LinuxQuestions.org

Linux - Security: Aide Detects Added New File Incorrectly (https://www.linuxquestions.org/questions/linux-security-4/aide-detects-added-new-file-incorrectly-4175428377/)

dman777 09-21-2012 08:44 AM

Aide Detects Added New File Incorrectly
 
Why is aide detecting these cron directories as added and new? I added them before I created/initialized the aide database.

Code:

webserver ~ # lr
total 32K
drwx------  2 root root 4.0K Sep 21 13:18 .
drwxr-xr-x 21 root root 4.0K Sep 19 04:47 ..
-rw-------  1 root root 9.9K Sep 21 01:36 .bash_history
-rw-r--r--  1 root root    0 Jun 20 21:45 .keep
-rw-------  1 root root  48 Sep 21 01:24 .lesshst
-rw-------  1 root root 5.9K Sep 21 13:03 .viminfo
webserver ~ # lr /var/spool/cron/lastrun/cron.weekly
-rw-r--r-- 1 root root 0 Sep 21 03:40 /var/spool/cron/lastrun/cron.weekly
webserver ~ # date
Fri Sep 21 13:18:46 CDT 2012
webserver ~ # aide -i && cp aide.db.new aide.db && aide

AIDE, version 0.14.2

### AIDE database at /root/aide.db.new initialized.

AIDE found differences between database and filesystem!!
Start timestamp: 2012-09-21 13:20:10

Summary:
  Total number of files:        324705
  Added files:                        6
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/spool/cron/lastrun/cron.weekly
added: /var/spool/cron/lastrun/cron.monthly
added: /var/spool/cron/lastrun/.keep_sys-process_cronbase-0
added: /var/spool/cron/lastrun/cron.hourly
added: /var/spool/cron/lastrun/cron.daily
added: /etc/udev/rules.d/.keep_sys-fs_udev-0

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


Directory: /root
  Mtime    : 2012-09-21 13:18:57              , 2012-09-21 13:20:10
  Ctime    : 2012-09-21 13:18:57              , 2012-09-21 13:20:10
webserver ~ #

Code:

webserver ~ # cat /etc/aide/aide.conf
# AIDE conf

database=file:/root/aide.db
database_out=file:/root/aide.db.new

# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes

# Here are all the things we can check - these are the default rules
#
#p:      permissions
#i:      inode
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#md5:    md5 checksum
#sha1:  sha1 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#R:      p+i+n+u+g+s+m+c+md5
#L:      p+i+n+u+g
#E:      Empty group
#>:      Growing logfile p+u+g+i+n+S
#haval:        haval checksum
#gost:          gost checksum
#crc32:        crc32 checksum

# Defines formerly set here have been moved to /etc/default/aide.

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
All = p+i+n+u+g+s+b+m+c+md5+sha1
NoModTime = p+i+n+u+g+s+b+md5+sha1

/ All
/run n+u+g
=/var$ NoModTime
=/var/lib$ NoModTime
=/var/mlocate$ NoModTime
=/var/lib/misc$ NoModTime
=/var/lib/misc/random-seed$ NoModTime
=/var/lib/iptables/rules-save$ NoModTime
=/var/spool/cron/lastrun$ NoModTime
=/etc$ NoModTime
=/etc/udev/rules.d$ NoModTime
=/etc/mtab$ NoModTime
/tmp NoModTime


!/var/log$
!/home/one/.bash_history$
!/home/one/.bash_logout$
!/root/.bash_history$
!/root/.bash_logout$
!/home/one/to_go.tar$
!/var/lib/mlocate/mlocate.db$
!/proc$
!/dev$
!/sys$
!/root/aide.db$
!/root/aide.db.new$
!/root/.viminfo$


unSpawn 09-22-2012 12:01 PM

Quote:

Originally Posted by dman777 (Post 4785817)
Why is aide detecting these cron directories as added and new?

AFAIK because you set a specific rule for directory /var/spool/cron/lastrun but none for files underneath.
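
To see concretely what the posted rules cover, here is a small Python parser for the aide.conf group and selection-line syntax (added example, not code from the thread or from AIDE itself). It reports which selection lines' regexes match a given path and which attributes NoModTime leaves unchecked compared with All; it only models the regex level, where the trailing $ on the lastrun line means it matches the directory and nothing beneath it, and does not model how AIDE picks between several matching lines. The OPTION_KEYS list used to tell config options apart from group definitions is an assumption, and the embedded config is a constructed excerpt of the one posted above.

```python
import re

# Constructed excerpt of the aide.conf posted in the thread (the lines that matter here).
AIDE_CONF = """\
database=file:/root/aide.db
gzip_dbout=yes
All = p+i+n+u+g+s+b+m+c+md5+sha1
NoModTime = p+i+n+u+g+s+b+md5+sha1
/ All
/run n+u+g
=/var/spool/cron/lastrun$ NoModTime
!/root/.bash_history$
"""
# Compound groups AIDE predefines (taken from the comment block of the posted config).
BUILTIN_GROUPS = {"R": "p+i+n+u+g+s+m+c+md5", "L": "p+i+n+u+g",
                  ">": "p+u+g+i+n+S", "E": ""}
# Assumption: config options are told apart from group definitions by this name list.
OPTION_KEYS = {"database", "database_out", "database_new", "gzip_dbout",
               "verbose", "report_url"}
KINDS = {"/": "regular", "=": "equals", "!": "negative"}

def expand(attrs, groups):
    """Expand 'p+i+NoModTime' into the set of primitive attribute names."""
    out = set()
    for tok in attrs.split("+"):
        out |= expand(groups[tok], groups) if tok in groups else ({tok} if tok else set())
    return out

def parse_conf(text):
    """Return (groups, selections); a selection is (kind, regex, attribute set)."""
    groups, selections = dict(BUILTIN_GROUPS), []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]\w*)\s*=\s*(\S+)$", line)
        if m and m.group(1) not in OPTION_KEYS:
            groups[m.group(1)] = m.group(2)      # custom group, e.g. NoModTime
        elif line[0] in KINDS:
            regex, _, attrs = (line[1:] if line[0] in "=!" else line).partition(" ")
            selections.append((KINDS[line[0]], regex, expand(attrs.strip(), groups)))
    return groups, selections

def matching_lines(path, selections):
    """Selection lines whose regex matches path; like AIDE the regex is anchored at
    the start only (re.match) and reaches the end only if the line ends in '$'."""
    return [s for s in selections if re.match(s[1], path)]

GROUPS, SELECTIONS = parse_conf(AIDE_CONF)
```

Calling matching_lines("/var/spool/cron/lastrun/cron.weekly", SELECTIONS) returns only the "/ All" line, while the directory itself also matches the equals line.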

dman777 09-22-2012 01:10 PM

Thank you for your reply. Aide isn't too popular and I am having trouble getting answers.

The /var/spool/cron/lastrun/ rule is to say "do all the attributes but don't do modification or ctime checks of this one directory (does not apply to children)". My problem is that the files underneath /var/spool/cron/lastrun/ already existed before I ran aide -i (initialized), but yet the newly initialized database doesn't contain them. Then when I run a check using that database to verify against, it finds the new files and reports them. This is even more confusing because it is using the same config/attributes as when the database was created.

unSpawn 09-22-2012 01:47 PM

Quote:

Originally Posted by dman777 (Post 4786672)
Thank you for your reply. Aide isn't too popular and I am having trouble getting answers.

You're welcome. If you don't get any answers here then there's always the aide users mailing list.


Quote:

Originally Posted by dman777 (Post 4786672)
My problem is that the files underneath /var/spool/cron/lastrun/ already existed before I ran aide -i (initialized), but yet the newly initialized database doesn't contain them. Then when I run a check using that database to verify against, it finds the new files and reports them. This is even more confusing because it is using the same config/attributes as when the database was created.

Indeed, now that you've explained it again, that is odd. What does running --update, then not copying over the database, and then running --compare show? Before you do, please check if your default verbosity level is at 5 or over, or else it may not report much, I think.

dman777 09-24-2012 01:30 PM

I tried the above recommendations but still got the same outcome. However, I couldn't get compare to work:

Code:

webserver ~ # lr
total 32M
drwx------  2 root root 4.0K Sep 24 18:09 .
drwxr-xr-x 22 root root 4.0K Sep 24 04:16 ..
-rw-------  1 root root  17K Sep 24 08:45 .bash_history
-rw-r--r--  1 root root    0 Jun 20 21:45 .keep
-rw-------  1 root root  48 Sep 21 01:24 .lesshst
-rw-------  1 root root 9.5K Sep 24 07:11 .viminfo
-rw-------  1 root root  16M Sep 24 18:09 aide.db
-rw-------  1 root root  16M Sep 24 18:15 aide.db.new
webserver ~ # date
Mon Sep 24 18:21:01 CDT 2012
webserver ~ # aide --compare aide.db aide.db
Extra parameters given
webserver ~ # aide --compare aide.db       
Extra parameters given
webserver ~ # aide --help
Aide 0.14.2

Usage: aide [options] command

Commands:
  -i, --init                Initialize the database
  -C, --check                Check the database
  -u, --update                Check and update the database non-interactively
      --compare                Compare two databases

Miscellaneous:
  -D, --config-check        Test the configuration file
  -v, --version                Show version of AIDE and compilation options
  -h, --help                Show this help message

Options:
  -c [cfgfile]        --config=[cfgfile]        Get config options from [cfgfile]
  -B "OPTION"        --before="OPTION"        Before configuration file is read define OPTION
  -A "OPTION"        --after="OPTION"        After configuration file is read define OPTION
  -r [reporter]        --report=[reporter]        Write report output to [reporter] url
  -V[level]        --verbose=[level]        Set debug message level to [level]

webserver ~ # aide --compare aide.db aide.db
aide.db      aide.db.new 
webserver ~ # aide --compare aide.db aide.db.new
Extra parameters given
webserver ~ # aide --compare  aide.db.new
Extra parameters given
webserver ~ # aide --compare             
Must have both input databases defined for database compare.
webserver ~ # aide --compare < aide.db.new
Must have both input databases defined for database compare.
webserver ~ #


unSpawn 09-24-2012 07:15 PM

'grep ^database_new= /etc/aide/aide.conf'?

