[Aide] My personal guide to AIDE

Marc Haber mh+aide at zugschlus.de
Sat Mar 15 16:26:43 EET 2008


Hi Russell,

On Thu, Feb 21, 2008 at 02:36:28PM +0000, Russell Gadd wrote:
> I have just set up AIDE in Debian, and have made the following guide for my
> own use as I will probably forget these details later. I offer these to
> anyone interested. Please let me know of any errors here. Feel free to use
> as you desire - no guarantees.

I really appreciate that effort.

> The AIDE configuration used by the Debian scripts is maintained in
> /etc/aide/aide.conf and /etc/aide/aide.conf.d. The script
> update-aide.confis used to concatenate /etc/aide/aide.conf
> and/etc/aide/aide.conf.d to
> /var/lib/aide/config.autogenerated,

s/update-aide.confis/update-aide.conf is/

> On installation, debconf is used to query the user whether to initialize the
> AIDE database and whether to automatically place the new database at a place
> where aide can pick it up as a reference. aideinit, the script used to
> initialize the database, has a man page. [NOTE - I HAVEN'T USED DEBCONF -
> DOESN'T SEEM A PROBLEM]

It isn't a problem at all; the scripts invoked by debconf are just
sophisticated versions of aide --init and cp /var/lib/aide/aide.db.new
/var/lib/aide/aide.db.

Do you want me to document that in the package?

> Main work of the aide package happens in a daily cron job, which is
> installed to /etc/cron.daily/aide and thus runs as part of
> cron.dailyprocessing.

s/cron.dailyprocessing/cron.daily processing/

> Usage
> =====
> After installing, first look at /etc/default/aide and edit it for any tweaks
> you want to make - the comments in it are sufficient explanation. I have
> only modified MAILSUBJ to include the date, as otherwise my email system
> (gmail) attaches all the reports together. Then run aideinit to initialise
> the database. At this point if the cron job is run you would get no
> differences reported.

Actually, you would probably get a report for a new file
/var/lib/aide/aide.db.

I have added the idea with the date to the documentation.

> Altering the file checking configuration
> ========================================
> 
> When you get long output you may want to adjust the configuration. The
> manual for the aide binary is useful but when it talks about modifying the
> config you have to bear in mind that the Debian config is generated
> automatically from a series of config files in /etc/aide/aide.conf.d. The
> actual basic config file /etc/aide/aide.conf is only a short header. The
> real work of adjusting the config is done by modifying or adding to the
> files in /etc/aide/aide.conf.d. Some of these files are just path patterns
> (as in the aide manual) and some are bash scripts. I have only included the
> path patterns in my file so it is not executable (making it executable
> fails).

I do not understand the last sentence. Can you please explain?

> I have created my own file 50_aide_russells which contains all my
> modifications. The number at the front of the filename appears to be used by
> the aide wrapper to decide on the order of processing of these files.

Yes, it is. The files are simply sorted alphabetically.

> After modifying any config files you need to reinitialise the database. I
> suggest
>   update-aide.conf && aideinit -y -f

That's not strictly necessary; an --update followed by a copy of the
database will suffice _and_ give a report of the changes that have
accumulated afterwards. Additionally, the aide wrapper will invoke
update-aide.conf automatically.

> update-aide.conf does the conversion of the multiple config files into
> /var/lib/aide/config.autogenerated - it looks like it is run in the aideinit
> script,

It is.

> Personal notes on my system
> ===========================
> My aide.db is 22MB - no chance of getting it on a floppy!

Yes. Unfortunately, these days, you need to choose between a complete
database or a floppy. OTOH, floppies are a relic of the past.

> I have 2 Debian systems on my PC multibooted. One is used solely to run AIDE
> and when it is run, it mounts the other system's partition under a directory
> called mymain. (When booted by the boot manager, the main system can't see
> the AIDE checking system's partition, so this is secure from compromise by
> the main system.)

I won't rely on this but use a CD or a write protected USB stick
instead (which could in turn be used to hold the database as well). A
live Linux system such as grml (which is Debian based and could host
Debian's aide package without modifications).

>       #********* the sed line below was inserted by Russell
>       #********** (note I've used semicolons as a sed delimiter to avoid confusion with /)
>       #********* this appends "(|mymain)" to the front of all paths specified
>       #********* in order to process the subdirectory tree of mymain system as well as this system
>       #********* also need to add to /etc/aide/aide.conf
>       #*********    @@define PREFIX (|mymain)
> 
>       (cat ${UPAC_confdir}/aide.conf 2>/dev/null; cat_parts ${UPAC_confd}) | \
>         removecomments \
>         | sed '\;^[=!/]; s;/;/@@{PREFIX};' \
>         >> ${UPAC_outputfile}.tmp
> 
> Resulting lines in /var/lib/aide/config.autogenerated look like:
> !/@@{PREFIX}tmp/amanda/runtar.200[0-9]{11,14}.debug$
> /@@{PREFIX}tmp/amanda$ VarDir

That's a cute idea which will be implemented in the next version of
the aide package. I changed PREFIX to ROOTPREFIX, but that's the only
change.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
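Russell's sed rewrite from the quoted post, replayed as an added example (not code from the thread or from the Debian aide package) on constructed config lines, with @@{PREFIX} expanded so the resulting rules can be checked against sample paths. It assumes the second system is mounted at /mymain and therefore defines PREFIX as (|mymain/); with the quoted (|mymain) the expanded rule reads /(|mymain)tmp/amanda$, which selects /mymaintmp/amanda but not /mymain/tmp/amanda.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Debian aide package.
# It replays the sed rewrite Russell inserted into update-aide.conf on a
# constructed sample of config lines, expands @@{PREFIX} the way a config
# preprocessor would, and reports which rule selects a given path.
# Assumption: the second system is mounted at /mymain, so PREFIX is defined
# as (|mymain/); the quoted post uses (|mymain), which expands /tmp/... to
# /(|mymain)tmp/... and therefore does not select /mymain/tmp/....

# Constructed sample of what "cat aide.conf; cat_parts" emits after removecomments.
SAMPLE='@@define PREFIX (|mymain/)
/tmp/amanda$ VarDir
!/tmp/amanda/runtar.200[0-9]{11,14}.debug$
=/var/log$ Log'

# Russell's rewrite: on lines starting with =, ! or /, put @@{PREFIX} after the first /.
add_prefix() {
    printf '%s\n' "$1" | sed '\;^[=!/]; s;/;/@@{PREFIX};'
}

# Expand @@{PREFIX} using the @@define PREFIX line found in the same text.
expand_prefix() {
    prefix=$(printf '%s\n' "$1" | sed -n 's/^@@define PREFIX[[:space:]]*//p')
    printf '%s\n' "$1" | sed "s;@@{PREFIX};$prefix;"
}

# Print the rule line whose regex selects path $2 (empty if none). AIDE anchors
# rule regexes at the start of the path; a leading = or ! is the selection
# marker and the trailing word is the rule group, neither part of the regex.
select_rule() {
    printf '%s\n' "$1" | grep -v '^@@' | while IFS= read -r line; do
        [ -n "$line" ] || continue
        regex=${line#[=!]}
        regex=${regex%% *}
        if printf '%s\n' "$2" | grep -Eq "^$regex"; then
            printf '%s\n' "$line"
        fi
    done
}

GENERATED=$(expand_prefix "$(add_prefix "$SAMPLE")")
printf '%s\n' "$GENERATED"
```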