at 2:14 PM, Richard van den Berg
Post by Richard van den Berg
As I understand the docs, there is no way to do this without manually moving the files around each time. Am I understanding this correctly?
Absolutely. Aide expects manual inspection of its output, and the manual installation of a new database when the output warrants it. However, it is easy to automate this with a script.
Richard
_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
Phil Oesch
2013-05-24 17:59:11 UTC
Post by Shirkdog
Easy to automate and alert into any log management system.
Speaking of it, has someone already automated this via Splunk? I am
using a proprietary, aging web frontend to monitor some systems with
AIDE, now thinking about pimping that...

Thanks y'all very much!

Phil
--
Phil Oesch <lip at trash.net>
38 11 95 7F 0E 0B DB A1 A7 7A 43 EC E8 E1 F9 03
Keith Constable
2013-05-24 18:54:14 UTC
On May 24, 2013, at 2:01 PM, Phil Oesch <lip at trash.net> wrote:
Post by Phil Oesch
Speaking of it, has someone already automated this via Splunk? I am
using a proprietary, aging web frontend to monitor some systems with
AIDE, now thinking about pimping that...

A cursory search suggests
http://splunk-base.splunk.com/apps/22366/pci-app-creative-commons-version

Regards,

Keith Constable
Phil Oesch
2013-05-24 19:19:51 UTC
Post by Keith Constable
A cursory search suggests
http://splunk-base.splunk.com/apps/22366/pci-app-creative-commons-version
Regards,
Keith Constable
Thanks Kevin, very nice, will have a deep look into it ;-)

Best regards
Phil