Can someone post a sample aide.conf file here? For AIDE IDS

abefroman · 04-06-2008, 02:47 PM

Can someone post a sample aide.conf file here? For AIDE IDS

I know there is one in the doc but that doesn't have much in it.

TIA

unSpawn · 04-08-2008, 09:04 AM

I'm willing to help you with it but you should consider it a learning process, meaning you *have* to be willing to invest minimal time in it. Else you won't be able to understand and diagnose the output anyway. Start by posting what dirs and files you'd like to monitor (or exclude from monitoring), what you think would be the right attributes to check and what results running that configuration produced.

abefroman · 04-08-2008, 10:15 PM

Thanks! This is a appreciated and I am willing to learn, I just need a quick pointer or two to get me in the right direction.

I am having trouble understanding what syntax to use.

Lets say I want to monitor my index.html page for a change in the checksum

In aide.conf I'd think it'd be something like
/home/abe/public_html/index.html=md5

Is that close?

unSpawn · 04-09-2008, 05:31 AM

Quote:

Originally Posted by abefroman

I am having trouble understanding what syntax to use.

The default configuration file Aide comes with provides lots of examples. It explains (lists) each attribute it can check, how to compound attributes and how to apply them to entities.

Quote:

Originally Posted by abefroman

Lets say I want to monitor my index.html page for a change in the checksum
In aide.conf I'd think it'd be something like
/home/abe/public_html/index.html=md5

Since none of the custom rules do what you (think you) want, create your own. Declare it below the attribute explanations but above the files to check:
MD5ONLY = md5

then add the ruleset to your file:
/home/abe/public_html/index.html MD5ONLY

and that should be it. Often operations on or access to certain files is restricted to a specific user. A change of the MD5 hash shows the entities contents changed, but not much else. So the trade-off for less checks to perform is a quicker run, at the expense of less details in the database (and thus in reporting). Also, unless there's overruling requirements, not all system area's need to be checked at the same time. If you take for instance a system that is properly hardened, runs one service (say database), has a limited set of unprivileged users (enough for services to run and admins to SSH in) and is not exposed to the 'net directly (since serving data to a frontend and access restrictions are in effect) then the risk of exposure becomes different compared to a machine that is exposed to the 'net, runs multiple services and has multiple (changing) local user accounts. The database machine could well have separate configuration files and cronjobs targetting system binaries and configuration files, database entities and such.

abefroman · 04-11-2008, 02:33 PM

Thanks!

Its giving me an error though:
root@test [~/aide-0.13.1]# aide
124:syntax error:.
124:Error while reading configuration:.
Configuration error

Got any ideas?

This is the line in question:
122:# make check
123:
124:#Selection regexp rule
125:@@{TOPDIR}/.* Norm

This is my full config file:
root@test3 [~/aide-0.13.1]# cat /usr/local/etc/aide.conf
#
# AIDE 0.13.1
#
# example configuration file
#
# IMPORTANT NOTE!! PLEASE READ
#
# This configuration file checks the integrity of the
# AIDE package.
#
# This file is not intended to be used as the primary aide.conf file for
# your system. This file is intended to be a showcase for different
# features for aide.conf file.
#
# WRITE YOUR OWN CONFIGURATION FILE AND UNDERSTAND WHAT YOU ARE WRITING
#
#
# Default values for the parameters are in comments before the
# corresponding line.
#

@@define TOPDIR ..

@@ifndef TOPDIR
@@define TOPDIR /
@@endif

@@ifdef DEBUG
@@define DEBUG ison
@@undef NOT_DEBUG
@@else
@@define NOT_DEBUG true
@@undef DEBUG
@@endif

@@ifhost korppi
@@define KORPPI yes
@@endif

@@ifnhost ftp
@@define BUMMER true
@@endif

# The location of the database to be read.
#database=file:aide.db
database=file:@@{TOPDIR}/doc/aide.db

# The location of the database to be written.
#database_out=sql:host

ort:database:login_name

asswd:table
#database_out=file:aide.db.new
database_out=file:aide.db.new

# Whether to gzip the output to database
# gzip_dbout=no

#verbose=5
verbose=20

#report_url=stdout
#other possibilities
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#report_url=file:/tmp/some_file.txt
#report_url=syslog:LOG_AUTH
report_url=stdout

# @@{TOPDIR} is replaced with .. when
# read by aide.
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+l+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S+acl+selinux+xattrs
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available when explicitly enabled using configure:
#acl: access control list
#selinux SELinux security context
#xattr: extended file attributes

# Rule definition
All=R+a+sha1+rmd160+sha256+sha512+whirlpool

# report_attributes is a special rule definition
# the attributes listed in it are alway displayed for changed files
# in the final report
#report_attributes = u+g

# ignore_list is a special rule definition
# the attributes listed in it are not displayed in the
# final report, it overrules report_attributes where they conflict
#ignore_list = b

# Attributes that can be used to verify that aide in intact
# by people that have downloaded it from the web.
# Let's be paranoid
Norm=l+s+n+b+md5+sha1+rmd160+sha256+sha512+whirlpool
MD5ONLY=md5

# The commented rules are just examples the rest are used by
# make check

#Selection regexp rule
@@{TOPDIR}/.* Norm
#Equals selection only the directory doc is checked and not it's children
#=@@{TOPDIR}/doc L
#Negative selection no rule is necessary but ignored if there
!@@{TOPDIR}/.*~
!@@{TOPDIR}/src/.*\.o
!@@{TOPDIR}/src/(aide|core)$ L
!@@{TOPDIR}/.*RCS
!@@{TOPDIR}/.*CVS
!@@{TOPDIR}/.*aide\.db.*
!@@{TOPDIR}/.*\.cvsignore.*
# @@{TOPDIR}/doc/.* All

/root/test p+i+l+n+u+g+s+m+c+md5
/home/abe/public_html/index.html MD5ONLY

unSpawn · 04-11-2008, 07:03 PM

I'm slightly disappointed. The config clearly reads "This file is not intended to be used as the primary aide.conf file for your system. This file is intended to be a showcase for different features for aide.conf file. WRITE YOUR OWN CONFIGURATION FILE AND UNDERSTAND WHAT YOU ARE WRITING". Fixing the TOPDIR and database defines and using "-D" to test the result should get you going.

abefroman · 04-11-2008, 10:18 PM

Sorry, that was a pretty stupid question, I should have caught that.

Thank you for your help so far.

I've been playing with this for a few hours, studying the config file and changing various things, but its giving an error I can't figure out:
File database must have one db_spec specification

What does that mean?

Its also not recognizing the md5sum change of my test file and just keep saying its adding it.

root@test [~]# aide -D
root@test [~]# aide --init

AIDE, version 0.13.1

### AIDE database at aide.db.new initialized.

root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-11 22:06:34

Summary:
Total number of files: 5
Added files: 1
Removed files: 0
Changed files: 0

---------------------------------------------------
Added files:
---------------------------------------------------

added: /home/abe/public_html/index.html
root@test [~]# md5sum /home/abe/public_html/index.html
95f2ef4835d4e5c316256085f83dfb7e /home/abe/public_html/index.html
root@test [~]# echo "hi">>/home/abe/public_html/index.html
root@test [~]# md5sum /home/abe/public_html/index.html
4d72c29eab6071d8e4b61ad08646b37c /home/abe/public_html/index.html
root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-11 22:07:04

Summary:
Total number of files: 5
Added files: 1
Removed files: 0
Changed files: 0

---------------------------------------------------
Added files:
---------------------------------------------------

added: /home/abe/public_html/index.html
root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-11 22:07:11

Summary:
Total number of files: 5
Added files: 1
Removed files: 0
Changed files: 0

---------------------------------------------------
Added files:
---------------------------------------------------

added: /home/abe/public_html/index.html

unSpawn · 04-12-2008, 05:52 AM

Quote:

Originally Posted by abefroman

Sorry, that was a pretty stupid question, I should have caught that.

No, it's not because it's a stupid question (there are no stupid questions: not asking *that's* stupid) but because I was just hoping you would be more careful, thorough given the stakes involved. That's all.

Quote:

Originally Posted by abefroman

File database must have one db_spec specification
What does that mean?

It means you must have exactly one database=file:/location/of/name.of.in.db and exactly one database_out=file:/location/of/name.of.out.db. The one marked "name.of.in.db" is the database Aide creates on --init and "name.of.out.db" the database it creates on --check.

Quote:

Originally Posted by abefroman

Its also not recognizing the md5sum change of my test file and just keep saying its adding it.
root@test [~]# aide -D
root@test [~]# aide --init
root@test [~]# aide
File database must have one db_spec specification
AIDE found differences between database and filesystem!!

Well, at least it noticed the difference...
You must give Aide exactly one action to perform, and you already did --config-check and --init, so then comes --check.

abefroman · 04-12-2008, 06:25 AM

Thanks! It works now.

The problem was it wasn't making the initial database.

I had to do
cp aide.db.new aide.db

and then run
aide
(which is the same as aide --check)

Before it was giving me this error:
File database must have one db_spec specification
because I create a blank file for it to write to, aide.db, and never checked to see if it was actually writing the initial database to that file. So it was giving that error because it didn't contain a db_spec statement:
@@db_spec name lname attr md5
/home/abe/public_html/index.html 0 4097 TXLCnqtgcdjkthrQhkazfA==
@@end_db

Here is the correct output which it gives now, thanks again for the help, now I'll start writing real rules.
# aide
AIDE found differences between database and filesystem!!
Start timestamp: 2008-04-12 06:02:46

Summary:
Total number of files: 5
Added files: 0
Removed files: 0
Changed files: 1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /home/abe/public_html/index.html

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /home/abe/public_html/index.html
MD5 : TXLCnqtgcdjkthrQhkazfA== , XC8wIliP4UIPZaGRgK7Pog==

unSpawn · 04-12-2008, 08:18 AM

Good to see you got it to work. Now which files to include in the database...