LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-21-2012, 08:44 AM   #1
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 224

Rep: Reputation: 8
Aide Detects Added New File Incorrectly


Why is aide detecting these cron directories as added and new? I added them before I created/initialized the aide database.

Code:
webserver ~ # lr
total 32K
drwx------  2 root root 4.0K Sep 21 13:18 .
drwxr-xr-x 21 root root 4.0K Sep 19 04:47 ..
-rw-------  1 root root 9.9K Sep 21 01:36 .bash_history
-rw-r--r--  1 root root    0 Jun 20 21:45 .keep
-rw-------  1 root root   48 Sep 21 01:24 .lesshst
-rw-------  1 root root 5.9K Sep 21 13:03 .viminfo
webserver ~ # lr /var/spool/cron/lastrun/cron.weekly
-rw-r--r-- 1 root root 0 Sep 21 03:40 /var/spool/cron/lastrun/cron.weekly
webserver ~ # date
Fri Sep 21 13:18:46 CDT 2012
webserver ~ # aide -i && cp aide.db.new aide.db && aide

AIDE, version 0.14.2

### AIDE database at /root/aide.db.new initialized.

AIDE found differences between database and filesystem!!
Start timestamp: 2012-09-21 13:20:10

Summary:
  Total number of files:	324705
  Added files:			6
  Removed files:		0
  Changed files:		1


---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/spool/cron/lastrun/cron.weekly
added: /var/spool/cron/lastrun/cron.monthly
added: /var/spool/cron/lastrun/.keep_sys-process_cronbase-0
added: /var/spool/cron/lastrun/cron.hourly
added: /var/spool/cron/lastrun/cron.daily
added: /etc/udev/rules.d/.keep_sys-fs_udev-0

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


Directory: /root
  Mtime    : 2012-09-21 13:18:57              , 2012-09-21 13:20:10
  Ctime    : 2012-09-21 13:18:57              , 2012-09-21 13:20:10
webserver ~ #
Code:
webserver ~ # cat /etc/aide/aide.conf 
# AIDE conf

database=file:/root/aide.db
database_out=file:/root/aide.db.new

# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes

# Here are all the things we can check - these are the default rules 
#
#p:      permissions
#i:      inode
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#md5:    md5 checksum
#sha1:   sha1 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#R:      p+i+n+u+g+s+m+c+md5
#L:      p+i+n+u+g
#E:      Empty group
#>:      Growing logfile p+u+g+i+n+S
#haval:         haval checksum
#gost:          gost checksum
#crc32:         crc32 checksum

# Defines formerly set here have been moved to /etc/default/aide.

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
All = p+i+n+u+g+s+b+m+c+md5+sha1
NoModTime = p+i+n+u+g+s+b+md5+sha1

/ All
/run n+u+g
=/var$ NoModTime
=/var/lib$ NoModTime
=/var/mlocate$ NoModTime
=/var/lib/misc$ NoModTime
=/var/lib/misc/random-seed$ NoModTime
=/var/lib/iptables/rules-save$ NoModTime
=/var/spool/cron/lastrun$ NoModTime
=/etc$ NoModTime
=/etc/udev/rules.d$ NoModTime
=/etc/mtab$ NoModTime
/tmp NoModTime


!/var/log$
!/home/one/.bash_history$
!/home/one/.bash_logout$
!/root/.bash_history$
!/root/.bash_logout$
!/home/one/to_go.tar$
!/var/lib/mlocate/mlocate.db$
!/proc$
!/dev$
!/sys$
!/root/aide.db$
!/root/aide.db.new$
!/root/.viminfo$

Last edited by dman777; 09-21-2012 at 08:45 AM.
 
Old 09-22-2012, 12:01 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790
Quote:
Originally Posted by dman777
Why is aide detecting these cron directories as added and new?
AFAIK because you set a specific rule for directory /var/spool/cron/lastrun but none for files underneath.
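As an added illustration of the point unSpawn makes (this is not code from the thread or from AIDE itself): a small Python triage script that parses an AIDE report like the one above and lists the reported-added paths sitting directly beneath a directory covered by an `=` (equals) selection line, which matches the directory entry itself and not its children. The report and config excerpts embedded below are constructed from the first post, and the script assumes equals-line patterns are literal paths ending in `$`, as they are in this aide.conf.

```python
import re

# Constructed excerpt of the AIDE report from the first post (trimmed).
REPORT = """\
Summary:
  Total number of files: 324705
  Added files: 6
  Removed files: 0
  Changed files: 1

added: /var/spool/cron/lastrun/cron.weekly
added: /var/spool/cron/lastrun/cron.monthly
added: /etc/udev/rules.d/.keep_sys-fs_udev-0

changed: /root
"""

# Constructed excerpt of the selection lines from the posted aide.conf.
CONFIG = """\
/ All
=/var/spool/cron/lastrun$ NoModTime
=/etc/udev/rules.d$ NoModTime
!/root/.viminfo$
"""

def parse_report(text):
    """Collect the added/removed/changed paths listed in an AIDE report."""
    result = {"added": [], "removed": [], "changed": []}
    for line in text.splitlines():
        m = re.match(r"^(added|removed|changed): (\S+)$", line)
        if m:
            result[m.group(1)].append(m.group(2))
    return result

def equals_rule_dirs(config):
    """Return the directories named by '=' selection lines, without the '$' anchor.
    Assumption: the pattern is a literal path, not a wider regex."""
    dirs = []
    for line in config.splitlines():
        if line.startswith("="):
            dirs.append(line[1:].split()[0].rstrip("$"))
    return dirs

def children_of_equals_rules(report, config):
    """Map each '=' rule directory to the added paths directly beneath it.
    Those entries are not covered by the equals line, which only matches the
    directory entry itself, so they need a selection line of their own."""
    findings = {}
    for d in equals_rule_dirs(config):
        hits = [p for p in report["added"] if p.rsplit("/", 1)[0] == d]
        if hits:
            findings[d] = hits
    return findings

if __name__ == "__main__":
    for d, paths in children_of_equals_rules(parse_report(REPORT), CONFIG).items():
        print(f"{d} (equals rule) has {len(paths)} added child(ren): {paths}")
```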
 
Old 09-22-2012, 01:10 PM   #3
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 224

Original Poster
Rep: Reputation: 8
Thank you for your reply. Aide isn't too popular and I am having trouble getting answers.

The /var/spool/cron/lastrun/ line is to say "do all the attributes but don't do modification or ctime checks of this one directory" (does not apply to children). My problem is that the files underneath /var/spool/cron/lastrun/ already existed before I ran aide -i (initialized), and yet the newly initialized database doesn't contain them. Then when I run a check using that database to verify against, it finds the new files and reports them. This is even more confusing because it is using the same config/attributes as when the database was created.

Last edited by dman777; 09-22-2012 at 01:12 PM.
 
Old 09-22-2012, 01:47 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790
Quote:
Originally Posted by dman777
Thank you for your reply. Aide isn't too popular and I am having trouble getting answers.
You're welcome. If you don't get any answers here then there's always the aide users mailing list.


Quote:
Originally Posted by dman777
My problem is that the files underneath /var/spool/cron/lastrun/ already existed before I ran aide -i (initialized), and yet the newly initialized database doesn't contain them. Then when I run a check using that database to verify against, it finds the new files and reports them. This is even more confusing because it is using the same config/attributes as when the database was created.
Indeed, now that you've explained it again, that is odd. What does running --update, then not copying over the database and then running --compare show? Before you do, please check if your default verbosity level is at 5 or over, or else it may not report much, I think.

Last edited by unSpawn; 09-24-2012 at 02:08 PM. Reason: //Typo
 
Old 09-24-2012, 01:30 PM   #5
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 224

Original Poster
Rep: Reputation: 8
I tried the above recommendations but still the same outcome. However, I couldn't get compare to work:

Code:
webserver ~ # lr
total 32M
drwx------  2 root root 4.0K Sep 24 18:09 .
drwxr-xr-x 22 root root 4.0K Sep 24 04:16 ..
-rw-------  1 root root  17K Sep 24 08:45 .bash_history
-rw-r--r--  1 root root    0 Jun 20 21:45 .keep
-rw-------  1 root root   48 Sep 21 01:24 .lesshst
-rw-------  1 root root 9.5K Sep 24 07:11 .viminfo
-rw-------  1 root root  16M Sep 24 18:09 aide.db
-rw-------  1 root root  16M Sep 24 18:15 aide.db.new
webserver ~ # date
Mon Sep 24 18:21:01 CDT 2012
webserver ~ # aide --compare aide.db aide.db
Extra parameters given
webserver ~ # aide --compare aide.db        
Extra parameters given
webserver ~ # aide --help
Aide 0.14.2 

Usage: aide [options] command

Commands:
  -i, --init		Initialize the database
  -C, --check		Check the database
  -u, --update		Check and update the database non-interactively
      --compare		Compare two databases

Miscellaneous:
  -D, --config-check	Test the configuration file
  -v, --version		Show version of AIDE and compilation options
  -h, --help		Show this help message

Options:
  -c [cfgfile]	--config=[cfgfile]	Get config options from [cfgfile]
  -B "OPTION"	--before="OPTION"	Before configuration file is read define OPTION
  -A "OPTION"	--after="OPTION"	After configuration file is read define OPTION
  -r [reporter]	--report=[reporter]	Write report output to [reporter] url
  -V[level]	--verbose=[level]	Set debug message level to [level]

webserver ~ # aide --compare aide.db aide.db 
aide.db      aide.db.new  
webserver ~ # aide --compare aide.db aide.db.new 
Extra parameters given
webserver ~ # aide --compare  aide.db.new 
Extra parameters given
webserver ~ # aide --compare              
Must have both input databases defined for database compare.
webserver ~ # aide --compare < aide.db.new 
Must have both input databases defined for database compare.
webserver ~ #
 
Old 09-24-2012, 07:15 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790
'grep ^database_new= /etc/aide/aide.conf'?
 
  

