[Aide] My personal guide to AIDE

Russell Gadd russ.mail.lists at googlemail.com
Sun Mar 16 14:31:13 EET 2008


Hi Marc,

Marc Haber wrote:
> On Sat, Mar 15, 2008 at 06:09:44PM +0000, Russell Gadd wrote:
>   
>> Marc Haber wrote:
>>     
>>>> On installation, debconf is used to query the user whether to initialize the
>>>> AIDE database and whether to automatically place the new database at a place
>>>> where aide can pick it up as a reference. aideinit, the script used to
>>>> initialize the database, has a man page. [NOTE - I HAVEN'T USED DEBCONF -
>>>> DOESN'T SEEM A PROBLEM]
>>>>     
>>>>         
>>> It isn't a problem at all, the scripts invoked by debconf are just
>>> sophisticated versions of aide --init and cp /var/lib/aide/aide.db.new
>>> /var/lib/aide/aide.db.
>>>
>>> Do you want me to document that in the package?
>>>
>>>   
>>>       
>> Would be worth a mention.
>>     
>
> but where? In the README?
>
>   

First I'd just say that I don't remember answering questions on 
installation - maybe it did ask them, I really can't remember. But my 
point is when I read "debconf is used to ..." I wasn't sure whether this 
meant that I should somehow invoke debconf or whether it should have 
been done automatically on installation. (Probably my ignorance of 
package management). So my comment was more along the lines of a 
personal note "if this is telling me to run debconf, I didn't and it 
didn't seem to matter". Later in my document I explicitly suggest running 
aideinit after tweaking /etc/default/aide.

As regards documentation, I've now had another look at it. In the hope 
it helps, I will offer up some suggestions from a user perspective. I 
think the man pages are fine and don't need any improvement. But I think 
the README could be organised slightly differently. I would move the 
section on /usr/bin/aide.wrapper to below the section on the daily cron 
job. Then you start with the top 3 paragraphs of overview, which are fine.

I would follow this by a sort of HOWTO section which covers set up and 
management. (my ideas which follow are only in outline) It would start 
by saying that in normal use aide runs unattended as a daily cron job 
/etc/cron.daily/aide which is explained below. In its default setup, if 
you do nothing more, you will start to see daily reports, which are very 
likely to contain much more output than you need to focus your attention 
on, so you will want to modify the setup. First consider the main Debian 
configuration file /etc/default/aide which is extensively commented. 
Then consider and alter or add to /etc/aide/aide.conf and 
/etc/aide/aide.conf.d (may want to mention checking the man page of 
update-aide.conf which uses these files). Mention the executable point 
here. Before doing any modifications you might want to back up ... 
(configs and databases). After doing any modifications you need to rerun 
aideinit and update the reference database otherwise on the next run you 
will get a spurious comparison between a newly generated database and 
the old reference database. You can test your new config by explicitly 
running /etc/aide/aide.conf.d (which will abort if a run is already in 
progress). However this will of course not show any changes unless some 
other processing has taken place in the system meanwhile, so you may 
want to wait a while before doing another run - suggest wait for the 
next daily job, and compare this to the last one pre-modification. Once 
you are happy that the reports are what you need, you will only need to 
revisit the setup when the output grows to be unmanageable. For example, 
whenever the system is updated you should see a lot of output showing 
the changes. Once you are satisfied that nothing is amiss with the 
updates, you can make these a permanent part of the reference database 
by rerunning aideinit again. Of course you may need to tweak the configs 
again if you install new packages.

The next section of your README then explains the daily cron job and 
further sections add special information.

If you don't think this stuff should be in a README let me know. 
Alternatively if you want me to have a stab at writing this section I'd 
be happy to make up a draft.
>> <snip>
>>
>> ...., but is it to do with how your routines distinguish 
>> between scripts and lists?
>>     
>
> Yes. If update-aide.conf finds a file with its x bit set, it executes
> the file. Otherwise, it cats the file's contents verbatim to the
> configuration. Making a file that doesn't hold shell code executable
> will fail.
>
> I could add more checks so that only files that really could be
> executed will be executed, but that would break the systematics, IMO.
>   
I agree, keep it clean.
> This is documented in update-aide.conf's man page, DESCRIPTION, first
> paragraph. Is room for improvement there?
>   
No, the man page is fine. I needed to re-read it. Please remember that 
my document is just a personal attempt to put in one place the things I 
need to be reminded of.
> I would re-word the last sentence of your docs like "The file only
> contains path patterns that can be copied to the configuration
> verbatim, so its x bit is not set. If I make the file executable,
> this results in an invalid aide configuration."
>
>   
My doc now reads:

Most of these files are just path patterns (as in the aide manual) which 
are copied to the configuration verbatim - for example look at the file 
31_aide_syslog. However some are scripts, which output the patterns to 
stdout. You could use any executable file which outputs to stdout: 
update-aide.conf determines whether to execute the file or just copy the 
text in the file according to whether the file is executable. Personally 
in my own adjustments I have just used lists.

> That won't only work for bash scripts, but for everything that can be
> executed and prints rules to its standard output. It is important to
> note that the x bit is taken as the criterion whether to cat a file or
> to execute it:
>
>                 if [ -x "$file" ]; then
>                         $file
>                 else
>                         cat $file
>                 fi
>
> (taken - sans debug output - from update-aide.conf)
>
>   
Point taken
> Greetings
> Marc
>
>   
Best wishes
Russell
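
The x-bit dispatch discussed above (execute a fragment if it is executable, otherwise copy it verbatim, and an executable plain list breaks the build) can be tried out without touching a real system. The script below is an added example written for this page, not update-aide.conf itself and not part of the aide package: assemble_conf is a minimal stand-in for the fragment-assembly loop Marc quoted, and the conf.d directory, the fragment names (31_aide_syslog, 40_gen_home), the rule lines and the DEMO_HOMES variable are all constructed for the demonstration, not taken from a Debian install.

```shell
#!/bin/sh
# Added example (not from the aide package): a minimal stand-in for the
# fragment-assembly step of update-aide.conf. Files in the conf.d directory
# are either executed (x bit set; their stdout becomes rules) or copied
# verbatim (x bit clear). Names, paths and rule lines are constructed.

# assemble_conf DIR - print the concatenated rule fragments from DIR in
# sorted name order, executing executable files and cat-ing the rest.
# Returns non-zero if a fragment fails, so a wrongly set x bit is noticed
# instead of silently producing a broken aide configuration.
assemble_conf() {
    dir="$1"
    for file in "$dir"/*; do
        [ -f "$file" ] || continue
        if [ -x "$file" ]; then
            "$file" || return 1
        else
            cat "$file" || return 1
        fi
    done
}

# build_demo_dir DIR - populate DIR with two constructed fragments:
#   31_aide_syslog : a plain pattern list (x bit clear, copied verbatim)
#   40_gen_home    : a script (x bit set) that prints one rule per name
#                    in DEMO_HOMES, defaulting to "alice bob"
build_demo_dir() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/31_aide_syslog" <<'EOF'
# plain list: copied verbatim (constructed rules, not Debian's)
/var/log/syslog$ Log
/var/log/auth.log$ Log
EOF
    cat > "$dir/40_gen_home" <<'EOF'
#!/bin/sh
# generated list: one rule per home directory name (constructed input)
for h in ${DEMO_HOMES:-alice bob}; do
    printf '/home/%s$ VarDir\n' "$h"
done
EOF
    chmod +x "$dir/40_gen_home"
}

# count_rules DIR - number of rule lines (starting with "/") in the
# assembled configuration; comment lines are not counted.
count_rules() {
    assemble_conf "$1" | grep -c '^/'
}

# bad_xbit_fails DIR - the failure mode from the thread: set the x bit on
# the plain list, so it is executed as a program. With no shebang the
# shell runs it as a script, "/var/log/syslog$" is not a command, the
# fragment exits non-zero and assembly fails. Prints "failed" or "ok",
# then restores the x bit so DIR can be reused.
bad_xbit_fails() {
    dir="$1"
    chmod +x "$dir/31_aide_syslog"
    if assemble_conf "$dir" >/dev/null 2>&1; then
        echo ok
    else
        echo failed
    fi
    chmod -x "$dir/31_aide_syslog"
}

# Stand-alone demo: run as "sh this_script.sh demo"
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    build_demo_dir "$d"
    echo "--- assembled configuration ---"
    assemble_conf "$d"
    echo "--- plain list with x bit set: $(bad_xbit_fails "$d") ---"
    rm -rf "$d"
fi
```

The point to take from the run is that the only thing the assembly looks at is the x bit: the generated fragment and the verbatim one produce identical-looking rule lines in the output, and the same plain list that works with the x bit clear makes the whole build fail once it is set, which is the invalid-configuration case Marc describes.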

