Discussion:
[Aide] Aide init
ncalsmitty1369
2012-10-22 23:12:29 UTC
Hi,

I am having a problem initializing my aide installation on a xen Debian
squeeze domU. I have installed and configured aide many times across debian
etch/lenny/squeeze and have not had the problem detailed below. However,
this is my first aide install on a xen vm. I found one reference to a
similar situation in the aide user list archives, found here:
https://mailman.cs.tut.fi/pipermail/aide/2011-October/001245.html . I read
through the Debian documentation but ultimately didn't find anything to
help me. I have looked for help on a Debian specific mailing list, but
found no takers. I am hoping that someone here can point me in the right
direction to get this problem resolved.

Thanks.

Details of the problem:

KERNEL AND PACKAGES INSTALLED:

Linux turing 2.6.32-5-xen-amd64 #1 SMP Sun May 6 08:57:29 UTC 2012 x86_64 GNU/Linux
aide-xen/squeeze uptodate 0.15.1-2+squeeze1, aide-common/squeeze uptodate 0.15.1-2+squeeze1

AIDE.CONF:

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.out
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes
report_url=file:/work/logs/aide/report.txt
summarize_changes=no
grouped=yes
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger
OwnerMode = p+u+g+ftype
Size = s+b
InodeData = OwnerMode+n+i+Size+l+acl+xattrs+e2fsattrs+selinux
StaticFile = m+c+Checksums
RamdiskData = InodeData-i
Full = InodeData+StaticFile
VarTime = InodeData+Checksums
VarInode = VarTime-i
VarFile = OwnerMode+n+l+acl+xattrs+e2fsattrs+selinux
VarDir = OwnerMode+n+i+acl+xattrs+e2fsattrs+selinux
VarDirInode = OwnerMode+n+acl+xattrs+e2fsattrs+selinux
VarDirTime = InodeData
Log = OwnerMode+n+S+acl+xattrs+e2fsattrs+selinux
FreqRotLog = Log-S
LowLog = Log-S
SerMemberLog = Full+I
LoSerMemberLog = SerMemberLog+ANF
HiSerMemberLog = SerMemberLog+ARF
LowDELog = SerMemberLog+ANF+ARF
SerMemberDELog = Full+ANF
LinkedLog = Log-n

INIT:

root@turing:/etc/aide# aide -V255 --config=/etc/aide/aide.conf --init
Setting verbosity to 255
commandconf():@@include /etc/aide/aide.conf

1:@@include
9:database =
do_dbdef (1) called with (file:/var/lib/aide/aide.db)
10:database_out =
do_dbdef (2) called with (file:/var/lib/aide/aide.db.out)
Output database set to "file:/var/lib/aide/aide.db.out"
"/var/lib/aide/aide.db.out"
11:database_new =
do_dbdef (4) called with (file:/var/lib/aide/aide.db.new)
12:gzip_dbout =
13:report_url =
WARNING: Debug output enabled
Opening file "/work/logs/aide/report.txt" for w+
Opened file "/work/logs/aide/report.txt" with fd=4
17:summarize_changes =
20:grouped =
25:Equrule
28:Equrule
31:Equrule
34:Equrule
35:Equrule
39:Equrule
42:Equrule
45:Equrule
48:Equrule
51:Equrule
54:Equrule
57:Equrule
60:Equrule
150:Equrule
153:Equrule
157:Equrule
160:Equrule
164:Equrule
168:Equrule
173:Equrule
177:Equrule
181:Equrule
tree: "/"

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.out initialized.

report out:

db_init 2
Opening file "/var/lib/aide/aide.db.out" for w+
Opened file "/var/lib/aide/aide.db.out" with fd=3
db_out is nonnull /var/lib/aide/aide.db.out
decode base64
db_init 256
/ match=0, tree=0x1aaa5c0, attr=0
/usr match=0, tree=0x1aaa5c0, attr=0
/opt match=0, tree=0x1aaa5c0, attr=0
/var match=0, tree=0x1aaa5c0, attr=0
/lost+found match=0, tree=0x1aaa5c0, attr=0
/initrd.img match=0, tree=0x1aaa5c0, attr=0
/lib64 match=0, tree=0x1aaa5c0, attr=0
/work match=0, tree=0x1aaa5c0, attr=0
/proc match=0, tree=0x1aaa5c0, attr=0
/smbmnt match=0, tree=0x1aaa5c0, attr=0
/tmp match=0, tree=0x1aaa5c0, attr=0
/root match=0, tree=0x1aaa5c0, attr=0
/export match=0, tree=0x1aaa5c0, attr=0
/dev match=0, tree=0x1aaa5c0, attr=0
/home match=0, tree=0x1aaa5c0, attr=0
/bin match=0, tree=0x1aaa5c0, attr=0
/sbin match=0, tree=0x1aaa5c0, attr=0

CREATE AIDE.DB:

root@turing:/var/lib/aide# cp aide.db.out aide.db

UPDATE:

root@turing:/etc/aide# aide -V255 --config=/etc/aide/aide.conf --update
Setting verbosity to 255
commandconf():@@include /etc/aide/aide.conf

1:@@include
9:database =
do_dbdef (1) called with (file:/var/lib/aide/aide.db)
10:database_out =
do_dbdef (2) called with (file:/var/lib/aide/aide.db.out)
Output database set to "file:/var/lib/aide/aide.db.out"
"/var/lib/aide/aide.db.out"
11:database_new =
do_dbdef (4) called with (file:/var/lib/aide/aide.db.new)
12:gzip_dbout =
13:report_url =
WARNING: Debug output enabled
Opening file "/work/logs/aide/report.txt" for w+
Opened file "/work/logs/aide/report.txt" with fd=4
17:summarize_changes =
20:grouped =
25:Equrule
28:Equrule
31:Equrule
34:Equrule
35:Equrule
39:Equrule
42:Equrule
45:Equrule
48:Equrule
51:Equrule
54:Equrule
57:Equrule
60:Equrule
150:Equrule
153:Equrule
157:Equrule
160:Equrule
164:Equrule
168:Equrule
173:Equrule
177:Equrule
181:Equrule
tree: "/"

report out:

db_init 2
Opening file "/var/lib/aide/aide.db.out" for w+
Opened file "/var/lib/aide/aide.db.out" with fd=3
db_out is nonnull /var/lib/aide/aide.db.out
decode base64
db_init 256
db_init 1
Opening file "/var/lib/aide/aide.db" for r
Opened file "/var/lib/aide/aide.db" with fd=6
db_in is nonnull
Got Gzip header. Handling..
First character after gzip header is: @(0X40)
nread=120,strlen(buf)=120,errno=Success,gzerr=<fd:6>: stream end
decode base64
name
Database does not have attr field.
Comparation may be incorrect
Generating attr-field from dbspec
It might be a good Idea to regenerate databases. Sorry.
db_char2line():Error while reading database

CHECK:

root@turing:/etc/aide# aide -V255 --config=/etc/aide/aide.conf --check
Setting verbosity to 255
commandconf():@@include /etc/aide/aide.conf

1:@@include
9:database =
do_dbdef (1) called with (file:/var/lib/aide/aide.db)
10:database_out =
do_dbdef (2) called with (file:/var/lib/aide/aide.db.out)
Output database set to "file:/var/lib/aide/aide.db.out"
"/var/lib/aide/aide.db.out"
11:database_new =
do_dbdef (4) called with (file:/var/lib/aide/aide.db.new)
12:gzip_dbout =
13:report_url =
WARNING: Debug output enabled
Opening file "/work/logs/aide/report.txt" for w+
Opened file "/work/logs/aide/report.txt" with fd=4
17:summarize_changes =
20:grouped =
25:Equrule
28:Equrule
31:Equrule
34:Equrule
35:Equrule
39:Equrule
42:Equrule
45:Equrule
48:Equrule
51:Equrule
54:Equrule
57:Equrule
60:Equrule
150:Equrule
153:Equrule
157:Equrule
160:Equrule
164:Equrule
168:Equrule
173:Equrule
177:Equrule
181:Equrule
tree: "/"

report out:

db_init 256
db_init 1
Opening file "/var/lib/aide/aide.db" for r
Opened file "/var/lib/aide/aide.db" with fd=5
db_in is nonnull
Got Gzip header. Handling..
First character after gzip header is: @(0X40)
nread=120,strlen(buf)=120,errno=Success,gzerr=<fd:5>: stream end
decode base64
name
Database does not have attr field.
Comparation may be incorrect
Generating attr-field from dbspec
It might be a good Idea to regenerate databases. Sorry.
db_char2line():Error while reading database
Keith Constable
2012-10-22 23:26:55 UTC
Smitty,

Unless I'm misunderstanding something about aide or your intentions, your aide.conf is missing a match rule.

Regards,

Keith



ncalsmitty1369
2012-10-23 00:26:07 UTC
Post by Keith Constable
Smitty,
Unless I'm misunderstanding something about aide or your intentions, your aide.conf is missing a match rule.
Regards,
Keith
Hi Keith,

On Debian boxes there is a directory called /etc/aide/aide.conf.d. That directory contains files that have match rules based on many different services. On Squeeze boxes, I have created the aide.db via "aide -c aide.con -i", copied the aide.db.new file to aide.db and then run the Debian /etc/cron.daily/aide script. The script reads in the /etc/aide.conf file and incorporates the rule files found in aide.conf.d. It then creates a file named aide.conf.autogenerated and places it in the directory /var/lib/aide, which is where the aide.db file is kept. This is the same process that I used on another Debian Squeeze box, non xen domU, which worked without issues.

Did I understand your suggestion correctly? I am definitely open to
more if it helps resolve the problem!

Thanks,

Smitty
Keith Constable
2012-10-23 01:36:20 UTC
Smitty,

There are a few things to note in this process. In the logs that you pasted, you see that it looks through your filesystem and gives you information like:

/bin match=0, tree=0x1aaa5c0, attr=0

Note that "match=0". This means that aide took a look at the /bin directory, decided it didn't match any of the config rules, and did not add it to the database. You would normally expect a lot of noise from the -V255 argument, including some lines that contain "match=1".

In your procedure, you say that you start the process by generating the DB by running:

aide -c aide.con -i

I'll assume that's a typo, and that you meant "aide.conf". Since you haven't run the cron script yet, I'll also assume you are referring to /etc/aide/aide.conf. Unless you've modified /etc/aide/aide.conf, the database you just initialized is now empty, since the default config doesn't contain any rules to match on. You may be getting those errors because the database is empty.

Now, I am not familiar with Debian's system for aide, so all of this is educated speculation. However, it seems to me that you should be generating aide.conf.autogenerated first, then initializing the database with that new autogenerated config file.

Also, it's worth noting that squeeze provides an aide-xen package. However, I have never used Xen, so I don't know how that package fits into the process, if at all.

I apologize if I'm completely off the mark.

Regards,

Keith Constable
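The two checks Keith describes above, that an aide.conf must carry selection lines (paths starting with /, ! or =) and not just group definitions, and that -V255 output for a working config contains "match=1" lines, are easy to automate. The script below is an added example and is not code from this thread or from the AIDE project: it parses an aide.conf into options, group definitions and selection rules, expands group arithmetic (+ adds, - removes, group names expand recursively) using the definitions posted in the thread, flags a config with no selection rules, and counts matched versus skipped entries in verbose output. The option list, the regular expressions and all sample inputs are this example's own assumptions, built from what appears in the thread.

```python
"""Sanity checks for an AIDE configuration and its -V255 output.

Added example, not code from the thread or from the AIDE project. The sample
config and log text below are constructed from what the thread shows.
"""
import re

# Options seen in the thread's aide.conf (plus "verbose"); any other
# "Name = expr" line is treated as a group definition. Assumption: AIDE has
# more options than this, so extend the set for real configs.
KNOWN_OPTIONS = {
    "database", "database_out", "database_new", "gzip_dbout",
    "report_url", "summarize_changes", "grouped", "verbose",
}

SELECTION_RE = re.compile(r"^([!=]?)(/\S*)\s*(\S+)?\s*$")   # /path [group]
ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
TOKEN_RE = re.compile(r"([+-]?)\s*([A-Za-z0-9_]+)")        # +name / -name
MATCH_RE = re.compile(r"^(\S+) match=(\d+),")              # -V255 tree lines

# Constructed: the group definitions from the thread's aide.conf and nothing
# else, which is exactly the situation Keith diagnosed.
SAMPLE_CONF_NO_RULES = """\
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.out
gzip_dbout=yes
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger
OwnerMode = p+u+g+ftype
Size = s+b
InodeData = OwnerMode+n+i+Size+l+acl+xattrs+e2fsattrs+selinux
StaticFile = m+c+Checksums
Full = InodeData+StaticFile
RamdiskData = InodeData-i
"""

# Constructed: the same groups plus two selection lines.
SAMPLE_CONF_WITH_RULES = SAMPLE_CONF_NO_RULES + "/bin Full\n!/proc\n"

# Constructed from the -V255 output in the thread (every entry skipped).
SAMPLE_LOG_EMPTY = """\
/ match=0, tree=0x1aaa5c0, attr=0
/usr match=0, tree=0x1aaa5c0, attr=0
/bin match=0, tree=0x1aaa5c0, attr=0
/sbin match=0, tree=0x1aaa5c0, attr=0
"""


def parse_conf(text):
    """Split an aide.conf into (options, groups, selections).

    options    -> {name: value}
    groups     -> {name: raw expression string}
    selections -> [(kind, path, group)] with kind "regular", "negative" or
                  "equals"; group is None for negative lines.
    """
    options, groups, selections = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@@"):
            continue  # blank, comment, or @@include-style directive
        m = SELECTION_RE.match(line)
        if m:
            kind = {"": "regular", "!": "negative", "=": "equals"}[m.group(1)]
            selections.append((kind, m.group(2), m.group(3)))
            continue
        m = ASSIGN_RE.match(line)
        if m:
            name, expr = m.group(1), m.group(2).strip()
            (options if name in KNOWN_OPTIONS else groups)[name] = expr
    return options, groups, selections


def resolve_group(groups, name, _seen=()):
    """Expand a group name into the flat set of attribute names it selects.

    Tokens are applied left to right: '+' (or no sign) adds, '-' removes;
    a token that is itself a defined group is expanded recursively.
    """
    if name in _seen:
        raise ValueError("cyclic group definition: %s" % name)
    attrs = set()
    for sign, token in TOKEN_RE.findall(groups[name]):
        members = (resolve_group(groups, token, _seen + (name,))
                   if token in groups else {token})
        attrs = attrs - members if sign == "-" else attrs | members
    return frozenset(attrs)


def check_conf(text):
    """Return findings; an empty list means --init has database paths and
    at least one selection rule to work with."""
    options, _groups, selections = parse_conf(text)
    findings = ["missing option: %s" % opt
                for opt in ("database", "database_out") if opt not in options]
    if not selections:
        findings.append("no selection rules: every path will show match=0 "
                        "and the initialised database will be empty")
    for kind, path, group in selections:
        if kind != "negative" and group is None:
            findings.append("selection line for %s names no group" % path)
    return findings


def summarize_matches(log_text):
    """Count -V255 tree entries that matched a rule versus were skipped."""
    counts = {"matched": 0, "skipped": 0}
    for line in log_text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            counts["skipped" if m.group(2) == "0" else "matched"] += 1
    return counts


if __name__ == "__main__":
    for label, conf in (("no rules", SAMPLE_CONF_NO_RULES),
                        ("with rules", SAMPLE_CONF_WITH_RULES)):
        print("%s: %s" % (label, check_conf(conf) or ["ok"]))
    _, groups, _ = parse_conf(SAMPLE_CONF_WITH_RULES)
    print("Full selects %d attributes" % len(resolve_group(groups, "Full")))
    print("verbose log:", summarize_matches(SAMPLE_LOG_EMPTY))
```

Run against the config from the first post, the script reports the missing selection rules, and run against the -V255 output it reports four skipped entries and none matched, which is the signature of an empty database. Once a config such as the Debian-generated aide.conf.autogenerated is used, the matched count should be non-zero.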



Keith Constable
2012-10-23 01:45:44 UTC
It may also be worth noting that Debian provides a helpful "aideinit" command that moves the databases and uses the correct config file automatically.

-Keith



ncalsmitty1369
2012-10-23 02:16:24 UTC
Post by Keith Constable
It may also be worth noting that Debian provides a helpful "aideinit" command that moves the databases and uses the correct config file automatically.
-Keith
Hi Keith,

Thank you for enlightening me about the match rules and on how to read the
verbose init command output. What you said made a lot of sense, but I just
couldn't understand why the method I used on a practically identical
install (other than it being a xen vm) kept failing. Your suggestion about
the aideinit command is what finally got it to work! I will have to look at
how that command works, and hopefully that will show me what is missing in
my manual process.

I really appreciate your time, suggestions, and ultimate solution.

Thanks,

Smitty