[Aide] My personal guide to AIDE

Russell Gadd russ.mail.lists at googlemail.com
Sat Mar 15 20:09:44 EET 2008


Hi Marc,

Glad to make your acquaintance.

Marc Haber wrote:
> Hi Russell,
>
> On Thu, Feb 21, 2008 at 02:36:28PM +0000, Russell Gadd wrote:
>   
>> I have just set up AIDE in Debian, and have made the following guide for my
>> own use as I will probably forget these details later. I offer these to
>> anyone interested. Please let me know of any errors here. Feel free to use
>> as you desire - no guarantees.
>>     
>
> I really appreciate that effort.
>
>   
Well I'm pleased to be able to give something back to Debian, albeit 
small. I'm pretty new to Linux trying to convert from Windows (user for 
many years) and have only a rudimentary knowledge of bash, *nix tools, 
etc. Partly why I want to document things I have figured out.

The background to my usage is that I have an old (perfectly good) Compaq 
which I picked up for nothing (ran Windows 98 and was considered 
obsolete and was being scrapped) and have set it up solely to use for my 
personal internet banking. I'm nervous of using a browser on my main PC 
which, although I'm not cavalier with my internet usage, may become 
compromised. I only visit bank sites with the Compaq and I also have 
added the second multibooted system to keep a regular check on the 
banking system. Both are fairly minimal installs, the banking one uses 
XFCE running Firefox and the other hasn't had any gui installed, just 
the basic command line in order to run Aide. It's got a 30G hard drive 
but I'm only using about 3Gig. Later on I might look for a cheap 
secondhand laptop to replace this, due to space restrictions.
> <snip>
>   
>> On installation, debconf is used to query the user whether to initialize the
>> AIDE database and whether to automatically place the new database at a place
>> where aide can pick it up as a reference. aideinit, the script used to
>> initialize the database, has a man page. [NOTE - I HAVEN'T USED DEBCONF -
>> DOESN'T SEEM A PROBLEM]
>>     
>
> It isn't a problem at all, the scripts invoked by debconf are just
> sophisticated versions of aide --init and cp /var/lib/aide/aide.db.new
> /var/lib/aide/aide.db.
>
> Do you want me to document that in the package?
>
>   
Would be worth a mention.
> <snip>
>   
>> Usage
>> =====
>> After installing, first look at /etc/default/aide and edit it for any tweaks
>> you want to make - the comments in it are sufficient explanation. I have
>> only modified MAILSUBJ to include the date, as otherwise my email system
>> (gmail) attaches all the reports together. Then run aideinit to initialise
>> the database. At this point if the cron job is run you would get no
>> differences reported.
>>     
>
> Actually, you would probably get a report for a new file
> /var/lib/aide/aide.db.
>
> I have added the idea with the date to the documentation.
>
>   
I use
MAILSUBJ="AIDE file integrity report $(date +"%Y-%m-%d %H:%M")"

but I expect you would want to keep $FQDN in
MAILSUBJ="AIDE file integrity report for $FQDN  $(date +"%Y-%m-%d %H:%M")"

Would you maybe add this as an alternative commented out line in the file?
>> Altering the file checking configuration
>> ========================================
>>
>> When you get long output you may want to adjust the configuration. The
>> manual for the aide binary is useful but when it talks about modifying the
>> config you have to bear in mind that the Debian config is generated
>> automatically from a series of config files in /etc/aide/aide.conf.d. The
>> actual basic config file /etc/aide/aide.conf is only a short header. The
>> real work of adjusting the config is done by modifying or adding to the
>> files in /etc/aide/aide.conf.d. Some of these files are just path patterns
>> (as in the aide manual) and some are bash scripts. I have only included the
>> path patterns in my file so it is not executable (making it executable
>> fails).
>>     
>
> I do not understand the last sentence. Can you please explain?
>
>   
Some of the files in /etc/aide/aide.conf.d are scripts. When run these 
appear to output the aide patterns (I called them "path patterns") to 
standard output. The non-executable files are just lists of path 
patterns. It obviously doesn't make sense to make these executable - for 
some reason I seem to remember that initially I made mine executable (I 
don't know why) and something went wrong, not quite sure why it should 
actually matter, but is it to do with how your routines distinguish 
between scripts and lists?

But I think this is just a red herring anyway. I think my comment should 
be removed and replaced by a better explanation of the 2 different types 
of file in /etc/aide/aide.conf.d. Something like:

    When you get long output you may want to adjust the configuration.
    The manual for the aide binary is useful but when it talks about
    modifying the config you have to bear in mind that the Debian config
    is generated automatically from a series of config files in
    /etc/aide/aide.conf.d. The actual basic config file
    /etc/aide/aide.conf is only a short header. The real work of
    adjusting the config is done by modifying or adding to the files in
    /etc/aide/aide.conf.d. Most of these files are just path patterns
    (as in the aide manual) - for example look at the file
    31_aide_syslog. However some are bash scripts, which just output
    patterns to stdout. To see how they work try executing one and see
    what it produces, e.g. 10_aide_hostname or 70_aide_dev. Personally
    in my own adjustments I have just used lists, but in some situations
    a script may be more efficient.

> <snip>
> Greetings
> Marc
>
>   
Sorry about the missing spaces - I think this was due to cutting and 
pasting in the email client.

Best wishes
Russell
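As an added illustration of the two kinds of entries in /etc/aide/aide.conf.d that the mail describes (plain pattern lists versus executable scripts that print patterns to stdout), the shell functions below model that assembly step and add a sanity check for a list that has mistakenly been made executable. This is example code, not the Debian package's own update script: the file names (31_sample_syslog, 10_sample_hostname), the rules they contain and the temporary directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Model of the /etc/aide/aide.conf.d mechanism described in the mail:
# non-executable files are copied into the generated config verbatim,
# executable files are run and whatever they print becomes config.
# Added example; it does not reproduce the Debian update-aide.conf script.

# build_sample_confd DIR: populate DIR with two constructed sample entries.
build_sample_confd() {
    dir="$1"
    mkdir -p "$dir"
    # A plain list of path patterns (the 31_aide_syslog style).
    cat > "$dir/31_sample_syslog" <<'EOF'
/var/log/syslog$ Growing
/var/log/auth.log$ Growing
EOF
    chmod 0644 "$dir/31_sample_syslog"
    # A hypothetical generator script (the 10_aide_hostname style): the
    # second rule is derived from the machine name at generation time.
    cat > "$dir/10_sample_hostname" <<'EOF'
#!/bin/sh
printf '/etc/hostname$ VarFile\n'
printf '/var/log/%s.log$ Growing\n' "$(uname -n 2>/dev/null || echo localhost)"
EOF
    chmod 0755 "$dir/10_sample_hostname"
}

# assemble_config DIR: print the combined rule set in glob (name) order.
# Executable entries are run and their stdout captured; all other regular
# files are copied as they are.
assemble_config() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -x "$f" ]; then
            "$f"
        else
            cat "$f"
        fi
    done
}

# count_rules DIR: number of non-blank, non-comment rule lines produced.
count_rules() {
    assemble_config "$1" | grep -c -v -e '^#' -e '^$'
}

# check_confd DIR: flag executable entries with no '#!' line, i.e. a
# pattern list that was chmod +x'ed by mistake (the situation the mail
# mentions). Warnings go to stderr; the count of such files is printed.
check_confd() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        if ! head -c 2 "$f" | grep -q '^#!'; then
            echo "warning: $f is executable but has no #! line" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}
```

To try it by hand: `tmp=$(mktemp -d); build_sample_confd "$tmp"; assemble_config "$tmp"; check_confd "$tmp"`. Running check_confd before regenerating the config is the cheap way to catch the executable-list mistake, since a list without a shebang is otherwise handed to the shell as a script and its pattern lines are interpreted as commands.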

