[Aide] DARC - Distributed Aide Runtime Controller

Bob Proulx bob at proulx.com
Fri May 27 07:16:36 EEST 2005


jacob martinson wrote:
> The process works like this:

Thanks for sharing that.  I think you are on the right track.  Mostly
because I do the same thing here too.  It just seems like the right
way to monitor systems.  Let me share my hackish process as well.
It is nowhere near as fleshed out as yours.  But I use it daily on my
systems.

> - For each host being monitored, a platform-specific aide binary is
> copied by sftp to the target host.  The filename can be made random if
> you have a random text generator available on the management system.

I use a name that is unique-enough in my environment.

  tmpdir=/var/tmp/$(hostname).$$

Then I ensure that it will be created by root, trying to avoid race
case attacks.  Note that 'mkdir -m' does perform the chmod as a second
step and the two are not atomic operations.  I am just combining them
for compactness not atomicity.

  ssh $host "until mkdir -m 0700 $tmpdir; do rm -rf $tmpdir; done"

After this all work is done in the subdirectory.  I set a trap to make
sure that if things get interrupted that the program is killed and the
directory cleaned up.  This cleanup is by no means perfect but it has
seemed to be good-enough.

  trap 'ssh $host "PATH=/usr/bin:/bin:/usr/sbin:/sbin:$PATH ; fuser -k $tmpdir/aide ; rm -rf $tmpdir"' EXIT

> - The aide binary is executed over ssh in "initialize" mode with the
> configuration fed to aide's stdin.
> - The resulting databases are written to aide's stdout and captured to
> the filesystem of the management server, and the remote binaries are
> deleted over sftp.

I am using scp instead of sftp.

> - Aide processes on the management system compare the new databases to
> existing baselines and a single report is generated with output from
> any "differences found" reports.

I don't combine reports.  But I grep through the output looking for
different clues and then mail a summary.  If the summary warrants it
then I look at the full report.

> It's implemented in shell and is in a working, but crude state at this
> point.  The python version will have the following improvements:
> 
> - easier configuration
> - better error handling and reporting 
> - pluggable/configurable alert methods
> - "nicer" reporting, with summary/executive info at the top (# hosts
> checked, # hosts with violations, # hosts we were unable to check b/c
> of network or authentication problems, etc)
> - better concurrency control for really large environments

Looks interesting.  Perhaps one day I will replace my quick hacks with
your new project.

Bob
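
Added example (not Bob's script and not DARC code): one pass of the loop
both posts describe, written as a small POSIX sh script.  It pushes a
private aide binary, creates the working directory with a bounded version
of Bob's mkdir-retry loop, runs aide --init over ssh with the config on
stdin and the database on stdout, compares on the management host, cleans
up from an EXIT trap, and greps the report down to a one-line summary the
way Bob describes.  Assumptions, all outside what the thread states: an
aide.conf that sets "database_out=stdout" and "report_url=stderr" so the
database is the only thing on stdout; an AIDE build whose --config=- reads
the config from stdin and whose --compare diffs "database" against
"database_new" (check aide(1) for the version you ship); ssh, scp, awk and
fuser where shown; and a temp-directory name we choose ourselves, so it
holds no shell metacharacters.  The sample report at the end is
constructed, modelled on AIDE's summary block.

```sh
#!/bin/sh
# Added example, not Bob's script and not DARC code.  See the lead-in for
# the assumptions about aide's flags and config.

# Shell text that creates DIR with mode 0700 on the target's root shell.
# mkdir(2) is the atomic check-and-create; "umask 077" makes the mode right
# at creation instead of via a later chmod.  If something already sits at
# DIR it is removed and mkdir retried, but only 5 times, so a path the loop
# cannot clear fails the run instead of spinning forever.  DIR is one we
# pick (/var/tmp/HOST.PID), assumed free of shell metacharacters.
mkdir_loop_script() {
    printf 'n=5; until (umask 077 && mkdir %s 2>/dev/null); do rm -rf %s 2>/dev/null; n=$((n-1)); [ $n -gt 0 ] || exit 1; done' "$1" "$1"
}

# The same loop run locally (exercises the generated text; on a target it
# goes through ssh).  Prints DIR on success, returns 1 when it gives up.
private_tmpdir() {
    sh -c "$(mkdir_loop_script "$1")" || return 1
    printf '%s\n' "$1"
}

# One host: HOST AIDE_BIN CONF BASELINE_DB.  The compare report goes to
# stdout; the new database is left beside the baseline as BASELINE_DB.new.
check_host() {
    host=$1; aide_bin=$2; conf=$3; basedb=$4
    tmpdir="/var/tmp/$host.$$"
    newdb="$basedb.new"
    # Cleanup runs whether we finish or get interrupted.  PATH is pinned so
    # nothing in the remote account's PATH can shadow fuser or rm; "fuser -k"
    # kills a still-running aide before its directory is removed.
    trap 'ssh "$host" "PATH=/usr/bin:/bin:/usr/sbin:/sbin; fuser -k $tmpdir/aide; rm -rf $tmpdir" 2>/dev/null' EXIT
    ssh "$host" "$(mkdir_loop_script "$tmpdir")" || return 1
    scp -q "$aide_bin" "$host:$tmpdir/aide" || return 1
    # Config in on stdin, database out on stdout, report on stderr (assumed
    # aide.conf settings: database_out=stdout, report_url=stderr).
    ssh "$host" "$tmpdir/aide --init --config=-" < "$conf" > "$newdb" || return 1
    # The baseline never leaves the management host; the compare runs here.
    aide --compare --config=- <<EOF
database=file:$basedb
database_new=file:$newdb
EOF
}

# Reduce a report to "host: A added, R removed, C changed" for the summary
# mail.  Accepts both the older "Added files:" and the newer "Added entries:"
# wording of AIDE's summary block; leading indentation is ignored by awk's
# field splitting.
summarize_report() {
    awk -v host="$1" '
        $1 == "Added"   && ($2 == "files:" || $2 == "entries:") { a = $NF }
        $1 == "Removed" && ($2 == "files:" || $2 == "entries:") { r = $NF }
        $1 == "Changed" && ($2 == "files:" || $2 == "entries:") { c = $NF }
        END { printf "%s: %d added, %d removed, %d changed\n", host, a+0, r+0, c+0 }'
}

# Constructed sample report, modelled on AIDE's summary block (exact wording
# differs by version); lets summarize_report be exercised offline.
sample_report() {
    cat <<'EOF'
AIDE found differences between database and filesystem!!
Summary:
  Total number of entries:      1423
  Added entries:                2
  Removed entries:              0
  Changed entries:              1
EOF
}

# Usage: sh darc-lite.sh HOST ./aide-linux-x86_64 aide.conf baselines/HOST.db
if [ $# -eq 4 ]; then
    check_host "$1" "$2" "$3" "$4" | summarize_report "$1"
fi
```

Two things worth noting.  The retry loop is generated as text and shipped
over ssh, so the exact command that runs on the target is the one tested
locally through private_tmpdir; the bound of five attempts is the only
behavioural difference from Bob's "until mkdir" line.  And the summary
function is the grep-for-clues step: if the counts are all zero the mail
can say so in one line, and the full report is still on stderr of the
--init run and stdout of the --compare run if it is needed.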
