LinuxQuestions.org
Old 04-06-2008, 02:47 PM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,257

Rep: Reputation: 53
Can someone post a sample aide.conf file here? For AIDE IDS

I know there is one in the doc but that doesn't have much in it.

TIA
 
Old 04-08-2008, 09:04 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,269
Blog Entries: 54

Rep: Reputation: 2852
I'm willing to help you with it but you should consider it a learning process, meaning you *have* to be willing to invest minimal time in it. Else you won't be able to understand and diagnose the output anyway. Start by posting what dirs and files you'd like to monitor (or exclude from monitoring), what you think would be the right attributes to check and what results running that configuration produced.
 
Old 04-08-2008, 10:15 PM   #3
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,257

Original Poster
Rep: Reputation: 53
Thanks! This is appreciated and I am willing to learn, I just need a quick pointer or two to get me in the right direction.

I am having trouble understanding what syntax to use.

Let's say I want to monitor my index.html page for a change in the checksum

In aide.conf I'd think it'd be something like
/home/abe/public_html/index.html=md5

Is that close?

Last edited by abefroman; 04-08-2008 at 10:16 PM.
 
Old 04-09-2008, 05:31 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,269
Blog Entries: 54

Rep: Reputation: 2852
Quote:
Originally Posted by abefroman View Post
I am having trouble understanding what syntax to use.
The default configuration file Aide comes with provides lots of examples. It explains (lists) each attribute it can check, how to compound attributes and how to apply them to entities.


Quote:
Originally Posted by abefroman View Post
Let's say I want to monitor my index.html page for a change in the checksum
In aide.conf I'd think it'd be something like
/home/abe/public_html/index.html=md5
Since none of the custom rules do what you (think you) want, create your own. Declare it below the attribute explanations but above the files to check:
MD5ONLY = md5

then add the ruleset to your file:
/home/abe/public_html/index.html MD5ONLY

and that should be it. Often operations on or access to certain files are restricted to a specific user. A change of the MD5 hash shows the entity's contents changed, but not much else. So the trade-off for fewer checks to perform is a quicker run, at the expense of less detail in the database (and thus in reporting). Also, unless there are overruling requirements, not all system areas need to be checked at the same time. If you take for instance a system that is properly hardened, runs one service (say database), has a limited set of unprivileged users (enough for services to run and admins to SSH in) and is not exposed to the 'net directly (since serving data to a frontend and access restrictions are in effect) then the risk of exposure becomes different compared to a machine that is exposed to the 'net, runs multiple services and has multiple (changing) local user accounts. The database machine could well have separate configuration files and cronjobs targeting system binaries and configuration files, database entities and such.
 
Old 04-11-2008, 02:33 PM   #5
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,257

Original Poster
Rep: Reputation: 53
Thanks!

It's giving me an error though:
root@test [~/aide-0.13.1]# aide
124:syntax error:.
124:Error while reading configuration:.
Configuration error

Got any ideas?

This is the line in question:
122:# make check
123:
124:#Selection regexp rule
125:@@{TOPDIR}/.* Norm

This is my full config file:
root@test3 [~/aide-0.13.1]# cat /usr/local/etc/aide.conf
#
# AIDE 0.13.1
#
# example configuration file
#
# IMPORTANT NOTE!! PLEASE READ
#
# This configuration file checks the integrity of the
# AIDE package.
#
# This file is not intended to be used as the primary aide.conf file for
# your system. This file is intended to be a showcase for different
# features for aide.conf file.
#
# WRITE YOUR OWN CONFIGURATION FILE AND UNDERSTAND WHAT YOU ARE WRITING
#
#
# Default values for the parameters are in comments before the
# corresponding line.
#

@@define TOPDIR ..

@@ifndef TOPDIR
@@define TOPDIR /
@@endif

@@ifdef DEBUG
@@define DEBUG ison
@@undef NOT_DEBUG
@@else
@@define NOT_DEBUG true
@@undef DEBUG
@@endif

@@ifhost korppi
@@define KORPPI yes
@@endif

@@ifnhost ftp
@@define BUMMER true
@@endif

# The location of the database to be read.
#database=file:aide.db
database=file:@@{TOPDIR}/doc/aide.db

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:aide.db.new

# Whether to gzip the output to database
# gzip_dbout=no

#verbose=5
verbose=20

#report_url=stdout
#other possibilities
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#report_url=file:/tmp/some_file.txt
#report_url=syslog:LOG_AUTH
report_url=stdout

# @@{TOPDIR} is replaced with .. when
# read by aide.
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+l+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S+acl+selinux+xattrs
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available when explicitly enabled using configure:
#acl: access control list
#selinux SELinux security context
#xattr: extended file attributes

# Rule definition
All=R+a+sha1+rmd160+sha256+sha512+whirlpool

# report_attributes is a special rule definition
# the attributes listed in it are alway displayed for changed files
# in the final report
#report_attributes = u+g

# ignore_list is a special rule definition
# the attributes listed in it are not displayed in the
# final report, it overrules report_attributes where they conflict
#ignore_list = b

# Attributes that can be used to verify that aide in intact
# by people that have downloaded it from the web.
# Let's be paranoid
Norm=l+s+n+b+md5+sha1+rmd160+sha256+sha512+whirlpool
MD5ONLY=md5

# The commented rules are just examples the rest are used by
# make check

#Selection regexp rule
@@{TOPDIR}/.* Norm
#Equals selection only the directory doc is checked and not it's children
#=@@{TOPDIR}/doc L
#Negative selection no rule is necessary but ignored if there
!@@{TOPDIR}/.*~
!@@{TOPDIR}/src/.*\.o
!@@{TOPDIR}/src/(aide|core)$ L
!@@{TOPDIR}/.*RCS
!@@{TOPDIR}/.*CVS
!@@{TOPDIR}/.*aide\.db.*
!@@{TOPDIR}/.*\.cvsignore.*
# @@{TOPDIR}/doc/.* All

/root/test p+i+l+n+u+g+s+m+c+md5
/home/abe/public_html/index.html MD5ONLY

Last edited by abefroman; 04-11-2008 at 02:47 PM.
 
Old 04-11-2008, 07:03 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,269
Blog Entries: 54

Rep: Reputation: 2852
I'm slightly disappointed. The config clearly reads "This file is not intended to be used as the primary aide.conf file for your system. This file is intended to be a showcase for different features for aide.conf file. WRITE YOUR OWN CONFIGURATION FILE AND UNDERSTAND WHAT YOU ARE WRITING". Fixing the TOPDIR and database defines and using "-D" to test the result should get you going.
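An added example, not code from the thread or from the AIDE project: a small Python parser for the aide.conf subset discussed in posts #4 and #6 (@@define with @@{VAR} substitution, NAME = attr+attr rule definitions, database=/database_out=, and regex, equals (=) and negative (!) selection lines). It expands compound rules such as L+md5 into the attributes they imply and, like the configuration check unSpawn suggests, rejects a line it cannot interpret (including a selection that is not an absolute path, which is what TOPDIR=.. produces) and a configuration without exactly one database= and one database_out=. SAMPLE and the paths in it are constructed.

```python
import re

# Built-in compound groups, as listed in the example aide.conf quoted above
BUILTIN = {"R": "p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5",
           "L": "p+i+l+n+u+g+acl+selinux+xattrs", "E": ""}

def expand(rule, rules):  # flatten 'A+b+c' (A may name another rule) into attributes
    attrs = set()
    for tok in filter(None, rule.split("+")):
        attrs |= expand(rules[tok], rules) if tok in rules else {tok}
    return attrs

def parse_conf(text):  # -> ({"database": [...], "database_out": [...]}, selections)
    rules, defines = dict(BUILTIN), {}
    db, selections = {"database": [], "database_out": []}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"@@define\s+(\w+)\s+(\S+)", line):    # @@define VAR value
            defines[m[1]] = m[2]
            continue
        # @@{VAR} is replaced by its defined value before the line is interpreted
        line = re.sub(r"@@\{(\w+)\}", lambda v: defines.get(v[1], v[0]), line)
        if m := re.match(r"(database(?:_out)?)\s*=\s*(\S+)$", line):
            db[m[1]].append(m[2])
        elif m := re.match(r"(\w+)\s*=\s*(\S+)$", line):        # NAME = attr+attr+...
            rules[m[1]] = m[2]
        elif line[0] in "/=!":   # regex, equals (=) or negative (!) selection line
            path, *rule = line.split()
            kind = {"=": "equals", "!": "negative"}.get(path[0], "regex")
            attrs = expand(rule[0], rules) if rule else set()
            selections.append((kind, path.lstrip("=!"), attrs))
        else:   # e.g. '../.* Norm' after TOPDIR=.. : not an absolute path, so rejected
            raise ValueError(f"{lineno}:syntax error: {raw}")
    for key, vals in db.items():   # exactly one database= and one database_out=
        if len(vals) != 1:
            raise ValueError(f"need exactly one {key}= line, found {len(vals)}")
    return db, selections
# Constructed sample configuration in the shape post #4 describes
SAMPLE = """\
@@define TOPDIR /home/abe
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
MD5ONLY = md5
WEB = L+md5
@@{TOPDIR}/public_html/index.html MD5ONLY
=@@{TOPDIR}/public_html WEB
!@@{TOPDIR}/public_html/.*\\.bak
"""
```

Calling parse_conf(SAMPLE) returns the two database locations and one (kind, path, attributes) tuple per selection line; an unknown rule name is passed through as if it were an attribute, so check the output against the attribute list in the config comments.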
 
Old 04-11-2008, 10:18 PM   #7
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,257

Original Poster
Rep: Reputation: 53
Sorry, that was a pretty stupid question, I should have caught that.

Thank you for your help so far.

I've been playing with this for a few hours, studying the config file and changing various things, but it's giving an error I can't figure out:
File database must have one db_spec specification

What does that mean?

It's also not recognizing the md5sum change of my test file and just keeps saying it's adding it.

root@test [~]# aide -D
root@test [~]# aide --init

AIDE, version 0.13.1

### AIDE database at aide.db.new initialized.

root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-11 22:06:34

Summary:
Total number of files: 5
Added files: 1
Removed files: 0
Changed files: 0


---------------------------------------------------
Added files:
---------------------------------------------------

added: /home/abe/public_html/index.html
root@test [~]# md5sum /home/abe/public_html/index.html
95f2ef4835d4e5c316256085f83dfb7e /home/abe/public_html/index.html
root@test [~]# echo "hi">>/home/abe/public_html/index.html
root@test [~]# md5sum /home/abe/public_html/index.html
4d72c29eab6071d8e4b61ad08646b37c /home/abe/public_html/index.html
root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-11 22:07:04

Summary:
Total number of files: 5
Added files: 1
Removed files: 0
Changed files: 0


---------------------------------------------------
Added files:
---------------------------------------------------

added: /home/abe/public_html/index.html
root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-11 22:07:11

Summary:
Total number of files: 5
Added files: 1
Removed files: 0
Changed files: 0


---------------------------------------------------
Added files:
---------------------------------------------------

added: /home/abe/public_html/index.html
 
Old 04-12-2008, 05:52 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,269
Blog Entries: 54

Rep: Reputation: 2852
Quote:
Originally Posted by abefroman View Post
Sorry, that was a pretty stupid question, I should have caught that.
No, it's not because it's a stupid question (there are no stupid questions: not asking *that's* stupid) but because I was just hoping you would be more careful and thorough, given the stakes involved. That's all.


Quote:
Originally Posted by abefroman View Post
File database must have one db_spec specification
What does that mean?
It means you must have exactly one database=file:/location/of/name.of.in.db and exactly one database_out=file:/location/of/name.of.out.db. The one marked "name.of.in.db" is the database Aide creates on --init and "name.of.out.db" the database it creates on --check.


Quote:
Originally Posted by abefroman View Post
It's also not recognizing the md5sum change of my test file and just keeps saying it's adding it.
root@test [~]# aide -D
root@test [~]# aide --init
root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Well, at least it noticed the difference...
You must give Aide exactly one action to perform, and you already did --config-check and --init, so then comes --check.
 
Old 04-12-2008, 06:25 AM   #9
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,257

Original Poster
Rep: Reputation: 53
Thanks! It works now.

The problem was it wasn't making the initial database.

I had to do
cp aide.db.new aide.db

and then run
aide
(which is the same as aide --check)

Before it was giving me this error:
File database must have one db_spec specification
because I created a blank file for it to write to, aide.db, and never checked to see if it was actually writing the initial database to that file. So it was giving that error because it didn't contain a db_spec statement:
@@db_spec name lname attr md5
/home/abe/public_html/index.html 0 4097 TXLCnqtgcdjkthrQhkazfA==
@@end_db

Here is the correct output which it gives now, thanks again for the help, now I'll start writing real rules.
# aide
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-12 06:02:46

Summary:
Total number of files: 5
Added files: 0
Removed files: 0
Changed files: 1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /home/abe/public_html/index.html

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /home/abe/public_html/index.html
MD5 : TXLCnqtgcdjkthrQhkazfA== , XC8wIliP4UIPZaGRgK7Pog==
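An added example, not code from the thread or from AIDE itself, of the database format post #9 shows: it reads a @@db_spec ... @@end_db database, recomputes each file's MD5 in the base64 form the database stores (standard base64 is an assumption here; it matches the 24-character values in the report above), and produces the added/removed/changed summary that aide --check printed. An empty database raises the same db_spec complaint abefroman hit. PATH, ORIGINAL and AIDE_DB are constructed.

```python
import base64
import hashlib

def b64md5(data):
    # AIDE stores digests base64-encoded (standard alphabet assumed; matches
    # the 24-character values in the report above)
    return base64.b64encode(hashlib.md5(data).digest()).decode()

def parse_db(text):
    """Read the subset of the AIDE db format shown above: a @@db_spec header
    naming the fields, one record per line, terminated by @@end_db."""
    fields, records = None, {}
    for line in text.splitlines():
        if line.startswith("@@db_spec"):
            fields = line.split()[1:]          # e.g. ['name', 'lname', 'attr', 'md5']
        elif line.startswith("@@end_db"):
            break
        elif fields and line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            records[rec["name"]] = rec
    if fields is None:   # an empty aide.db is exactly what produced this error in the thread
        raise ValueError("File database must have one db_spec specification")
    return records

def check(db_text, files):
    """Compare the database against current contents ({path: bytes}); mirrors
    the added/removed/changed summary of 'aide --check' for md5-only rules."""
    records = parse_db(db_text)
    report = {"added": [], "removed": [], "changed": {}}
    for path, data in files.items():
        if path not in records:
            report["added"].append(path)
        elif records[path]["md5"] != b64md5(data):
            report["changed"][path] = (records[path]["md5"], b64md5(data))
    report["removed"] = [p for p in records if p not in files]
    return report

# Constructed sample: the database --init would write for one MD5ONLY file
PATH = "/home/abe/public_html/index.html"
ORIGINAL = b"<html><body>hello</body></html>\n"
AIDE_DB = f"@@db_spec name lname attr md5\n{PATH} 0 4097 {b64md5(ORIGINAL)}\n@@end_db\n"

if __name__ == "__main__":
    # append a line, as the thread did with echo "hi" >> index.html
    result = check(AIDE_DB, {PATH: ORIGINAL + b"hi\n"})
    for path, (old, new) in result["changed"].items():
        print(f"changed: {path}\nMD5 : {old} , {new}")
```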
 
Old 04-12-2008, 08:18 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,269
Blog Entries: 54

Rep: Reputation: 2852
Good to see you got it to work. Now which files to include in the database...
 