[Aide] My personal guide to AIDE

Marc Haber mh+aide at zugschlus.de
Sat Mar 15 23:48:22 EET 2008


On Sat, Mar 15, 2008 at 06:09:44PM +0000, Russell Gadd wrote:
> Marc Haber wrote:
> >> On installation, debconf is used to query the user whether to initialize the
> >> AIDE database and whether to automatically place the new database at a place
> >> where aide can pick it up as a reference. aideinit, the script used to
> >> initialize the database, has a man page. [NOTE - I HAVEN'T USED DEBCONF -
> >> DOESN'T SEEM A PROBLEM]
> >>     
> >
> > It isn't a problem at all, the scripts invoked by debconf are just
> > sophisticated versions of aide --init and cp /var/lib/aide/aide.db.new
> > /var/lib/aide/aide.db.
> >
> > Do you want me to document that in the package?
> >
> >   
> Would be worth a mention.

But where? In the README?

> I use
> MAILSUBJ="AIDE file integrity report $(date +"%Y-%m-%d %H:%M")"
> 
> but I expect you would want to keep $FQDN in
> MAILSUBJ="AIDE file integrity report for $FQDN  $(date +"%Y-%m-%d %H:%M")"
> 
> Would you maybe add this as an alternative commented out line in the file?

The file now looks like:
# This is used as the subject for the e-mail reports.
# If your mail system only threads by subject, you might want to add
# some variable content here (for example $(date +%Y-%m-%d)).
MAILSUBJ="Daily AIDE report for $FQDN"

> >> Altering the file checking configuration
> >> ========================================
> >>
> >> When you get long output you may want to adjust the configuration. The
> >> manual for the aide binary is useful but when it talks about modifying the
> >> config you have to bear in mind that the Debian config is generated
> >> automatically from a series of config files in /etc/aide/aide.conf.d. The
> >> actual basic config file /etc/aide/aide.conf is only a short header. The
> >> real work of adjusting the config is done by modifying or adding to the
> >> files in /etc/aide/aide.conf.d. Some of these files are just path patterns
> >> (as in the aide manual) and some are bash scripts. I have only included the
> >> path patterns in my file so it is not executable (making it executable
> >> fails).
> >>     
> >
> > I do not understand the last sentence. Can you please explain?
> >
> >   
> Some of the files in /etc/aide/aide.conf.d are scripts. When run these 
> appear to output the aide patterns (I called them "path patterns") to 
> standard output. The non-executable files are just lists of path 
> patterns. It obviously doesn't make sense to make these executable - for 
> some reason I seem to remember that initially I made mine executable (I 
> don't know why) and something went wrong, not quite sure why it should 
> actually matter, but is it to do with how your routines distinguish 
> between scripts and lists?

Yes. If update-aide.conf finds a file with its x bit set, it executes
the file. Otherwise, it cats the file's contents verbatim to the
configuration. Making a file that doesn't hold shell code executable
will fail.

I could add more checks so that only files that really could be
executed will be executed, but that would break the systematics, IMO.

This is documented in update-aide.conf's man page, DESCRIPTION, first
paragraph. Is there room for improvement there?

I would re-word the last sentence of your docs like "The file only
contains path patterns that can be copied to the configuration
verbatim, so its x bit is not set. If I make the file executable,
this results in an invalid aide configuration."

> But I think this is just a red herring anyway. I think my comment should 
> be removed and replaced by a better explanation of the 2 different types 
> of file in /etc/aide/aide.conf.d. Something like:
> 
>     When you get long output you may want to adjust the configuration.
>     The manual for the aide binary is useful but when it talks about
>     modifying the config you have to bear in mind that the Debian config
>     is generated automatically from a series of config files in
>     /etc/aide/aide.conf.d. The actual basic config file
>     /etc/aide/aide.conf is only a short header. The real work of
>     adjusting the config is done by modifying or adding to the files in
>     /etc/aide/aide.conf.d. Most of these files are just path patterns
>     (as in the aide manual) - for example look at the file
>     31_aide_syslog. However some are bash scripts, which just output
>     patterns to stdout. To see how they work try executing one and see
>     what it produces  e.g. 10_aide_hostname or 70_aide_dev. Personally
>     in my own adjustments I have just used lists, but in some situations
>     a script may be more efficient.

That won't only work for bash scripts, but for everything that can be
executed and prints rules to its standard output. It is important to
note that the x bit is taken as the criterion whether to cat a file or
to execute it:

                if [ -x "$file" ]; then
                        $file
                else
                        cat $file
                fi

(taken - sans debug output - from update-aide.conf)

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
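
Added example, not part of the original mail or of update-aide.conf: a POSIX sh audit of a conf.d-style directory that applies the same [ -x ] test quoted above and flags fragments whose x bit does not match their content, plus executable fragments that are writable by group or others. The function names and class labels are this example's own, and the "#!" check is a heuristic.

```shell
#!/bin/sh
# Added example (not part of update-aide.conf): audit a conf.d-style directory
# for fragments whose x bit does not match their content.

# Print the class of one fragment, mirroring the [ -x ] test quoted above:
#   list               not executable, copied verbatim
#   script             executable and starts with "#!"
#   exec-no-shebang    executable but no "#!" (heuristic: likely a pattern
#                      list with a stray x bit; compiled programs also land here)
#   list-with-shebang  starts with "#!" but not executable, so the script
#                      source itself would be copied into the configuration
classify_fragment() {
    first=
    IFS= read -r first < "$1" || true   # first line; an empty file leaves it empty
    case $first in
        '#!'*) shebang=yes ;;
        *)     shebang=no ;;
    esac
    if [ -x "$1" ]; then
        [ "$shebang" = yes ] && echo script || echo exec-no-shebang
    else
        [ "$shebang" = yes ] && echo list-with-shebang || echo list
    fi
}

# True if the file is writable by group or others. Executed fragments run with
# the privileges of whoever regenerates the configuration.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Print "class<TAB>name" per regular file; return 1 if anything needs review.
audit_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        class=$(classify_fragment "$f")
        if [ -x "$f" ] && loosely_writable "$f"; then class=exec-writable; fi
        printf '%s\t%s\n' "$class" "${f##*/}"
        case $class in script|list) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Usage: sh audit.sh /etc/aide/aide.conf.d
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```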

