[Aide] My personal guide to AIDE

Russell Gadd russ.mail.lists at googlemail.com
Thu Feb 21 16:36:28 EET 2008


I have just set up AIDE in Debian, and have made the following guide for my
own use as I will probably forget these details later. I offer these to
anyone interested. Please let me know of any errors here. Feel free to use
as you desire - no guarantees.

Russell's guide to AIDE
=======================

This just applies to Debian's version of AIDE.

Extracts from README.Debian:
============================

Debian's aide packages add some value and functionality to AIDE. Most of
this functionality is delivered by scripts and is configured via the Debian
configuration file in /etc/default/aide.

The AIDE configuration used by the Debian scripts is maintained in
/etc/aide/aide.conf and /etc/aide/aide.conf.d. The script
update-aide.conf is used to concatenate /etc/aide/aide.conf
and /etc/aide/aide.conf.d to
/var/lib/aide/config.autogenerated, which is the input configuration file
for the actual aide binary. The databases are kept in /var/lib/aide by
default. update-aide.conf has a man page.

The Debian scripts invoke aide via the wrapper /usr/bin/aide.wrapper which
gives Debian-specific parameters to the aide binary. If you intend to use
AIDE for your own use, please note that aide is compiled to use /dev/null as
the default configuration file, so you _always_ need to give the path to a
configuration file. This is to prevent a local invocation of aide from
messing with the Debian database.

On installation, debconf is used to query the user whether to initialize the
AIDE database and whether to automatically place the new database at a place
where aide can pick it up as a reference. aideinit, the script used to
initialize the database, has a man page. [NOTE - I HAVEN'T USED DEBCONF -
DOESN'T SEEM A PROBLEM]

Main work of the aide package happens in a daily cron job, which is
installed to /etc/cron.daily/aide and thus runs as part of cron.daily processing.

Standard output ends up in /var/log/aide/aide.log, and standard error in
/var/log/aide/error.log.

The cron job then mails aide's output to the address configured as MAILTO if
either
  - reportable changes have been found or
  - no reportable changes have been found and QUIETREPORTS is not
    set to "yes".
These mails go to root by default.

That means, that if QUIETREPORTS="yes", no message with contents "no changes
detected, everything is fine" will be sent.

If NOISE is set to a regular expression, lines matching are filtered out in
the e-mail report. This is commonly used in environments where some changes
are not important enough to be part of the e-mail report that is read by
humans, but should be in the log nevertheless for future reference. A
second, not de-noised copy of the output is included as well.

Usage
=====
After installing, first look at /etc/default/aide and edit it for any tweaks
you want to make - the comments in it are sufficient explanation. I have
only modified MAILSUBJ to include the date, as otherwise my email system
(gmail) attaches all the reports together. Then run aideinit to initialise
the database. At this point if the cron job is run you would get no
differences reported.

As above AIDE runs automatically as a cron job. I actually use anacron since
my PC is not on 24/7 - this means AIDE is run a few minutes after I log in
in the morning. It takes around 25 minutes on my system (PIII 600MHz). This
is dependent on how many files you have to check and also how many hashes
you use. Using all the hashes seems like overkill, but as this runs in the
background I keep all these.

If you want to run AIDE manually just type /etc/cron.daily/aide (logged in
as root). If AIDE is already running (due to cron or anacron) this will
abort at some stage.

At this point you need do no more, you should get daily AIDE reports.

Altering the file checking configuration
========================================

When you get long output you may want to adjust the configuration. The
manual for the aide binary is useful but when it talks about modifying the
config you have to bear in mind that the Debian config is generated
automatically from a series of config files in /etc/aide/aide.conf.d. The
actual basic config file /etc/aide/aide.conf is only a short header. The
real work of adjusting the config is done by modifying or adding to the
files in /etc/aide/aide.conf.d. Some of these files are just path patterns
(as in the aide manual) and some are bash scripts. I have only included the
path patterns in my file so it is not executable (making it executable
fails).

I have created my own file 50_aide_russells which contains all my
modifications. The number at the front of the filename appears to be used by
the aide wrapper to decide on the order of processing of these files. Most
of the standard applications appear as number 31 so my adjustments come
later than this. Read the notes in the AIDE manual
http://www.cs.tut.fi/%7Erammer/aide/manual.html about the importance of the
order of the rules (especially the sentence: "It is generally a good idea to
write the most general rules last.").

Some gotchas about setting up your aide.conf.d files:
  - Make sure you escape any dots in filenames:
      !/home/(anotheruser|russell)/\.cache/xfce4/desktop
    The round brackets in the above line are useful for specifying
    alternatives to make the spec shorter.
  - Add a $ to the end of the line if you are specifying only one file:
      !/var/log/exim4/mainlog$
  - If you add directories or files to be checked don't forget to add the
    checking rule at the end (in this case Logs):
      /var/log/cups Logs
  - You can include comment lines with hashes.
  - Sort your lines to make it easier to find and modify later.
  - You can use variables (I haven't); extract from
    http://linux.die.net/man/5/aide.conf:
      @@define VAR val
        Define variable VAR to value val
      Later in the file you can use @@{VAR} anywhere:
        @@{VAR} is replaced with the value of the variable VAR. If variable
        VAR is not defined an empty string is used. One special VAR is
        @@{HOSTNAME} which is substituted for the hostname of the current
        system.
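The two regex gotchas above (an unescaped dot, and a missing $) are easy to check before rebuilding a 22MB database. The script below is an added example, not part of Russell's guide or of the Debian aide package: it mimics how AIDE compares a rule against a path, assuming (as the aide.conf man page describes) that the rule is an extended regex anchored at the start of the path but not at the end. The function names and the sample paths are constructed for this example; "/home/russell/xcache" is an invented directory that exists only to show what an unescaped dot can match.

```shell
#!/bin/sh
# Added example (not from Russell's guide or Debian's aide scripts).
# rule_matches and count_matches are this example's own names; AIDE itself
# is assumed to treat a rule as an ERE matched from the start of the path.

# Constructed sample paths, one per line.
SAMPLE_PATHS='/var/log/exim4/mainlog
/var/log/exim4/mainlog.1
/var/log/exim4/mainlog-20080221
/home/russell/.cache/xfce4/desktop
/home/russell/xcache/xfce4/desktop
/home/anotheruser/.cache/xfce4/desktop'

# rule_matches RULE PATH -> exit 0 if RULE matches PATH the way AIDE would:
# strip a leading ! or = selector, then match the regex anchored at the start.
rule_matches() {
    _rule=$1
    _path=$2
    case $_rule in
        '!'*|'='*) _rule=${_rule#?} ;;
    esac
    printf '%s\n' "$_path" | grep -Eq -- "^$_rule"
}

# count_matches RULE -> number of SAMPLE_PATHS that RULE matches
count_matches() {
    _n=0
    for _p in $SAMPLE_PATHS; do
        if rule_matches "$1" "$_p"; then _n=$((_n + 1)); fi
    done
    echo "$_n"
}

# Stand-alone demonstration: without $ the mainlog rule also swallows the
# rotated logs; without \. the cache rule also matches "xcache".
for r in '!/var/log/exim4/mainlog' \
         '!/var/log/exim4/mainlog$' \
         '!/home/(anotheruser|russell)/.cache/xfce4/desktop' \
         '!/home/(anotheruser|russell)/\.cache/xfce4/desktop'; do
    printf '%-55s matches %s sample path(s)\n' "$r" "$(count_matches "$r")"
done
```

Run it as plain sh; each rule is printed with the number of sample paths it matches, so the effect of adding $ or escaping the dot is visible without touching /etc/aide.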

After modifying any config files you need to reinitialise the database. I
suggest
  update-aide.conf && aideinit -y -f
update-aide.conf does the conversion of the multiple config files into
/var/lib/aide/config.autogenerated. It looks like it is run in the aideinit
script, but my bash isn't good enough to be sure of this, so I executed it
first anyway; it only takes a second or two. aideinit recreates the database
and the options -y -f ensure it is written over the old version.
The next cron run will use the updated config and database.

Personal notes on my system
===========================
My aide.db is 22MB - no chance of getting it on a floppy!

I have 2 Debian systems on my PC multibooted. One is used solely to run AIDE
and when it is run, it mounts the other system's partition under a directory
called mymain. (When booted by the boot manager, the main system can't see
the AIDE checking system's partition, so this is secure from compromise by
the main system.) When running the AIDE check, I can therefore check both
systems at the same time. I use the same rules for both systems. So to do
this I have made a special fix (see the sed line below) in the script
/usr/sbin/update-aide.conf (near the end of this script) which adds a prefix
"(|mymain) " to all the paths AFTER update-aide.conf has processed all the
aide.conf.d files. (I got this idea from "how to audit vservers and chroots
from the host system" in README.Debian):

      #********* the sed line below was inserted by Russell
      #********* (note I've used semicolons as a sed delimiter to avoid confusion with /)
      #********* this appends "(|mymain)" to the front of all paths specified
      #********* in order to process the subdirectory tree of mymain system as well as this system
      #********* also need to add to /etc/aide/aide.conf
      #*********    @@define PREFIX (|mymain)

      (cat ${UPAC_confdir}/aide.conf 2>/dev/null; cat_parts ${UPAC_confd}) | \
        removecomments \
        | sed '\;^[=!/]; s;/;/@@{PREFIX};' \
        >> ${UPAC_outputfile}.tmp

Resulting lines in /var/lib/aide/config.autogenerated look like:
!/@@{PREFIX}tmp/amanda/runtar.200[0-9]{11,14}.debug$
/@@{PREFIX}tmp/amanda$ VarDir