Can someone post a sample aide.conf file here? For AIDE IDS
I know there is one in the doc but that doesn't have much in it. TIA
I'm willing to help you with it but you should consider it a learning process, meaning you *have* to be willing to invest minimal time in it. Else you won't be able to understand and diagnose the output anyway. Start by posting what dirs and files you'd like to monitor (or exclude from monitoring), what you think would be the right attributes to check and what results running that configuration produced.
Thanks! This is appreciated and I am willing to learn, I just need a quick pointer or two to get me in the right direction.
I am having trouble understanding what syntax to use. Let's say I want to monitor my index.html page for a change in the checksum. In aide.conf I'd think it'd be something like /home/abe/public_html/index.html=md5. Is that close?
MD5ONLY = md5 then add the ruleset to your file: /home/abe/public_html/index.html MD5ONLY and that should be it. Often operations on or access to certain files is restricted to a specific user. A change of the MD5 hash shows the entity's contents changed, but not much else. So the trade-off for fewer checks to perform is a quicker run, at the expense of less detail in the database (and thus in reporting). Also, unless there are overruling requirements, not all system areas need to be checked at the same time. If you take for instance a system that is properly hardened, runs one service (say database), has a limited set of unprivileged users (enough for services to run and admins to SSH in) and is not exposed to the 'net directly (since serving data to a frontend and access restrictions are in effect) then the risk of exposure becomes different compared to a machine that is exposed to the 'net, runs multiple services and has multiple (changing) local user accounts. The database machine could well have separate configuration files and cronjobs targeting system binaries and configuration files, database entities and such.
Thanks!
It's giving me an error though:

root@test [~/aide-0.13.1]# aide
124:syntax error:.
124:Error while reading configuration:.
Configuration error

Got any ideas? This is the line in question:

122:# make check
123:
124:#Selection regexp rule
125:@@{TOPDIR}/.* Norm

This is my full config file:

root@test3 [~/aide-0.13.1]# cat /usr/local/etc/aide.conf
#
# AIDE 0.13.1
#
# example configuration file
#
# IMPORTANT NOTE!! PLEASE READ
#
# This configuration file checks the integrity of the
# AIDE package.
#
# This file is not intended to be used as the primary aide.conf file for
# your system. This file is intended to be a showcase for different
# features for aide.conf file.
#
# WRITE YOUR OWN CONFIGURATION FILE AND UNDERSTAND WHAT YOU ARE WRITING
#
#
# Default values for the parameters are in comments before the
# corresponding line.
#
@@define TOPDIR ..
@@ifndef TOPDIR
@@define TOPDIR /
@@endif
@@ifdef DEBUG
@@define DEBUG ison
@@undef NOT_DEBUG
@@else
@@define NOT_DEBUG true
@@undef DEBUG
@@endif
@@ifhost korppi
@@define KORPPI yes
@@endif
@@ifnhost ftp
@@define BUMMER true
@@endif
# The location of the database to be read.
#database=file:aide.db
database=file:@@{TOPDIR}/doc/aide.db
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:aide.db.new
# Whether to gzip the output to database
# gzip_dbout=no
#verbose=5
verbose=20
#report_url=stdout
#other possibilities
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#report_url=file:/tmp/some_file.txt
#report_url=syslog:LOG_AUTH
report_url=stdout
# @@{TOPDIR} is replaced with .. when
# read by aide.
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+l+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S+acl+selinux+xattrs
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available when explicitly enabled using configure:
#acl: access control list
#selinux SELinux security context
#xattr: extended file attributes
# Rule definition
All=R+a+sha1+rmd160+sha256+sha512+whirlpool
# report_attributes is a special rule definition
# the attributes listed in it are alway displayed for changed files
# in the final report
#report_attributes = u+g
# ignore_list is a special rule definition
# the attributes listed in it are not displayed in the
# final report, it overrules report_attributes where they conflict
#ignore_list = b
# Attributes that can be used to verify that aide in intact
# by people that have downloaded it from the web.
# Let's be paranoid
Norm=l+s+n+b+md5+sha1+rmd160+sha256+sha512+whirlpool
MD5ONLY=md5
# The commented rules are just examples the rest are used by
# make check
#Selection regexp rule
@@{TOPDIR}/.* Norm
#Equals selection only the directory doc is checked and not it's children
#=@@{TOPDIR}/doc L
#Negative selection no rule is necessary but ignored if there
!@@{TOPDIR}/.*~
!@@{TOPDIR}/src/.*\.o
!@@{TOPDIR}/src/(aide|core)$ L
!@@{TOPDIR}/.*RCS
!@@{TOPDIR}/.*CVS
!@@{TOPDIR}/.*aide\.db.*
!@@{TOPDIR}/.*\.cvsignore.*
# @@{TOPDIR}/doc/.* All
/root/test p+i+l+n+u+g+s+m+c+md5
/home/abe/public_html/index.html MD5ONLY
I'm slightly disappointed. The config clearly reads "This file is not intended to be used as the primary aide.conf file for your system. This file is intended to be a showcase for different features for aide.conf file. WRITE YOUR OWN CONFIGURATION FILE AND UNDERSTAND WHAT YOU ARE WRITING". Fixing the TOPDIR and database defines and using "-D" to test the result should get you going.
Sorry, that was a pretty stupid question, I should have caught that.
Thank you for your help so far. I've been playing with this for a few hours, studying the config file and changing various things, but it's giving an error I can't figure out: File database must have one db_spec specification. What does that mean? It's also not recognizing the md5sum change of my test file and just keeps saying it's adding it.

root@test [~]# aide -D
root@test [~]# aide --init
AIDE, version 0.13.1
### AIDE database at aide.db.new initialized.
root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-11 22:06:34
Summary:
Total number of files: 5
Added files: 1
Removed files: 0
Changed files: 0
---------------------------------------------------
Added files:
---------------------------------------------------
added: /home/abe/public_html/index.html
root@test [~]# md5sum /home/abe/public_html/index.html
95f2ef4835d4e5c316256085f83dfb7e /home/abe/public_html/index.html
root@test [~]# echo "hi">>/home/abe/public_html/index.html
root@test [~]# md5sum /home/abe/public_html/index.html
4d72c29eab6071d8e4b61ad08646b37c /home/abe/public_html/index.html
root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-11 22:07:04
Summary:
Total number of files: 5
Added files: 1
Removed files: 0
Changed files: 0
---------------------------------------------------
Added files:
---------------------------------------------------
added: /home/abe/public_html/index.html
root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-11 22:07:11
Summary:
Total number of files: 5
Added files: 1
Removed files: 0
Changed files: 0
---------------------------------------------------
Added files:
---------------------------------------------------
added: /home/abe/public_html/index.html
You must give Aide exactly one action to perform, and you already did --config-check and --init, so then comes --check.
Thanks! It works now.
The problem was it wasn't making the initial database. I had to do cp aide.db.new aide.db and then run aide (which is the same as aide --check). Before it was giving me this error: File database must have one db_spec specification, because I created a blank file for it to write to, aide.db, and never checked to see if it was actually writing the initial database to that file. So it was giving that error because it didn't contain a db_spec statement:

@@db_spec name lname attr md5
/home/abe/public_html/index.html 0 4097 TXLCnqtgcdjkthrQhkazfA==
@@end_db

Here is the correct output which it gives now, thanks again for the help, now I'll start writing real rules.

# aide
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-12 06:02:46
Summary:
Total number of files: 5
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /home/abe/public_html/index.html
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /home/abe/public_html/index.html
MD5 : TXLCnqtgcdjkthrQhkazfA== , XC8wIliP4UIPZaGRgK7Pog==
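As an added illustration (not code from the thread or from the AIDE project), the following Python reads the db_spec block quoted above, reproduces the "no db_spec" failure for a blank aide.db, and shows why the MD5 column does not look like md5sum's output: AIDE stores the same digest base64-encoded. The sample database text is constructed from the values in the post; the space-separated column layout is an assumption based on that excerpt.

```python
import base64
import hashlib

# Constructed sample in the layout the thread shows: a @@db_spec header naming
# the columns, one row per monitored entry, and an @@end_db terminator.
SAMPLE_DB = """@@db_spec name lname attr md5
/home/abe/public_html/index.html 0 4097 TXLCnqtgcdjkthrQhkazfA==
@@end_db
"""


def parse_aide_db(text):
    """Return {path: {column: value}} for the rows between @@db_spec and @@end_db.

    Raises ValueError when no @@db_spec header is present, which is what an
    empty aide.db (the situation in the thread) amounts to.
    """
    columns, rows = None, {}
    for line in text.splitlines():
        if line.startswith("@@db_spec"):
            columns = line.split()[1:]          # column names follow the keyword
        elif line.startswith("@@end_db"):
            break
        elif line.startswith("@@") or not line.strip() or columns is None:
            continue                            # other directives / blank lines
        else:
            fields = line.split()
            if len(fields) != len(columns):
                raise ValueError("row does not match db_spec: " + line)
            rows[fields[0]] = dict(zip(columns, fields))
    if columns is None:
        raise ValueError("database has no @@db_spec header")
    return rows


def md5_b64(data):
    """MD5 of data in the base64 form AIDE writes to its database."""
    return base64.b64encode(hashlib.md5(data).digest()).decode()


def b64_to_hex(b64):
    """Convert a base64 digest from the database to the hex that md5sum prints."""
    return base64.b64decode(b64).hex()


def compare(db, path, data):
    """Classify a file the way aide --check reports it: added, changed or unchanged."""
    if path not in db:
        return "added"
    return "unchanged" if db[path]["md5"] == md5_b64(data) else "changed"
```

Decoding the stored value TXLCnqtgcdjkthrQhkazfA== gives 4d72c29eab6071d8e4b61ad08646b37c, the second md5sum line in the earlier post, so the database did record the modified file once it was actually written.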
Good to see you got it to work. Now which files to include in the database...