LinuxQuestions.org - Linux - Security
aide.conf example? (https://www.linuxquestions.org/questions/linux-security-4/aide-conf-example-492466/)

linuxhippy 10-14-2006 08:15 PM

I just installed Slackware 11 on my server and haven't put it online yet. I want to first use a program like aide to create a baseline database for intrusion detection. I have an aide0.12 binary for Slackware and it installed ok. It needs an aide.conf file...could someone post a sample for somebody fairly new to the server world? I installed Slackware 11 without an X session.

I got aide using yum on my Fedora Core box and it came with a sample aide.conf file:
Code:

# Example configuration file for AIDE.

@@define DBDIR /var/lib/aide

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:/var/log/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g
#E: Empty group
#>: Growing logfile p+u+g+i+n+S

# You can create custom rules like this.

NORMAL = R+b+sha1

DIR = p+i+n+u+g

# Next decide what directories/files you want in the database.

/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL

# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc p+i+u+g
!/etc/mtab
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL

/var/log p+n+u+g

# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR

I then commented out the /etc files and made the directory /etc able to be checked with the other directories and the NORMAL rule.

unSpawn 10-15-2006 08:05 AM

I just installed Slackware 11 on my server and haven't put it online yet. I want to first use a program like aide to create a baseline database for intrusion detection.
Ten bonus points for doing the right thing...


I got aide using yum on my Fedora Core box and it came with a sample aide.conf file (..) I then commented out the /etc files and made the directory /etc able to be checked with the other directories and the NORMAL rule.
As you can see the NORMAL rule WILL cause a lot of static when used on the contents of /etc because you'll be (re)configuring stuff and normal ops will change some stuff. So basically you want to do a "minimal" check as was offered in the default config:
Code:

ETC = p+i+u+g+sha1
VOLATILE = p+u+g

and then add custom rules to tweak often changed files (these are just examples, OK):
Code:

/etc ETC
/etc/adjtime VOLATILE
/etc/mtab VOLATILE
/etc/snort VOLATILE

Next to that some root directories aren't checked (/opt, /misc, /initrd): see if you want to include those. /tmp and /var/tmp and other dir contents aren't checked either, and you will not want that because they will cause a lot of static as well, but being paranoid you might want to check the dir entries themselves:
Code:

=/mnt$ DIR
=/home$ DIR
=/var/log$ DIR
=/tmp$ DIR
=/var/tmp$ DIR
=/lost\+found DIR

* Note there's a lost+found on every partition.

Once the reconfig/update dust is settled and your server is production-ready run a check, add custom rules to your server's aide.conf and initialise the database. Finally make certain you stash a copy of the binary, all configs and databases off-site.
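The last paragraph above (run a check, initialise the database, stash copies of the binary, configs and database off-site) leaves one practical gap: how do you know the copy you run months later is still the copy you stashed? The Python below is an added example, not AIDE's code and not a tool from this thread. It records a sha256 manifest of the toolkit (binary, aide.conf, database) in sha256sum's "hash  path" format, re-checks it before a run, and builds the argv for running the stashed binary with an explicit config. The paths in it are placeholders; --init, --check, --update and --config= are AIDE's documented command-line flags. The demo() scenario is constructed with placeholder files.

```python
"""Keeping the checker honest: an independent sha256 manifest of the AIDE
binary, config and database. Added example, not AIDE's own code.
Assumptions: --init/--check/--update and --config= are AIDE's documented
flags; every path used here is a placeholder to adapt.
"""
import hashlib
import os
import tempfile

AIDE_ACTIONS = {"init": "--init", "check": "--check", "update": "--update"}


def build_aide_argv(action, config_path, aide_binary="/mnt/sda1/aide/aide"):
    """argv for running a specific (trusted-media) AIDE binary with a given config."""
    return [aide_binary, AIDE_ACTIONS[action], f"--config={config_path}"]


def sha256_file(path):
    """Stream a file through sha256 (databases can be tens of MB, per the thread)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(paths, manifest_path):
    """Write 'hash  path' lines (sha256sum -c compatible). Keep the manifest on
    the read-only medium too, otherwise it is just another modifiable file."""
    lines = [f"{sha256_file(p)}  {p}" for p in paths]
    with open(manifest_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return lines


def verify_manifest(manifest_path):
    """Return {path: 'OK' | 'MODIFIED' | 'MISSING'} for each manifest entry."""
    status = {}
    with open(manifest_path) as f:
        for line in f:
            digest, _, path = line.rstrip("\n").partition("  ")
            if not os.path.exists(path):
                status[path] = "MISSING"
            else:
                status[path] = "OK" if sha256_file(path) == digest else "MODIFIED"
    return status


def demo():
    """Constructed scenario: a clean toolkit, then a tampered database and a
    missing config. Returns (status_before, status_after) keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {                                  # placeholder contents, not real artifacts
            "aide": b"\x7fELF-placeholder-binary",
            "aide.conf": b"/bin NORMAL\n",
            "aide.db.gz": b"\x1f\x8b-placeholder-database",
        }
        paths = []
        for name, body in files.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(body)
            paths.append(path)
        manifest = os.path.join(tmp, "MANIFEST.sha256")
        write_manifest(paths, manifest)
        before = {os.path.basename(p): s for p, s in verify_manifest(manifest).items()}
        with open(paths[2], "ab") as f:           # tamper with the database
            f.write(b"evil")
        os.remove(paths[1])                        # lose the config
        after = {os.path.basename(p): s for p, s in verify_manifest(manifest).items()}
    return before, after


if __name__ == "__main__":
    print(" ".join(build_aide_argv("check", "/mnt/sda1/aide/aide.conf")))
    for label, status in zip(("before", "after"), demo()):
        print(label, status)
```

After `aide --init` the new database is written to the `database_out` location (aide.db.new.gz in the sample config) and has to be moved to the `database=` path before `aide --check` will compare against it; regenerate the manifest after every accepted init or update, and store it with the rest of the toolkit rather than on the monitored host.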

linuxhippy 10-15-2006 01:47 PM

Thanks, that helps! I was thinking I need to refine my aide.conf and cut back on /etc like you mentioned since my old 200 MHz pc takes 45 minutes to an hour to do the aide --check.

Old_Fogie 10-24-2006 01:14 AM

hi all,

linuxhippy where do you put the aide.conf file for your slack 11? There is a sample config file in the readme.html, but they don't say where it goes.

edit: don't bother, I'm gonna md5 the drive and use a spreadsheet, AIDE is out of control, bye for now.

unSpawn 10-24-2006 05:53 AM

AIDE is out of control
Aide is well-tested, supported and actively maintained (new release was out a week ago). It is configurable and fast. It can check a lot of details which, especially on distributions with a rudimentary out of the box package management system like Slackware, can only be a good thing. Can't even compare your md5sum+spreadsheet "solution" with that.

Old_Fogie 10-25-2006 03:28 PM

removed not to confuse others. will have to revisit this.

Old_Fogie 10-26-2006 12:07 AM

ah, I realized I should've had = signs there and changed norm to normal.

wow this scans fast, about 10 minutes on a virtual slackware guest in qemu. hope I ain't missing something LOL.

edit: came back and fixed my spelling. something is weird with new firefox 2.0 for me, text gets garbled up.

unSpawn 10-26-2006 06:44 AM

ah, I realized I should've had = signs there and changed norm to normal.
I didn't see you edit your previous post to reflect local changes?


wow this scans fast, about 10 minutes on a virtual slackware guest in qemu. hope I ain't missing something LOL.
Apart from QEMU lag this can even be faster if you're more precise on what to check.


# Here are some recommended declarations from unspawn/LQ
# He writes “As you can see the NORMAL rule WILL cause a
# lot of static when used on the contents of /etc because
# you'll be (re)configuring stuff and normal ops will change
# some stuff. So basically you want to do a "minimal" check
# as was offered in the default config”

Depends on how volatile the contents are and how exposed the box is (multiple admins, publicly accessible box). If it's just a few files, then strict checking should be done because it's easy to give only those few exceptions the less strict treatment. If you opt for overall "weak" checking of /etc, then I suggest you at least give these (and any other access and auth related files) the full check attribs:
/etc/passwd
/etc/group
/etc/gshadow
/etc/shadow
/etc/sudoers


# I suppose this is the master rule to apply to any/and or all
# files and folders unless explicitly defined otherwise herein?
#Selection regexp rule
@@{TOPDIR}/.* Norm

May be personal, but I never used these. If you do it relies on declaration of
Code:

@@ifndef TOPDIR
@@define TOPDIR /
@@endif

at the top of your aide.conf (you didn't post the whole config), then tune the other regex rules, because
!@@{TOPDIR}/.*~
I definitely would want to know about edit leftovers in the root, and
!@@{TOPDIR}/src/.*\.o
I don't have any /src dir, let alone /src/*.o files.


/home$ DIR
Isn't the notation "=/home$"?


/sys
You don't scan /proc, but you do scan /sys.
Any particular reason why?


/var/log p+n+u+g
Recursive scan of /var/log, but no files are scanned with the "S" attribute.
Doesn't this give a load of alerts?
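The sample aide.conf in the first post and the `=/home$`, `!@@{TOPDIR}/.*~` and `@@ifndef TOPDIR` lines picked apart in this reply all follow the same small grammar, and the questions above ("isn't the notation =/home$?", "doesn't /var/log without S give a load of alerts?") come down to which attributes end up attached to which path. As an added illustration (my own code, not AIDE's), the Python below parses that grammar and answers exactly that: it expands the built-in groups listed in the sample config (R, L, E, >) and custom `NAME = a+b+c` rules, handles `@@define`/`@@{VAR}` and a flat `@@ifndef ... @@endif`, and applies regular, equals (`=`) and negative (`!`) selection lines. The config embedded in it is constructed from the recommendations in this thread; the "longest matching regex wins" precedence is an assumption that reproduces what these configs expect, and aide.conf(5) remains the authority on AIDE's real precedence rules.

```python
"""Toy model of how AIDE turns rule and selection lines into "which
attributes get checked for which path". Added example, not AIDE's code.
Selection forms modelled:
    /regex RULE    regular:  the path and everything below it
    =/regex RULE   equals:   only the entry itself (whole-path match)
    !/regex        negative: matching paths are excluded
Assumption: among matching lines the longest regex wins; see aide.conf(5)
for the real precedence rules, which may differ in corner cases.
"""
import re

# Built-in groups, exactly as the sample aide.conf comments describe them.
BUILTIN_RULES = {"R": "p+i+n+u+g+s+m+c+md5", "L": "p+i+n+u+g",
                 "E": "", ">": "p+u+g+i+n+S"}
# Keys that are configuration options rather than custom rule definitions.
OPTION_KEYS = {"database", "database_out", "gzip_dbout", "verbose", "report_url"}

# Constructed config combining this thread's recommendations (not a real file).
SAMPLE_CONF = """\
@@ifndef DBDIR
@@define DBDIR /var/lib/aide
@@endif
database=file:@@{DBDIR}/aide.db.gz

NORMAL = R+b+sha1       # full check plus block count and sha1
DIR = p+i+n+u+g         # directory entry only
ETC = p+i+u+g+sha1      # "minimal" check for /etc
VOLATILE = p+u+g        # files that change during normal operation

/bin NORMAL
/root NORMAL
/etc ETC
/etc/passwd NORMAL
/etc/mtab VOLATILE
/var/log p+n+u+g
=/home$ DIR
=/lost\\+found DIR
!/.*~
"""


def expand_rule(expr, rules):
    """Expand 'R+b+sha1' (recursing through named rules) into primitive attributes."""
    attrs = set()
    for token in filter(None, expr.split("+")):
        attrs |= expand_rule(rules[token], rules) if token in rules else {token}
    return attrs


def parse_conf(text):
    """Return (rules, selections, options); each selection is
    (kind, compiled regex, attribute set or None for negatives, raw pattern)."""
    rules, selections, options, defines = dict(BUILTIN_RULES), [], {}, {}
    skipping = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments (no '#' inside regexes here)
        if not line:
            continue
        if line.startswith("@@ifndef"):
            skipping = line.split()[1] in defines
            continue
        if line.startswith("@@endif"):
            skipping = False
            continue
        if skipping:
            continue
        line = re.sub(r"@@\{(\w+)\}", lambda m: defines[m.group(1)], line)
        if line.startswith("@@define"):
            _, name, value = line.split(None, 2)
            defines[name] = value
        elif line[0] in "/=!":
            kind = {"/": "regular", "=": "equals", "!": "negative"}[line[0]]
            parts = (line if kind == "regular" else line[1:]).split(None, 1)
            attrs = None if kind == "negative" else expand_rule(parts[1], rules)
            selections.append((kind, re.compile("^" + parts[0]), attrs, parts[0]))
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in OPTION_KEYS:
                options.setdefault(key, []).append(value)
            else:
                rules[key] = value
    return rules, selections, options


def attributes_for(path, selections):
    """Attributes that would be recorded for `path`, or None if it is skipped."""
    best_len, best_attrs = -1, None
    for kind, regex, attrs, pattern in selections:
        if kind == "negative":
            if regex.match(path):
                return None
            continue
        hit = regex.fullmatch(path) if kind == "equals" else regex.match(path)
        if hit and len(pattern) > best_len:
            best_len, best_attrs = len(pattern), attrs
    return None if best_attrs is None else set(best_attrs)


if __name__ == "__main__":
    rules, selections, options = parse_conf(SAMPLE_CONF)
    for p in ["/bin/ls", "/etc/passwd", "/etc/shadow", "/etc/mtab", "/home",
              "/home/alice", "/var/log/messages", "/root/.bashrc~"]:
        attrs = attributes_for(p, selections)
        print(f"{p:20} {'skipped' if attrs is None else '+'.join(sorted(attrs))}")
```

Two things the model makes visible. Because every regex is matched from the start of the path, `/etc ETC` also matches a hypothetical `/etcetera`, which is one reason to anchor with `$` as in `=/home$` when a prefix is ambiguous. And `/var/log p+n+u+g` records no size or checksum at all for the log files, so a growing logfile does not alert, but neither does a truncated or rewritten one; the `>` group (p+u+g+i+n+S) is the built-in compromise for files that are expected to grow.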

linuxhippy 10-26-2006 12:26 PM

Quote:

Originally Posted by Old_Fogie
hi all,

linuxhippy where do you put the aide.conf file for your slack 11? There is a sample config file in the readme.html, but they don't say where it goes.

I keep my aide.conf, aide.db.gz, aide binary, and aide source on a read-only usb thumb drive. I then execute the binary off the usb and tell it that the conf is on the /mnt/sda1/aide directory on my thumb drive. It writes the new db file and log file on my hard drive which I then move to my thumb drive once it is writable. I then remove the thumb drive from my pc so that intruders wouldn't know what directories on my pc are being checked. I should burn the db file on a cd I'd imagine.

Old_Fogie 10-26-2006 10:16 PM

Hello Gents,

Thank you for the replies.

@unspawn:
Quote:

/sys
You don't scan /proc, but you do scan /sys.
Any particular reason why?
I was merely guessing (cuz I am not really well versed) that I would encounter long scans of the /proc and /dev directories like I did when I tried using the find command and checksum that way w/a slax live cd.

We spoke about this here:
http://www.linuxquestions.org/questi...p?t=491396#top

I had said:
It was able to get thru the /proc directory now that I wasn't actually running linux. It md5sum every file. Wow I never saw an 80 gig text file before LOL.

to which you had said :Its a waste of time to hash /proc and /dev contents.

So I was kind of interpreting that to mean that even with AIDE I might have the same issue, so I was leaving it out. as well, I really don't know what I'm doing ...but I'm trying :D

Ok I will add them in and make the other corrections you shown there, and then make a new database and rescan and see then post my configuration.

I'm really shooting to just make this for a typical home user baseline setup and I actually would like to submit it to LQ for newcomers like myself.

Thank you a lot unspawn I really really appreciate your help here.

@linuxhippy: I actually had to dig out a camera flash card. I didn't realize that an un-gzipped db was going to be 28 meg for a "full-noob install" of slackware. I later gzipped it using the cli interface and it dropped down to about 8 meg. I wonder if AIDE supports bzip, that might be even smaller. I think your idea of the cd to have the binary, the manuals, source install tarballs is a good idea. I think I'm going to build this as 'static' and burn that way.

ps..gosh this firefox 2.0 with typing text is brutal :( I gotta put back in my old version. it most certainly is not 'wysiwyg'

unSpawn 10-27-2006 03:41 AM

I really don't know what I'm doing ...but I'm trying
Oh well, you're doing great.


I wonder if AIDE supports bzip, that might be even smaller.
Just add a request on Aide's SF tracker (http://sourceforge.net/tracker/?grou...76&atid=581582) or the SF Aide-devel mailing list. The developers are exceptionally friendly and professional.

Old_Fogie 10-27-2006 05:05 AM

OKAY! Here Is My Work In Progress :D
 
edited, a few months later not really liking what I have removed not to confuse others.

Old_Fogie 11-02-2006 04:45 AM

Hi all,

Just an update and question.

The previous post I made seems to be pretty nice for my needs.

In my /mnt on one computer I have two partitions, that are solely for data from users. What would be a good check on that? I thought it was pretty neat the above caught the fact that I plugged in my thumbdrive doo hickey too.

Are there any recommendations for applications like rkhunter's database? Not sure how I would address that one either.

thank you in advance :D

