Discussion:
[Aide] Questions
Manav Nagla
2016-08-15 20:15:08 UTC
Hello,

Can someone please help me to answer these questions.

*Requirement:*
I have an important file which should not be altered, modified, copied, or
read by any user. It has to be read by only script (non-interactive) user.

Will this tool be a perfect match to monitor only that particular file in
Linux ?

1) Can I get alerts when the file is read by other user ?
2) Can I get alerts when the file is copied ?
3) Can I get alerts when the file is modified ?
4) How can I set monitoring capabilities around only 1 file ?
5) Will this tool help me to perform all such actions I'm thinking of ?

Thanks in advance,

Thanks,
MN
--
Thanks,
Manav Nagla,
Information Security Solutions,

*Motorola Solutions, Inc.,*
P: 847-380-0009
E: ***@motorolasolutions.com
Manav Nagla
2016-08-15 22:19:30 UTC
Thank you :-)

On Mon, Aug 15, 2016 at 5:16 PM Brian Mathis <
You might be able to accomplish some of your alerts using AIDE (not read
alert, maybe copy alert, yes modified alert), but AIDE will only alert you
after the damage is already done, which probably isn't what you want. You
should actively prevent anyone from accessing the file by using proper
permissions, user/group ownership, and possibly extended ACLs. Incron
might also help you get a level of immediate alerting whenever an action is
performed on the file. You won't be able to stop 'root' from reading the
file no matter what.
~ Brian Mathis
@orev
_______________________________________________
Aide mailing list
https://mailman.cs.tut.fi/mailman/listinfo/aide
Bowie Bailey
2016-08-16 13:13:07 UTC
Post by Manav Nagla
1) Can I get alerts when the file is read by other user ?
Maybe. By default, Linux filesystems only update the access time under
certain circumstances (see the mount option "relatime"). You may be
able to get consistent updates with the "strictatime" option, but that
will have a performance impact on the filesystem.
Post by Manav Nagla
2) Can I get alerts when the file is copied ?
Copying the file should also update the atime (see above). Aide might
also give you notice of the new file if it is set up to monitor the
directory it was copied to.
Post by Manav Nagla
3) Can I get alerts when the file is modified ?
Yes.
Post by Manav Nagla
4) How can I set monitoring capabilities around only 1 file ?
Specify the one file in the config file and exclude everything else.
Post by Manav Nagla
5) Will this tool help me to perform all such actions I'm thinking of ?
Maybe, but you are better off putting strict access controls on the
file. The simplest option is to have your script run as a particular
user that is not used for anything else. You can then chown the file to
that user and set permissions so that only the owner can read it.
--
Bowie
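
A check for the dedicated-owner, owner-only-permissions setup suggested in the reply above, as an added example that is not part of the original thread. The function name `check_secret_file` is hypothetical, and the script assumes GNU `stat` on Linux; it also inspects the parent directory, because write access there allows the file to be replaced even when the file itself is locked down.

```shell
#!/bin/sh
# Added example: audit ownership and permissions of one sensitive file.
# Usage: check_secret_file FILE OWNER   (OWNER is a user name or numeric uid)
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 on bad usage.
check_secret_file() {
    file=$1; owner=$2; rc=0
    if [ ! -f "$file" ] || [ -L "$file" ] || [ -z "$owner" ]; then
        echo "usage: check_secret_file REGULAR_FILE OWNER" >&2
        return 2
    fi

    # %U = owner name, %u = owner uid, %a = octal mode
    set -- $(stat -c '%U %u %a' -- "$file")
    f_name=$1; f_uid=$2; f_mode=$3
    if [ "$owner" != "$f_name" ] && [ "$owner" != "$f_uid" ]; then
        echo "FAIL: $file is owned by $f_name, expected $owner"; rc=1
    fi
    # Any group/other bit means someone besides the owner has access.
    if [ $(( 0$f_mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file mode $f_mode grants group/other access"; rc=1
    fi

    # Write access to the directory allows replacing or renaming the file
    # (unless the sticky bit restricts that to the file and directory owners).
    dir=$(dirname -- "$file")
    set -- $(stat -c '%u %a' -- "$dir")
    d_uid=$1; d_mode=$2
    if [ $(( 0$d_mode & 022 )) -ne 0 ] && [ $(( 0$d_mode & 01000 )) -eq 0 ]; then
        echo "FAIL: $dir mode $d_mode is group/other-writable"; rc=1
    fi
    if [ "$d_uid" != "$f_uid" ] && [ "$d_uid" != 0 ]; then
        echo "FAIL: $dir is owned by uid $d_uid, who can replace $file"; rc=1
    fi
    return $rc
}
```

A clean result only describes the permission bits at the time of the check; as noted earlier in the thread, root can still read the file.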
Tom Geissler
2016-09-21 16:29:48 UTC
Hello,

A little bit late, but the Linux Light-weight Auditing Framework could be
the solution.
--
Tom